Friday, March 18, 2022

A Threat Hunting approach using Inventory

You've probably heard it said that one of the first steps in cybersecurity is asset inventory. I can tell you firsthand that this is true. How can you protect things if you don't know what you have? Sadly, everywhere I've worked, and I think this is a struggle everywhere, simply knowing what you have has been a challenge. I'm not just talking about workstation, server, or user names. It also means software titles, publishers, and executable names.

I wanted to share something I've been doing as a "Threat Hunter". You may find it interesting to take a list of IOCs (indicators of compromise) like malicious IPs, file hashes, file names, URLs, or domains and hunt for them on your network. If the IOCs are targeted and relevant to you, that's not a bad idea, but the odds of getting a hit are low. Threat actors are very skilled nowadays and have simple ways to generate brand new IPs, domains, URLs, file names, and file hashes per target, per victim, and even per user.

Another, more advanced and potentially good threat hunt is to look for a tactic or technique a threat actor may use: certain parameters being passed to an executable, certain port and protocol traffic on your network, certain file extensions in emails, etc. This is cool and can be worthwhile, but it is also like finding a needle in a haystack. The MITRE ATT&CK matrix has hundreds of techniques, and there are so many variations of each technique that the threat actor has the advantage. If they tweak their method ever so slightly, your search may find nothing.

So, what's an even better method? Here I go back to asset inventory: knowing what you have in your environment. At my current work I have massive lists, built over the years, of various things ...

  • All executable names I've ever seen in the environment
  • All software publishers I've ever seen in the environment
  • All file names I've ever seen in the Windows folder
  • All domains I've ever seen our IoT network connect to
  • All domains I've ever seen Windows applications (excluding browsers) reach out to
  • All scheduled tasks that have ever been created
  • All Windows services that have ever been installed
  • more random ideas :-) 

Hopefully you get the picture. Massive lists of things I've done at least some level of vetting on, even if it's only 30 seconds with a Google search, to have some comfort level that each entry is probably normal or expected. I have experience doing this for perhaps 15,000 or more systems, and I'm still able to build these lists; believe me, it wasn't as hard as I expected. Of course, if you work at a larger organization than that, this could get significantly more challenging. But if you're at a smaller business, I can honestly say I think it's doable.

So, why do I have all these lists? Because this is the best approach I've found so far for threat hunting, and in many ways my best chance of finding malicious activity. Instead of looking for malicious IOCs that have a short life and become useless quickly, and instead of searching for odd tactics and techniques that may or may not have been used by the threat actors targeting me, I look for stuff that I've never seen before in our environment.

Imagine the following:

  • An executable just started running that has never been seen at my work before. That's a good threat hunt find to dig into.
  • A program runs from a software publisher that has never before been used at work. That's a good threat hunt find to dig into.
  • A program reaches out to a domain that has never been connected to at work before. That's a good threat hunt find to dig into.
  • A scheduled task just got added to a PC that has never been seen before on any PC. That's a good threat hunt find to dig into.
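Here is the comparison logic behind the inventory lists and the four kinds of find above, written out as an added example in Python. It is not the post's own tooling. The baseline lists, host names, event records and field names are all constructed for the example; the event shapes are only loosely modelled on Windows telemetry (Sysmon event 1 for process creation, Sysmon event 22 for DNS queries, Security event 4698 for scheduled task creation, System event 7045 for service installation), and in practice the events would come out of a SIEM or EDR export rather than an inline list.

```python
"""Inventory-driven hunt: flag anything never seen before in the environment.

Added example, not the post's own tooling. Event records below are constructed
and shaped loosely after Windows telemetry (Sysmon event 1 / 22, Security 4698,
System 7045); field names, host names and values are assumptions.
"""
import json
from ntpath import basename  # Windows-style paths, even when this runs elsewhere

# Per the post, the application-to-domain list excludes browsers, which reach
# far too many domains to baseline usefully.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}

CATEGORIES = ("exe", "publisher", "domain", "task", "service")


def norm_exe(path):
    """Compare on the bare file name, case-folded: C:\\Temp\\UPDATER.EXE -> updater.exe."""
    return basename(path).strip().lower()


def norm_domain(name):
    return name.strip().rstrip(".").lower()


def extract(event):
    """Yield the (category, normalized value) pairs one event contributes."""
    kind = event["kind"]
    if kind == "process_create":            # Sysmon event 1: Image, Company
        yield "exe", norm_exe(event["image"])
        if event.get("company"):
            yield "publisher", event["company"].strip().lower()
    elif kind == "dns_query":               # Sysmon event 22: Image, QueryName
        if norm_exe(event["image"]) not in BROWSERS:
            yield "domain", norm_domain(event["query"])
    elif kind == "task_created":            # Security 4698: TaskName
        yield "task", event["task_name"].strip().lower()
    elif kind == "service_installed":       # System 7045: ServiceName
        yield "service", event["service_name"].strip().lower()


class Baseline:
    """The vetted 'ever seen at work' lists, one set per category."""

    def __init__(self, known=None):
        self.known = {c: set() for c in CATEGORIES}
        for c, values in (known or {}).items():
            self.known[c].update(v.lower() for v in values)

    def seen(self, category, value):
        return value in self.known[category]

    def add(self, category, value):
        """Only call this after an analyst has vetted the finding."""
        self.known[category].add(value)

    def to_json(self):
        return json.dumps({c: sorted(v) for c, v in self.known.items()}, indent=1)

    @classmethod
    def from_json(cls, text):
        return cls(json.loads(text))


def hunt(events, baseline):
    """One finding per (category, value) absent from the baseline, with every
    host it appeared on, so the analyst sees scope at a glance."""
    findings = {}
    for ev in events:
        for category, value in extract(ev):
            if baseline.seen(category, value):
                continue
            f = findings.setdefault((category, value), {
                "category": category, "value": value, "hosts": [], "first_event": ev,
            })
            if ev["host"] not in f["hosts"]:
                f["hosts"].append(ev["host"])
    return list(findings.values())


def commit_findings(baseline, findings):
    """After review, fold vetted findings into the baseline so the next run is quiet."""
    for f in findings:
        baseline.add(f["category"], f["value"])


# Constructed baseline: what the vetted lists might hold after years of collection.
KNOWN = {
    "exe": ["explorer.exe", "svchost.exe", "chrome.exe", "outlook.exe"],
    "publisher": ["Microsoft Corporation", "Google LLC"],
    "domain": ["update.googleapis.com", "outlook.office365.com"],
    "task": ["\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"],
    "service": ["wuauserv"],
}

# Constructed events from one day of telemetry. Only the updater.exe activity is new.
EVENTS = [
    {"kind": "process_create", "host": "WS-0142", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "company": "Google LLC"},
    {"kind": "dns_query", "host": "WS-0142", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "query": "never-seen-news.example."},
    {"kind": "process_create", "host": "WS-0142", "image": r"C:\Users\jdoe\AppData\Local\Temp\updater.exe", "company": "Contoso Software Ltd"},
    {"kind": "dns_query", "host": "WS-0142", "image": r"C:\Users\jdoe\AppData\Local\Temp\updater.exe", "query": "cdn.contoso-updates.example"},
    {"kind": "task_created", "host": "WS-0142", "task_name": "\\Updater"},
    {"kind": "process_create", "host": "WS-0377", "image": r"C:\Users\asmith\AppData\Local\Temp\UPDATER.EXE", "company": "Contoso Software Ltd"},
    {"kind": "service_installed", "host": "WS-0377", "service_name": "wuauserv"},
]


def run_hunt(events=EVENTS, known=KNOWN):
    return hunt(events, Baseline(known))


if __name__ == "__main__":
    for f in run_hunt():
        print(f"NEW {f['category']:<9} {f['value']!r} on {', '.join(f['hosts'])}")
```

Run against the constructed data it reports four finds: the executable `updater.exe` (on both hosts, because the path and case are normalized away before comparison), the publisher `Contoso Software Ltd`, the domain `cdn.contoso-updates.example`, and the task `\Updater`. The browser's lookup of a never-seen domain is deliberately not a find, matching the post's exclusion of browsers from the domain list. Two practical points the code reflects: normalization decides whether your lists stay small (path-stripped, case-folded names) or explode, and nothing goes into the baseline until someone has vetted it, which is the step that turns a raw "first seen" list into the inventory the post describes.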

It's my belief that this is a great way to find anomalies and potentially malicious activity.

A threat actor can change their IOCs, and a threat actor can change their technique, but in the big picture it's going to be hard for a threat actor to generate ONLY program names, URLs, domains, IPs, scheduled tasks, or Windows services that have already been seen.

The odds are that the threat actor will generate a few program names, URLs, domains, IPs, scheduled tasks, or Windows services that have never been seen before at my work ... and hopefully those show up on my hunt because they don't exist in my lists yet ... and hopefully I can identify that they are malicious before the threat actor does anything detrimental.
