Is your organisation's network robust enough to spot lateral movements of adversaries within your systems? Can you detect unusual network activities or illicit privilege escalation that could indicate a pivot attack? Can you use network telemetry and analytics to identify abnormal behaviour and halt lateral movement before it wreaks havoc?
These are essential questions to consider when looking at the pivoting stage of the cyber kill chain. Every day, cyber threat actors devise new methods to move laterally within compromised networks, exploiting credentials, network misconfigurations or unpatched software to extend their foothold. As a security team, you are responsible for safeguarding the network perimeter and continuously monitoring for anomalous internal activity so that attackers can be intercepted during their stealthy lateral movement. The task can be overwhelming, given the subtle nature of pivot attacks and the tenacity of modern cyber criminals.
Learning Objectives
In this room, we will learn to hunt for malicious activity that indicates internal network pivoting following an initial foothold. In addition, we will tackle the following topics throughout the room:
- Understanding the attacker's mindset in moving inside the compromised internal network.
- Correlating the subsequent actions an attacker executes after establishing persistent internal access.
- Differentiating suspicious host and network events from benign ones.
- Getting acquainted with the Tactics involved once an attacker attempts to jump from one machine to another.
Prerequisites
It is suggested that you complete the following rooms before proceeding with this one:
- Windows Event Logs - Understanding events generated on a Windows host.
- Core Windows Processes - Differentiating benign host processes from suspicious ones.
- Advanced Queries - Effective usage of queries.
- Threat Hunting: Introduction - Building threat hunting mindset.
- Threat Hunting: Foothold - Hunting indicators of initial compromise.
Threat Hunting Virtual Machine
Before we proceed with the following tasks, start the Threat Hunting virtual machine attached to this task by clicking the Start button in the upper-right corner. The provided virtual machine runs an Elastic Stack, which contains the logs that will be used throughout the room.
Once the machine is up, access the console using the credentials below. The instance may take 3-5 minutes to initialise.
| URL | ://MACHINE_IP |
| Username | elastic |
| Password | elastic |
Before we proceed, note that the concepts discussed from here on are not limited to the Elastic query syntax (including the field names). Every hunting approach described can be applied to any other platform.
Moreover, the instance contains the following indices that will be used in the threat-hunting activity:
- Winlogbeat - Contains all events (Windows Event Logs and ) generated by Windows machines.
- Packetbeat - Contains network traffic events generated by the workstations and servers.
Lastly, the emulated network runs the following workstations and servers:
| Host | Operating System | Purpose |
| --- | --- | --- |
| INTSRV01 | Windows Server 2019 | Server running an internal web application used by the organisation. |
| WKSTN-1 | Windows 10 | One of the workstations used by the employees. |
| WKSTN-2 | Windows 10 | One of the workstations used by the employees. |
| DC01 | Windows Server 2019 | Domain controller of the internal network. |
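As an added example (not code from the room or from Elastic), the script below shows the kind of correlation the Winlogbeat index makes possible: it reads Winlogbeat-style Security events as JSON lines and flags two classic pivoting indicators, a single source address performing network logons (Event ID 4624, logon type 3) onto several distinct hosts within a short window, and any workstation-to-workstation network logon, which rarely has a business reason in a lab like this one. The host names come from the table above; the IP addresses, user names, timestamps and the exact field layout (`winlog.event_id`, `winlog.event_data.*`, `host.name`) are constructed assumptions for the example rather than data from the room's instance.

```python
"""Correlate Winlogbeat-style Security events for pivoting indicators.

Added example, not part of the TryHackMe room.  Field names follow the
Winlogbeat/ECS layout as an assumption; the sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Lab inventory from the room's host table; the addresses are constructed.
HOST_ROLES = {"INTSRV01": "server", "WKSTN-1": "workstation",
              "WKSTN-2": "workstation", "DC01": "domain_controller"}
IP_TO_HOST = {"10.10.1.10": "INTSRV01", "10.10.1.11": "WKSTN-1",
              "10.10.1.12": "WKSTN-2", "10.10.1.5": "DC01"}


def _evt(ts, host, event_id, logon_type, user, src_ip):
    """Build one constructed Winlogbeat-style JSON line (assumed layout)."""
    return json.dumps({
        "@timestamp": ts,
        "host": {"name": host},
        "winlog": {"event_id": event_id, "channel": "Security",
                   "event_data": {"LogonType": str(logon_type),
                                  "TargetUserName": user,
                                  "IpAddress": src_ip}},
    })


# Constructed sample log lines: an interactive logon on WKSTN-1, then a burst
# of network logons from WKSTN-1's address onto DC01, INTSRV01 and WKSTN-2,
# and a lone, benign-looking logon from WKSTN-2 to the domain controller.
SAMPLE_LOG_LINES = [
    _evt("2023-06-01T09:00:00Z", "WKSTN-1", 4624, 2, "alice", "-"),
    _evt("2023-06-01T09:01:00Z", "DC01", 4624, 3, "alice", "10.10.1.11"),
    _evt("2023-06-01T09:02:00Z", "INTSRV01", 4624, 3, "alice", "10.10.1.11"),
    _evt("2023-06-01T09:03:00Z", "WKSTN-2", 4624, 3, "alice", "10.10.1.11"),
    _evt("2023-06-01T09:03:30Z", "INTSRV01", 4624, 3, "svc_backup", "10.10.1.11"),
    _evt("2023-06-01T11:30:00Z", "DC01", 4624, 3, "bob", "10.10.1.12"),
]


def parse_events(lines):
    """Parse JSON lines into dicts, adding a real datetime under 'ts'."""
    events = []
    for line in lines:
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["@timestamp"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def _is_network_logon(e):
    """Event ID 4624 with logon type 3 is a logon over the network."""
    w = e["winlog"]
    return int(w["event_id"]) == 4624 and w["event_data"].get("LogonType") == "3"


def find_pivot_candidates(lines, window=timedelta(minutes=10), fanout_threshold=2):
    """Return fan-out and workstation-to-workstation findings.

    fanout_threshold is deliberately low for a four-host lab; tune it to the
    environment.  Logons onto the domain controller are ignored in the fan-out
    count because every host authenticates to it as part of normal operation.
    """
    logons = [e for e in parse_events(lines) if _is_network_logon(e)]
    by_source = defaultdict(list)
    for e in logons:
        by_source[e["winlog"]["event_data"]["IpAddress"]].append(e)

    fan_out = {}
    for src_ip, evts in by_source.items():  # evts are already time-ordered
        best = set()
        for i, start in enumerate(evts):
            targets = {e["host"]["name"] for e in evts[i:]
                       if e["ts"] - start["ts"] <= window
                       and HOST_ROLES.get(e["host"]["name"]) != "domain_controller"}
            if len(targets) > len(best):
                best = targets
        if len(best) >= fanout_threshold:
            fan_out[src_ip] = sorted(best)

    ws_to_ws = []
    for e in logons:
        dst = e["host"]["name"]
        src = IP_TO_HOST.get(e["winlog"]["event_data"]["IpAddress"])
        if (src and src != dst and HOST_ROLES.get(src) == "workstation"
                and HOST_ROLES.get(dst) == "workstation"):
            ws_to_ws.append((src, dst, e["winlog"]["event_data"]["TargetUserName"],
                             e["@timestamp"]))
    return {"fan_out": fan_out, "workstation_to_workstation": ws_to_ws}


if __name__ == "__main__":
    for rule, hits in find_pivot_candidates(SAMPLE_LOG_LINES).items():
        print(rule, hits)
```

On the constructed sample the fan-out rule reports `10.10.1.11` (WKSTN-1) reaching INTSRV01 and WKSTN-2 within the window, and the second rule reports the WKSTN-1 to WKSTN-2 logon by `alice`; the single logon from WKSTN-2 to DC01 produces nothing, which is the behaviour you want from a rule meant to separate ordinary domain authentication from a host sweeping its neighbours. The same two questions translate directly into aggregations over the Winlogbeat index once you swap the constructed list for a query result.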