Incident Response & Threat Hunting

Incident Response & Threat Hunting — Tracking the Adversary

Incident Response (IR) is the structured process of detecting, investigating, and remediating security incidents. Threat Hunting extends IR — proactively searching for hidden attackers using evidence across endpoints, networks, and memory.

This guide teaches you the full operator lifecycle: detection → triage → containment → forensics → hunt → recovery.

I. 🧩 Core Concepts

II. ⚙️ The IR Lifecycle

III. ⚙️ Rapid Detection & Triage

🧠 1. Quick IOC Matching

yara -r rules/apt.yar /mnt/disk
grep -i -E "C2|POST|/admin" /var/log/httpd/access.log

⚙️ 2. Hash Check

sha256sum sample.exe
virustotal-search 9f3a7d...

💣 3. Triage Memory Image

volatility3 -f mem.raw windows.pslist
volatility3 -f mem.raw windows.malfind

⚙️ 4. Timeline Review

log2timeline.py case.plaso /mnt/evidence/
psort.py -o L2tcsv case.plaso > timeline.csv

IV. ⚙️ Artifact Correlation Workflow

🧩 1. Collect Everything

• Memory (winpmem, LiME)

• Disk (dd, FTK Imager)

• Network (tcpdump, Wireshark)

• Logs (Windows EVTX, Sysmon, Linux journal)

⚙️ 2. Correlate Timestamps

cat timeline.csv | grep "svchost.exe"
grep "192.168" network.log

→ Trace initial infection → process execution → C2 traffic.

V. ⚙️ Threat Hunting Foundations

VI. ⚙️ Endpoint Hunting (Windows & Linux)

🧠 1. Process & Command Line Analysis

volatility3 -f mem.raw windows.cmdline
grep "powershell" /var/log/syslog

⚙️ 2. Registry and Autoruns

volatility3 -f mem.raw windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"

💣 3. Scheduled Task Abuse

schtasks /query /fo LIST /v

⚙️ 4. Suspicious Network Use

netstat -an | grep ESTABLISHED

or in memory:

volatility3 -f mem.raw windows.netstat

VII. ⚙️ Network Threat Hunting

🧩 1. Extract Network Indicators

tshark -r capture.pcap -Y "http.request"

⚙️ 2. Detect C2 Patterns

Look for:

• Long beacon intervals

• DNS tunneling (TXT or random subdomains)

• HTTP POST /update.php with base64 payloads

🧠 3. Decode Encrypted Payloads

cat payload.b64 | base64 -d | xxd

VIII. ⚙️ SIEM & Log-Based Hunting

🧩 1. Sysmon (Windows)

Event IDs:

Example Query (Elastic / KQL):

process.command_line : "*powershell*" and event.code : 1

⚙️ 2. Linux Log Hunting

grep -i "Accepted password" /var/log/auth.log
grep -i "sudo" /var/log/secure
journalctl --grep "runc" --since "2h ago"

💣 3. Web Logs

grep -E "(cmd=|php\?|shell=)" /var/log/nginx/access.log

IX. ⚙️ Memory + Disk + Network Fusion

Example adversary chain:

1️⃣ Suspicious PowerShell in Sysmon → 2️⃣ Same PID in pslist (Volatility) → 3️⃣ DLL injected (malfind) → 4️⃣ HTTP POST observed (Wireshark) → 5️⃣ IOC match in YARA.

→ Confirmed beaconing malware.

X. ⚙️ Threat Intel Integration

Example:

Execution → T1059.001 (PowerShell)
Persistence → T1053.005 (Scheduled Task)
Exfiltration → T1048.003 (Exfil via HTTP)

XI. ⚙️ Case Study Example

Incident: Suspicious outbound connections

🧩 Step 1: Initial Alert

EDR detects rundll32.exe spawning powershell.exe.

⚙️ Step 2: Memory Analysis

volatility3 -f mem.raw windows.pslist | grep powershell
volatility3 -f mem.raw windows.malfind --pid <pid>

Finds shellcode injected into PowerShell.

💣 Step 3: Network Review

Wireshark shows beacon to api-update[.]com every 60s.

⚙️ Step 4: IOC Generation

SHA256: a912f...  
Domain: api-update.com  
Parent: rundll32.exe  
Technique: T1059.001, T1055

⚙️ Step 5: Containment & Eradication

• Isolate host from network

• Dump process memory

• Delete scheduled tasks

• Rotate credentials

XII. ⚙️ Threat Hunting Playbook Snippets

🧠 PowerShell Abuse Hunt

EventID:1 AND process.command_line:"-enc" OR "IEX("

⚙️ RDP Lateral Movement

EventID:4624 AND LogonType:10 AND SourceNetworkAddress!="internal_subnet"

💣 Suspicious Child Process Chains

ParentImage: winword.exe AND ChildImage: powershell.exe

XIII. ⚙️ Automation and Reporting

🧩 1. Use SOAR (Security Orchestration Automation)

Platforms:

• TheHive

• Cortex

• Shuffle

• Phantom (Splunk)

Automate: IOC lookup → containment → enrichment.

⚙️ 2. Incident Report Template

XIV. ⚙️ Pro Threat Hunting Tools

XV. ⚔️ Pro Tips & Operator Tricks

✅ Baseline Everything — Know normal before you hunt abnormal. ✅ Correlate, Don’t Guess — Processes + Logs + PCAPs = truth. ✅ Use Timestamps Aggressively — Attackers trip on timing inconsistencies. ✅ Memory First on Live Hosts — Evidence fades fast. ✅ Tag All IOCs — For later correlation with future incidents. ✅ Pivot From One Artifact — Every DLL, PID, or IP leads somewhere. ✅ Automate IOC Enrichment — VirusTotal, AbuseIPDB, GreyNoise APIs. ✅ Work Backwards From Persistence — The end of the chain often reveals the beginning.

XVI. ⚙️ Quick Reference Table