Chapter 1.2 Threat Intelligence & Attack Taxonomy
Module 1: Foundations & Threat Landscape | Level: Intermediate to Advanced | Estimated reading time: 50-65 min
Table of Contents
- What Is Threat Intelligence?
- Threat Actor Taxonomy
- Attack Frameworks: MITRE ATT&CK, Kill Chain, Diamond Model
- Indicators of Compromise (IoCs) & Indicators of Attack (IoAs)
- Threat Intelligence Platforms & OSINT Sources
- Operationalizing Threat Intel: Practical Workflows
- Architecture Diagram
1. What Is Threat Intelligence?
Threat intelligence (TI) is evidence-based knowledge about existing or emerging threats, including context, mechanisms, indicators, implications, and actionable advice, that can be used to make informed decisions about responding to those threats.
The key word is actionable. Raw data (a list of IPs) is not intelligence. Intelligence answers the questions: Who is attacking? What are they after? How do they operate? What does detection look like?
The Intelligence Pyramid
        ┌─────────────────┐
        │    Strategic    │ ← Who, Why: for executives and policy
        │  Intelligence   │   (nation-state activity, geopolitical risk)
        └────────┬────────┘
                 │
        ┌────────┴────────┐
        │   Operational   │ ← Campaigns, TTPs: for security managers
        │  Intelligence   │   (active threat actor campaigns)
        └────────┬────────┘
                 │
        ┌────────┴────────┐
        │    Tactical     │ ← TTPs, malware families: for analysts
        │  Intelligence   │   (how the attacker operates)
        └────────┬────────┘
                 │
        ┌────────┴────────┐
        │    Technical    │ ← IoCs: for security tools
        │  Intelligence   │   (IPs, hashes, domains, YARA rules)
        └─────────────────┘
| Level | Consumers | Lifespan | Examples |
|---|---|---|---|
| Strategic | CISO, Board, Legal | Months-Years | Nation-state threat assessment, sector targeting trends |
| Operational | SOC Manager, IR Lead | Weeks-Months | "APT29 is actively targeting energy sector with spear-phishing" |
| Tactical | Threat Hunters, Analysts | Days-Weeks | Specific malware TTPs, C2 infrastructure patterns |
| Technical | SIEM, Firewall, EDR | Hours-Days | IP blocklists, file hashes, YARA rules, Snort signatures |
The Intelligence Lifecycle
1. Planning & Direction
└── What questions need answering? What are the priority intelligence requirements (PIRs)?
2. Collection
└── OSINT, HUMINT, technical feeds, honeypots, dark web monitoring
3. Processing
└── Normalize, deduplicate, enrich, correlate (e.g. IP → ASN → threat actor)
4. Analysis
└── Apply analytical frameworks (ATT&CK, Diamond Model) to produce assessments
5. Dissemination
└── Push to SIEM, share via STIX/TAXII, brief stakeholders
6. Feedback
└── Consumers report back on what was useful, which refines the next round of collection
2. Threat Actor Taxonomy
Understanding who is attacking you is the foundation of threat-informed defense. Different actors have different motivations, capabilities, and persistence levels, and each requires a different defensive response.
2.1 Actor Categories
| Category | Motivation | Capability | Persistence | Example Groups |
|---|---|---|---|---|
| Nation-State (APT) | Espionage, sabotage, political | Very High | Very High (months-years) | APT29 (Cozy Bear), APT41, Lazarus Group |
| Cybercriminal | Financial gain | High | Medium (until paid) | FIN7, Evil Corp, Conti |
| Hacktivist | Ideology, protest | Low-Medium | Low-Medium | Anonymous, KillNet |
| Insider Threat | Revenge, financial, coercion | Variable | High (legitimate access) | Disgruntled employees, moles |
| Script Kiddie | Fame, curiosity | Low | Low | Opportunistic attackers |
| Cyber Mercenary | Hired capability | High | Variable | NSO Group, Hacking Team |
2.2 Advanced Persistent Threat (APT) Deep Dive
APT is a category, not a single group. The term describes a threat actor that:
- Has sophisticated, targeted capabilities (not opportunistic)
- Maintains long-term persistence in a compromised network
- Pursues specific, high-value objectives (IP theft, critical infrastructure disruption)
- Uses custom tooling alongside commodity tools to blend in
APT Lifecycle (typical nation-state intrusion):
  Phase 1: Initial Access
    Spear phishing, supply chain compromise, 0-day exploitation
    Example: SolarWinds trojanized build pipeline (Sunburst)
  Phase 2: Establish Foothold
    Lightweight backdoor / implant deployed
    Communication via encrypted C2 over legitimate protocols (HTTPS, DNS)
  Phase 3: Escalate Privileges
    Kerberoasting, pass-the-hash, token impersonation, local privilege escalation
  Phase 4: Internal Reconnaissance
    BloodHound AD enumeration, network scanning, credential harvesting
  Phase 5: Lateral Movement
    WMI execution, PsExec, RDP pivoting, SMB shares
  Phase 6: Persist & Maintain Access
    Multiple redundant backdoors, living-off-the-land binaries (LOLBins)
  Phase 7: Exfiltration / Effect
    Data staged, compressed, encrypted, exfiltrated over C2
    Or: destructive payload (wiper), ransomware, OT disruption
2.3 Threat Actor Profiling: Key Attributes
When building a threat profile, capture these attributes:
| Attribute | Description | Example |
|---|---|---|
| Attribution | Country/group assessment (low/med/high confidence) | "High confidence: Russian GRU" |
| Targeting | Sectors, geographies, org types | Energy, Finance, NATO members |
| Initial Access | How they typically get in | Spear phishing, supply chain |
| Preferred TTPs | Characteristic techniques | Cobalt Strike, custom implants |
| C2 Infrastructure | How they communicate | Domain fronting, Tor, cloud storage |
| Operational Security | How they avoid detection | Time-zone awareness, LOLBins |
| Historical Campaigns | Known past operations | Operation Aurora, Sunburst |
3. Attack Frameworks
Frameworks give us a shared vocabulary for describing attacker behavior. They enable better detection engineering, threat hunting, and purple teaming.
3.1 MITRE ATT&CK
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
Structure: Organized as a matrix of Tactics (the "why": what the attacker is trying to achieve) and Techniques (the "how": the specific methods used). Many techniques have sub-techniques (T1059.001 is PowerShell under Command and Scripting Interpreter).
ATT&CK Tactics for Enterprise (in attack order)
| ID | Tactic | Description | Example Techniques |
|---|---|---|---|
| TA0043 | Reconnaissance | Gather info before attack | T1595 Active Scanning, T1598 Phishing for Info |
| TA0042 | Resource Development | Build/acquire infrastructure | T1583 Acquire Infrastructure, T1587 Develop Capabilities |
| TA0001 | Initial Access | Get into the network | T1566 Phishing, T1190 Exploit Public-Facing App |
| TA0002 | Execution | Run malicious code | T1059 Command/Script Interpreter, T1203 Exploit for Exec |
| TA0003 | Persistence | Maintain foothold | T1053 Scheduled Task, T1078 Valid Accounts |
| TA0004 | Privilege Escalation | Get higher permissions | T1055 Process Injection, T1068 Exploit for PrivEsc |
| TA0005 | Defense Evasion | Avoid detection | T1070 Indicator Removal, T1562 Impair Defenses |
| TA0006 | Credential Access | Steal credentials | T1003 OS Credential Dumping, T1558 Steal Kerberos Tickets |
| TA0007 | Discovery | Understand environment | T1018 Remote System Discovery, T1087 Account Discovery |
| TA0008 | Lateral Movement | Move through network | T1021 Remote Services, T1550 Use Alternate Auth Material |
| TA0009 | Collection | Gather target data | T1005 Data from Local System, T1039 Data from Network Share |
| TA0011 | Command & Control | Communicate with implant | T1071 Application Layer Protocol, T1095 Non-App Layer Protocol |
| TA0010 | Exfiltration | Steal data out | T1041 Exfil over C2 Channel, T1048 Exfil over Alt Protocol |
| TA0040 | Impact | Cause damage | T1486 Data Encrypted for Impact, T1485 Data Destruction |
Using ATT&CK for detection engineering:
# Example: Detecting T1059.001 (PowerShell) Command and Scripting Interpreter
# In your SIEM, look for these patterns:
# 1. Encoded PowerShell commands (common evasion)
#    Event ID 4104 (Microsoft-Windows-PowerShell/Operational, Script Block Logging) shows the
#    decoded script; process-creation events (Sysmon EID 1 / Security 4688) show the wrapper:
#    powershell.exe -enc <base64>
#    PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
#    so match the prefix family, not a single spelling.
# 2. Download cradle (common for stage-2 payload delivery)
#    IEX (Invoke-Expression) + download
#    Pattern: IEX(New-Object Net.WebClient).DownloadString(...)
# Sigma rule for encoded PowerShell (YAML):
title: Suspicious Encoded PowerShell
status: experimental
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - ' -enc '
      - ' -encodedcommand '
      - ' -ec '
      - ' -e '    # short form; noisy, tune by parent process
  condition: selection
falsepositives:
  - Management agents and scheduled tasks that launch encoded commands
level: medium
# Enable PowerShell Script Block Logging (GPO / Registry)
# HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
# EnableScriptBlockLogging = 1 (REG_DWORD)
3.2 The Cyber Kill Chain
Developed by Lockheed Martin, the Kill Chain describes the stages of a targeted attack as a linear sequence. Disrupting any stage breaks the chain.
┌───────────────┐   ┌───────────────┐   ┌───────────────┐   ┌───────────────┐
│       1       │   │       2       │   │       3       │   │       4       │
│ Reconnaissance│──▶│   Weaponize   │──▶│    Deliver    │──▶│    Exploit    │
│               │   │               │   │               │   │               │
│ OSINT scan    │   │ Craft exploit │   │ Phishing mail │   │ Trigger vuln  │
│ Port scan     │   │ + payload     │   │ USB drop      │   │ on target     │
│ Job postings  │   │               │   │               │   │               │
└───────────────┘   └───────────────┘   └───────────────┘   └───────┬───────┘
                                                                    │
┌───────────────┐   ┌───────────────┐   ┌───────────────┐           │
│       7       │   │       6       │   │       5       │◀──────────┘
│  Actions on   │◀──│   Command     │◀──│    Install    │
│  Objectives   │   │  & Control    │   │               │
│               │   │               │   │ Backdoor      │
│ Data theft    │   │ C2 beacon     │   │ RAT           │
│ Ransomware    │   │ established   │   │ Persistence   │
└───────────────┘   └───────────────┘   └───────────────┘
Kill Chain → Defensive Controls Mapping:
| Stage | Attacker Activity | Defensive Control |
|---|---|---|
| Reconnaissance | Scanning, OSINT | Minimize exposed surface, honey tokens |
| Weaponization | Crafting exploit | Little to detect (happens off-network); intelligence on the actor's tooling is the only lever |
| Delivery | Email, web, USB | Email gateway, web proxy, AV, user training |
| Exploitation | Trigger vuln | Patching, EDR, exploit mitigation (ASLR, DEP) |
| Installation | Backdoor/RAT | EDR, application whitelisting, FIM |
| C2 | Beacon out | DNS filtering, proxy inspection, network anomaly |
| Actions | Exfil, encrypt | DLP, network segmentation, honeypots, backup |
Kill Chain criticism: It was designed for targeted APT intrusions. It handles insider threats poorly, doesn't model cloud-native attacks well, and its linear model doesn't capture multi-stage campaigns accurately. ATT&CK is more comprehensive for modern threats.
3.3 The Diamond Model of Intrusion Analysis
The Diamond Model provides a framework for analyzing individual intrusion events (not campaigns). Each event has four core features forming a diamond:
┌──────────────┐
│ Adversary │
│ (Who?) │
└──────┬───────┘
│
uses │ against
│
┌──────────────────┼──────────────────┐
│ │ │
┌───────┴──────┐ │ ┌──────┴───────┐
│ Capability │ │ │ Victim │
│ (What?) │◀──────────┼──────────│ (Who?) │
│ │ │ │ │
│ Malware │ over │ │ Org/Person │
│ Exploit │ │ │ Asset │
└───────┬──────┘ │ └──────┬───────┘
│ │ │
└──────────────────┼──────────────────┘
│
┌──────┴───────┐
│ Infrastructure│
│ (How/Where?)│
│ │
│ C2 IP/domain │
│ Email server │
└──────────────┘
Meta-features extend the model: timestamps, phase (Kill Chain stage), result (success/fail), direction.
Why it matters operationally: The Diamond Model enables pivoting from one known attribute to discover the others. If you know the malware hash (capability), you can pivot to find the C2 infrastructure. From the C2 domain, you pivot to find other victims. From victims, you identify the adversary.
4. Indicators of Compromise & Indicators of Attack
4.1 Indicators of Compromise (IoCs)
IoCs are forensic artifacts that indicate a system has been compromised. They are evidence of what already happened.
| IoC Type | Examples | Lifespan |
|---|---|---|
| File hash (MD5/SHA256) | Malware binary hash | Short (trivial to change) |
| IP address | C2 server IP | Short (rotated frequently) |
| Domain | evil-update[.]com | Short-Medium |
| URL | http://evil.com/payload.exe | Short |
| Email subject/sender | Phishing template | Short |
| Registry key | HKCU\Software\MalwareKey | Medium |
| Mutex | Global\MalwareMutex_v2 | Medium-Long |
| Network traffic pattern | Beacon interval, User-Agent | Long |
| YARA rule | Byte pattern in malware | Long |
The Pyramid of Pain (David Bianco): the higher up the pyramid, the more it hurts the attacker when you detect or block it:
╔═══════════════════╗
║ TTPs ║ ← Hardest for attacker to change
╚═══════════════════╝
╔═══════════════════════╗
║ Tools ║
╚═══════════════════════╝
╔═══════════════════════════╗
║ Network/Host Artifacts ║
╚═══════════════════════════╝
╔═══════════════════════════════╗
║ Domain Names ║
╚═══════════════════════════════╝
╔═══════════════════════════════════╗
║ IP Addresses ║ ← Trivial for attacker to change
╚═══════════════════════════════════╝
╔═══════════════════════════════════════╗
║ Hash Values ║ ← Useless after first detection
╚═══════════════════════════════════════╝
Implication: Blocking IPs and hashes is low-value detection; it costs the attacker minutes to recover. Detection engineering should target behaviors and TTPs, the things that are expensive for the attacker to change.
4.2 Indicators of Attack (IoAs)
IoAs focus on intent and behavior: the attacker's actions, not the artifacts left behind. IoAs detect attacks in progress rather than confirming compromise after the fact.
| IoA | What It Detects | ATT&CK Mapping |
|---|---|---|
| Port scan from internal host | Internal reconnaissance | T1046 Network Service Discovery |
| PowerShell spawned by WINWORD.EXE | Malicious macro execution | T1059.001 + T1566.001 |
| LSASS memory read | Credential dumping | T1003.001 |
| New scheduled task created by non-admin | Persistence attempt | T1053.005 |
| DNS query to DGA domain | C2 beacon | T1568 Dynamic Resolution |
| Large outbound transfer at 3am | Data exfiltration | T1041 |
| net user /add from a service account | Account creation for persistence | T1136 Create Account |
# IoA detection examples using the Linux audit framework (auditd)
# Closest Linux analogues of an LSASS read: credential file access and process memory reads
auditctl -w /etc/shadow -p r -k shadow_read     # fires on every PAM login; filter by comm/exe when searching
auditctl -w /etc/passwd -p r -k passwd_read     # world-readable and read constantly; usually only -p wa is worth keeping
# ptrace() is how one process reads another's memory (the /proc/<pid>/mem route needs ptrace access too)
auditctl -a always,exit -F arch=b64 -S ptrace -k ptrace_memread
# Monitor for new cron job creation (persistence IoA)
auditctl -w /etc/cron.d -p wa -k cron_modification
auditctl -w /var/spool/cron -p wa -k cron_modification
# Log outbound connect() calls (potential C2). This records every connect on the box, so scope it
# to real users and enrich destination/port offline rather than alerting on the raw stream.
auditctl -a always,exit -F arch=b64 -S connect -F auid>=1000 -F auid!=4294967295 -k outbound_conn
# View audit log (-i interprets uids, syscall numbers and socket addresses)
ausearch -k shadow_read -i
ausearch -k cron_modification --start today
ausearch -k outbound_conn -i | grep -E 'SYSCALL|SOCKADDR'
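The `connect` rule above does not tell you where the connection went unless you join the SYSCALL record with the SOCKADDR record that shares its audit serial and decode the raw `saddr` bytes. The following is an added example for this chapter (not code from the original material) that does that join and decode: family as a 2-byte little-endian short, port as a 2-byte big-endian short, then the address (IPv4 directly, IPv6 after a 4-byte flowinfo field), skipping AF_UNIX sockets. The records and the list of expected ports are constructed for the example.

```python
"""Join auditd SYSCALL and SOCKADDR records for connect() and decode the destination.

Added example for this page, not course code. The records below are constructed to
look like the output of the -S connect rule above; they are not real audit logs.
"""
import re
import socket
import struct
from collections import defaultdict

AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:4567): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd0 a2=10 a3=0 pid=2345 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="outbound_conn"
type=SOCKADDR msg=audit(1700000000.101:4567): saddr=02001F90C0A801050000000000000000
type=SYSCALL msg=audit(1700000000.202:4568): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7ffd0 a2=10 a3=0 pid=2346 auid=1000 uid=1000 comm="python3" exe="/usr/bin/python3" key="outbound_conn"
type=SOCKADDR msg=audit(1700000000.202:4568): saddr=02000035C0A800010000000000000000
type=SYSCALL msg=audit(1700000000.303:4569): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7ffd0 a2=1c a3=0 pid=2347 auid=1000 uid=1000 comm="nc" exe="/usr/bin/nc" key="outbound_conn"
type=SOCKADDR msg=audit(1700000000.303:4569): saddr=0A00115C0000000020010DB8000000000000000000000001
type=SYSCALL msg=audit(1700000000.404:4570): arch=c000003e syscall=42 success=yes exit=0 a0=6 a1=7ffd0 a2=6e a3=0 pid=2348 auid=1000 uid=1000 comm="sudo" exe="/usr/bin/sudo" key="outbound_conn"
type=SOCKADDR msg=audit(1700000000.404:4570): saddr=01002F72756E2F73797374656D642F6A6F75726E616C2F736F636B657400
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AF_INET, AF_INET6 = 2, 10           # Linux values; socket.AF_INET6 differs on other platforms
EXPECTED_PORTS = {22, 53, 80, 443}  # assumption: what this host is expected to talk to


def parse_records(text):
    """Group records by audit serial so the SYSCALL and SOCKADDR lines of one event merge."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        ev = events[int(serial)]
        ev.setdefault("time", float(ts))
        if rtype == "SYSCALL":
            ev.update(fields)
        elif rtype == "SOCKADDR":
            ev["saddr"] = fields["saddr"]
    return events


def decode_saddr(hexstr):
    """Decode the raw sockaddr: family (2 bytes LE), port (2 bytes BE), then the address."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack_from("<H", raw, 0)[0]
    if family == AF_INET and len(raw) >= 8:
        return "ipv4", socket.inet_ntop(socket.AF_INET, raw[4:8]), struct.unpack_from(">H", raw, 2)[0]
    if family == AF_INET6 and len(raw) >= 24:   # port, 4-byte flowinfo, 16-byte address
        return "ipv6", socket.inet_ntop(socket.AF_INET6, raw[8:24]), struct.unpack_from(">H", raw, 2)[0]
    return "other", None, None                   # AF_UNIX, netlink, ...: not an outbound connection


def triage(text):
    """Return one finding per decoded connect(), flagging destinations on unexpected ports."""
    findings = []
    for serial, ev in sorted(parse_records(text).items()):
        if ev.get("syscall") != "42" or "saddr" not in ev:   # 42 = connect on x86_64
            continue
        fam, ip, port = decode_saddr(ev["saddr"])
        if fam == "other":
            continue
        findings.append({"serial": serial, "comm": ev["comm"], "exe": ev["exe"],
                         "dst": ip, "port": port, "unusual_port": port not in EXPECTED_PORTS})
    return findings


if __name__ == "__main__":
    for f in triage(AUDIT_LOG):
        print(f"{f['comm']:8s} -> {f['dst']}:{f['port']}  {'UNUSUAL' if f['unusual_port'] else 'ok'}")
```

The syscall number is architecture-specific (42 is `connect` on x86_64 only), which is why the auditctl rule carries `-F arch=b64`; a 32-bit or aarch64 host needs its own number or `ausearch -i` to interpret it.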
4.3 STIX & TAXII Sharing Intelligence
STIX (Structured Threat Information eXpression): JSON-based format for representing threat intelligence objects (malware, campaigns, IoCs, TTPs) in a machine-readable way.
TAXII (Trusted Automated eXchange of Intelligence Information): Transport protocol for sharing STIX content between organizations.
# Python example: query a TAXII server for threat intelligence
# Requires: pip install taxii2-client stix2
# Note: cti-taxii.mitre.org served TAXII 2.0 (so use the v20 client, not v21). MITRE has since
# retired it in favour of the TAXII 2.1 server at attack-taxii.mitre.org; the ATT&CK STIX
# bundles are also published on GitHub (mitre-attack/attack-stix-data).
from taxii2client.v20 import Server, Collection
from stix2 import Filter, TAXIICollectionSource

# Connect to the public MITRE ATT&CK TAXII server (no authentication required)
server = Server('https://cti-taxii.mitre.org/taxii/')

# List available collections (threat intel feeds)
api_root = server.api_roots[0]
for collection in api_root.collections:
    print(f"Collection: {collection.title} | ID: {collection.id}")

# Fetch objects from a specific collection (Enterprise ATT&CK)
collection = Collection(
    'https://cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/'
)
tc_source = TAXIICollectionSource(collection)

# Query for all groups (threat actors); ATT&CK models them as STIX intrusion-set objects
groups = tc_source.query([Filter("type", "=", "intrusion-set")])
for group in groups[:5]:
    print(f"Group: {group.name} | Aliases: {group.get('aliases', [])}")
5. Threat Intelligence Platforms & OSINT Sources
5.1 Commercial & Open-Source TI Platforms
| Platform | Type | Best For |
|---|---|---|
| MISP (Malware Information Sharing Platform) | Open-source | Collaborative IoC sharing, STIX/TAXII |
| OpenCTI | Open-source | Graph-based TI with ATT&CK integration |
| ThreatConnect | Commercial | Full TI lifecycle management |
| Recorded Future | Commercial | Real-time threat intelligence, dark web |
| VirusTotal Intelligence | Commercial | Malware analysis, file/URL reputation |
| AlienVault OTX | Free/Commercial | Community threat feeds |
| MITRE ATT&CK Navigator | Free | TI mapping to ATT&CK matrix |
5.2 Critical OSINT Sources for Threat Intel
# ── PASSIVE DNS & IP REPUTATION ────────────────────────────────────────────
# Shodan: search engine for internet-connected devices
# Find all Apache 2.4.49 servers (CVE-2021-41773 - path traversal)
shodan search 'apache/2.4.49'
# Censys: similar to Shodan, strong TLS/certificate data
# Query via the censys-python CLI; --index-type selects the hosts or certificates index
censys search 'services.http.response.headers.server: "nginx/1.14"' --index-type hosts
# ── DOMAIN & IP INVESTIGATION ───────────────────────────────────────────────
# WHOIS lookup (registration info, abuse contacts)
whois evil-domain.com
# Passive DNS: see historical resolution records
# (SecurityTrails, Microsoft Defender TI (formerly RiskIQ PassiveTotal), Mnemonic PassiveDNS)
curl "https://api.securitytrails.com/v1/history/evil-domain.com/dns/a" \
  -H "APIKEY: your_key"
# Certificate Transparency logs: find subdomains
# crt.sh is a public CT log database; one name_value can hold several SANs separated by newlines
curl -s 'https://crt.sh/?q=%25.target.com&output=json' | \
  python3 -c "import sys,json; [print(n) for r in json.load(sys.stdin) for n in r['name_value'].splitlines()]" | \
  sort -u
# ── MALWARE & HASH LOOKUP ───────────────────────────────────────────────────
# VirusTotal hash lookup via API
curl "https://www.virustotal.com/api/v3/files/<sha256_hash>" \
-H "x-apikey: YOUR_VT_API_KEY"
# MalwareBazaar (abuse.ch) free malware sample DB
curl -d 'query=get_info&hash=<sha256>' \
'https://mb-api.abuse.ch/api/v1/'
# ── THREAT ACTOR OSINT ──────────────────────────────────────────────────────
# MITRE ATT&CK groups page
# https://attack.mitre.org/groups/
# ETDA Thailand APT Groups tracker (comprehensive open list)
# https://apt.etda.or.th/cgi-bin/listgroups.cgi
# Malpedia malware families and associated threat actors
# https://malpedia.caad.fkie.fraunhofer.de/
5.3 Honeypots & Active Intelligence Collection
Honeypots are decoy systems designed to attract attackers. They generate high-fidelity threat intelligence because any interaction is suspicious by definition.
# Deploy a simple SSH honeypot using Cowrie
# Cowrie logs attacker commands, captures uploaded files, records credentials
# Install Cowrie
git clone https://github.com/cowrie/cowrie.git
cd cowrie
pip install -r requirements.txt
cp etc/cowrie.cfg.dist etc/cowrie.cfg
# Configure: Cowrie listens on 2222 as an unprivileged user; port 22 is redirected to it
# etc/cowrie.cfg (newer releases use listen_endpoints = tcp:2222:interface=0.0.0.0 instead of listen_port)
# [ssh]
# listen_port = 2222
# hostname = srv04
# Move the real sshd to another port first (e.g. Port 22222 in /etc/ssh/sshd_config and restrict it
# to your management network), then redirect inbound 22 to the honeypot
iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
# Start Cowrie
bin/cowrie start
# Monitor attacker sessions in real-time
tail -f var/log/cowrie/cowrie.json | python3 -c "
import sys, json
for line in sys.stdin:
event = json.loads(line)
if event.get('eventid') in ['cowrie.command.input', 'cowrie.login.success']:
print(f\"[{event['eventid']}] {event.get('input', event.get('username',''))}\")"
What honeypots reveal:
- Attacker toolkits and commands used immediately after initial access
- Credential lists being brute-forced (real passwords in use)
- C2 infrastructure (malware download URLs)
- Occasionally, new exploitation techniques before public disclosure
6. Operationalizing Threat Intel
6.1 The TI-to-Detection Pipeline
Raw intelligence must be converted into detection rules, firewall blocks, and hunting queries to have operational value.
STIX Feed / TI Report
        │
        ▼
Extract IoCs / TTPs
(IPs, domains, hashes, techniques)
        │
        ▼
Enrich & Validate
(Is this IP still malicious? Is the domain still resolving? Is the hash FP-prone?)
        │
        ├──────────────────────────────┐
        ▼                              ▼
Technical IoCs                  TTPs / Behaviors
(IP, hash, domain)              (ATT&CK techniques)
        │                              │
        ▼                              ▼
Block / Alert                   Write Detection Rules
(Firewall, DNS sinkhole,        (Sigma, YARA, Suricata)
 endpoint hash block)                  │
                                       ▼
                                Deploy to SIEM / EDR / NDR
                                       │
                                       ▼
                                Alert → Triage → Confirm
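The first two boxes of this pipeline (extract, then validate) are where a STIX feed from section 4.3 actually gets turned into something a firewall or a detection engineer can use. The following is an added example for this chapter (not code from the original material and not the stix2 library) that walks a STIX 2.1 bundle, drops indicators whose `valid_until` has passed, pulls atomic IoCs out of STIX patterns for the block/alert branch, and collects ATT&CK technique IDs from `attack-pattern` objects for the detection-rule branch. The bundle, its object IDs and the domain name are constructed; the addresses are documentation ranges and the hash is the SHA-256 of an empty file, used as a placeholder.

```python
"""Turn a STIX 2.1 bundle into the two branches of the TI-to-detection pipeline.

Added example for this page, not course code. The bundle is constructed (IDs, names,
documentation-range addresses) to look like a TAXII collection's content.
"""
import json
import re
from datetime import datetime, timezone

BUNDLE = json.loads("""
{"type": "bundle", "id": "bundle--3b3c5e7a-1d2f-4e6a-9c8b-0a1b2c3d4e5f", "objects": [
 {"type": "indicator", "spec_version": "2.1", "id": "indicator--aaaaaaaa-0000-4000-8000-000000000001",
  "created": "2024-05-01T00:00:00Z", "modified": "2024-05-01T00:00:00Z", "name": "Dropper staging domain",
  "indicator_types": ["malicious-activity"], "pattern_type": "stix",
  "pattern": "[domain-name:value = 'evil-update.example']", "valid_from": "2024-05-01T00:00:00Z"},
 {"type": "indicator", "spec_version": "2.1", "id": "indicator--aaaaaaaa-0000-4000-8000-000000000002",
  "created": "2023-11-01T00:00:00Z", "modified": "2024-02-01T00:00:00Z", "name": "Retired C2 address",
  "indicator_types": ["malicious-activity"], "pattern_type": "stix",
  "pattern": "[ipv4-addr:value = '203.0.113.45']",
  "valid_from": "2023-11-01T00:00:00Z", "valid_until": "2024-02-01T00:00:00Z"},
 {"type": "indicator", "spec_version": "2.1", "id": "indicator--aaaaaaaa-0000-4000-8000-000000000003",
  "created": "2024-05-02T00:00:00Z", "modified": "2024-05-02T00:00:00Z", "name": "Dropper SHA-256",
  "indicator_types": ["malicious-activity"], "pattern_type": "stix",
  "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
  "valid_from": "2024-05-02T00:00:00Z"},
 {"type": "indicator", "spec_version": "2.1", "id": "indicator--aaaaaaaa-0000-4000-8000-000000000004",
  "created": "2024-05-03T00:00:00Z", "modified": "2024-05-03T00:00:00Z", "name": "Live C2 pair",
  "indicator_types": ["malicious-activity"], "pattern_type": "stix",
  "pattern": "[ipv4-addr:value = '198.51.100.77' OR ipv4-addr:value = '198.51.100.78']",
  "valid_from": "2024-05-03T00:00:00Z"},
 {"type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--bbbbbbbb-0000-4000-8000-000000000001",
  "created": "2024-05-01T00:00:00Z", "modified": "2024-05-01T00:00:00Z", "name": "PowerShell",
  "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001",
                           "url": "https://attack.mitre.org/techniques/T1059/001/"}]},
 {"type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--bbbbbbbb-0000-4000-8000-000000000002",
  "created": "2024-05-01T00:00:00Z", "modified": "2024-05-01T00:00:00Z", "name": "LSASS Memory",
  "external_references": [{"source_name": "mitre-attack", "external_id": "T1003.001",
                           "url": "https://attack.mitre.org/techniques/T1003/001/"}]}
]}
""")

# STIX object path -> the IoC type your blocklist consumers understand
PATH_TO_TYPE = {
    "domain-name:value": "domain", "ipv4-addr:value": "ipv4", "ipv6-addr:value": "ipv6",
    "url:value": "url", "file:hashes.'SHA-256'": "sha256", "file:hashes.MD5": "md5",
}
# One comparison inside a STIX pattern: <object path> <op> '<literal>'
COMPARISON_RE = re.compile(r"([\w-]+:[\w.'-]+)\s*(?:=|!=|LIKE|MATCHES)\s*'([^']*)'")


def stix_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_iocs(pattern):
    """Pull the atomic (type, value) pairs out of a STIX pattern; unknown paths are ignored."""
    return [(PATH_TO_TYPE[path], value) for path, value in COMPARISON_RE.findall(pattern)
            if path in PATH_TO_TYPE]


def is_active(indicator, now):
    """The 'is it still malicious?' check: honour the producer's valid_until."""
    until = indicator.get("valid_until")
    return until is None or stix_time(until) > now


def attack_ids(obj):
    return [r["external_id"] for r in obj.get("external_references", [])
            if r.get("source_name") == "mitre-attack"]


def run_pipeline(bundle, now=None):
    """Split a bundle into technical IoCs (block/alert) and TTPs (detection engineering)."""
    now = now or datetime.now(timezone.utc)
    blocklist, expired, techniques = {}, [], set()
    for obj in bundle["objects"]:
        if obj["type"] == "indicator":
            if not is_active(obj, now):
                expired.append(obj["id"])            # never push stale IoCs to the firewall
                continue
            if obj.get("pattern_type", "stix") != "stix":
                continue                             # sigma/yara/snort patterns are deployed as rules, not IoCs
            for kind, value in extract_iocs(obj["pattern"]):
                blocklist.setdefault(kind, set()).add(value)
        elif obj["type"] == "attack-pattern":
            techniques.update(attack_ids(obj))
    return {"blocklist": {k: sorted(v) for k, v in sorted(blocklist.items())},
            "expired": expired, "techniques": sorted(techniques)}


if __name__ == "__main__":
    print(json.dumps(run_pipeline(BUNDLE), indent=2))
```

The regex handles the comparison expressions found in most shared indicators; it is not a full STIX pattern parser (no observation operators, no qualifiers such as `REPEATS` or `WITHIN`), so a production pipeline should use the stix2-patterns grammar once the patterns it receives get more complex.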
6.2 Writing YARA Rules for Malware Detection
YARA is the pattern-matching language for malware analysts. Rules describe characteristics of malware families to detect them on disk or in memory.
// YARA rule example: detect Cobalt Strike beacon
// Cobalt Strike is the most commonly abused red team tool, used by APTs and cybercriminals alike
rule CobaltStrike_Beacon_Indicators
{
    meta:
        description = "Detects Cobalt Strike beacon based on characteristic strings and patterns"
        author = "SecurityTeam"
        date = "2024-01-15"
        severity = "critical"
        mitre_attack = "T1071.001, T1055"
    strings:
        // Beacon output format string ("<host> (admin)")
        $cs_str1 = "%s (admin)" wide ascii
        // Default named pipe prefix for SMB beacons
        $cs_pipe = "\\\\.\\pipe\\msagent_" wide ascii
        // User agent from a default Malleable C2 profile (replace with the one seen in your sample)
        $cs_ua1 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; 123)" ascii
        // Default POST URI in the stock profile
        $cs_url = "/submit.php" ascii
        // Config header 00 01 00 01 00 02 XOR-encoded with 0x2e (Cobalt Strike 4.x)
        $cs_config4 = { 2e 2f 2e 2f 2e 2c }
        // Same header XOR-encoded with 0x69 (Cobalt Strike 3.x)
        $cs_config3 = { 69 68 69 68 69 6b }
    condition:
        uint16(0) == 0x5A4D               // MZ header: it's a PE file
        and filesize < 2MB
        // Any single string is weak evidence (the URI and UA are common); require two
        and 2 of ($cs_str1, $cs_pipe, $cs_ua1, $cs_url, $cs_config4, $cs_config3)
}
// Run YARA against a directory
// yara -r cobalt_strike.yar /path/to/scan
// yara -r cobalt_strike.yar --scan-list file_list.txt
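A 6-byte hex pattern is cheap for a random binary to contain by accident, so a YARA hit on the config marker should be confirmed by checking that a parseable config sits behind it. The following is an added example for this chapter (not code from the original material and not one of the public beacon parsers): it locates the XOR-encoded header under either known key, decodes the TLV entries (index, type and length as big-endian shorts, then the value) and rejects the hit unless the first entries decode sanely. The field meanings (1 = beacon type, 2 = port, 3 = sleep time) and the type encoding follow the public Cobalt Strike config parsers; the beacon buffers are constructed, and no real sample is used.

```python
"""Validate a hit on the XOR-encoded Cobalt Strike config marker used in the YARA rule above.

Added example for this page, not course code. The beacon buffers are constructed; no real
sample is used. The 6-byte marker is the config header 00 01 00 01 00 02 XORed with 0x2e
(Cobalt Strike 4.x; 3.x used 0x69). Entries are TLVs: index, type and length as 2-byte
big-endian shorts, then the value (type 1 = short, 2 = int, 3 = bytes/string). Field
meanings (1 = BeaconType, 2 = Port, 3 = SleepTime) follow the public config parsers.
"""
import struct

HEADER = bytes.fromhex("000100010002")   # entry 1 (BeaconType), type 1 (short), length 2
XOR_KEYS = (0x2E, 0x69)


def xor(data, key):
    return bytes(b ^ key for b in data)


def find_config(blob):
    """Locate the encoded header under either known key; returns (offset, key) or None."""
    for key in XOR_KEYS:
        off = blob.find(xor(HEADER, key))
        if off != -1:
            return off, key
    return None


def parse_entries(blob, offset, key, max_entries=64):
    """Decode TLV entries from offset until a zero index (terminator) or a malformed entry."""
    entries, pos = {}, offset
    for _ in range(max_entries):
        if pos + 6 > len(blob):
            break
        idx, typ, length = struct.unpack(">HHH", xor(blob[pos:pos + 6], key))
        if idx == 0:
            break
        value = xor(blob[pos + 6:pos + 6 + length], key)
        if len(value) != length:
            break                                     # runs past the buffer: not a real config
        if typ == 1 and length == 2:
            entries[idx] = struct.unpack(">H", value)[0]
        elif typ == 2 and length == 4:
            entries[idx] = struct.unpack(">I", value)[0]
        else:
            entries[idx] = value.rstrip(b"\x00")
        pos += 6 + length
    return entries


def validate_hit(blob):
    """A YARA match on 6 bytes is cheap to fake; require a parseable config behind it."""
    hit = find_config(blob)
    if hit is None:
        return None
    offset, key = hit
    entries = parse_entries(blob, offset, key)
    if 1 not in entries or 2 not in entries:          # BeaconType and Port must both decode
        return None
    return {"offset": offset, "key": key, "beacon_type": entries[1], "port": entries[2],
            "sleep_ms": entries.get(3), "entries": len(entries)}


def _build_config(entries):
    """Serialize plaintext TLVs and terminate with a zero index (helper for the samples)."""
    out = b"".join(struct.pack(">HHH", idx, typ, len(val)) + val for idx, typ, val in entries)
    return out + b"\x00\x00"


# Constructed samples: a fake 4.x-style config embedded in padding, and a buffer that
# contains the marker but nothing parseable after it.
PLAINTEXT = _build_config([
    (1, 1, struct.pack(">H", 8)),        # BeaconType 8 (HTTPS in the public parsers)
    (2, 1, struct.pack(">H", 443)),      # Port
    (3, 2, struct.pack(">I", 60000)),    # SleepTime in ms
])
SAMPLE = b"MZ" + b"\x90" * 64 + xor(PLAINTEXT, 0x2E) + b"\x00" * 16
FALSE_POSITIVE = b"MZ" + xor(HEADER + b"\x00\x08", 0x2E) + b"\xff" * 10

if __name__ == "__main__":
    print("sample        :", validate_hit(SAMPLE))
    print("false positive:", validate_hit(FALSE_POSITIVE))
```

Real beacons keep the config in a larger, usually compressed or encrypted section of the payload, so in practice this check runs on the unpacked beacon DLL or on a process memory dump, not on the stager on disk.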
6.3 Writing Sigma Rules for SIEM Detection
Sigma is a generic, vendor-neutral detection rule format for SIEM systems. Rules are written once and converted to Splunk SPL, Elastic DSL, QRadar AQL, etc.
# Sigma rule: detect Mimikatz-style LSASS credential dumping
# Log source: Sysmon Event ID 10 (ProcessAccess). This needs a Sysmon config that records
# access to lsass.exe; process_creation events do not carry GrantedAccess at all.
title: Mimikatz LSASS Credential Dumping
id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
status: stable
description: Detects a process opening LSASS memory with the access masks used by Mimikatz and similar tools
references:
  - https://attack.mitre.org/techniques/T1003/001/
author: SecurityTeam
date: 2024/01/15
tags:
  - attack.credential_access
  - attack.t1003.001
logsource:
  category: process_access
  product: windows
detection:
  selection:
    TargetImage|endswith: '\lsass.exe'
    GrantedAccess|contains:
      - '0x1010'   # PROCESS_VM_READ (0x10) + PROCESS_QUERY_LIMITED_INFORMATION (0x1000)
      - '0x1410'   # the above + PROCESS_QUERY_INFORMATION (0x400)
      - '0x147a'
      - '0x143a'
  condition: selection
falsepositives:
  - Security software (antivirus, EDR agents) legitimately reading LSASS; add a filter on SourceImage for known products
level: critical
# Convert Sigma rule to Splunk SPL with sigma-cli (pySigma). The sysmon pipeline maps the
# process_access category to Sysmon Event ID 10; run `sigma list targets` to see what is installed.
# sigma convert -t splunk -p sysmon -p splunk_windows mimikatz_lsass.yml
# Convert to an Elasticsearch Lucene query (the legacy sigmac target name was es-qs)
# sigma convert -t lucene -p sysmon -p ecs_windows mimikatz_lsass.yml
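Before a rule like this goes into the SIEM it is worth running it against a handful of events you understand, including the false positives it lists and a dumping technique it does not cover. The following is an added example for this chapter (not code from the original material and not sigma-cli): a minimal evaluator for the subset of Sigma the rule uses (fields in a map are AND-ed, list values are OR-ed, `endswith`/`contains` modifiers with Sigma's case-insensitive matching, and a flat `selection and not filter` condition), run over constructed Sysmon Event ID 10 records. The `filter` on security-product images is an assumption of this example, added to show how the listed false positives are suppressed.

```python
"""Evaluate the LSASS Sigma rule above against constructed Sysmon Event ID 10 records.

Added example for this page, not course code and not sigma-cli. It implements only
the subset of Sigma the rule needs: field maps (fields AND-ed, list values OR-ed),
the endswith/startswith/contains modifiers with Sigma's case-insensitive matching,
and flat 'a and not b' conditions. The filter for security products is an assumption
of this example, added to show how the listed false positives are suppressed.
"""

RULE = {
    "detection": {
        "selection": {
            "TargetImage|endswith": "\\lsass.exe",
            "GrantedAccess|contains": ["0x1010", "0x1410", "0x147a", "0x143a"],
        },
        "filter": {
            "SourceImage|endswith": ["\\MsMpEng.exe", "\\csrss.exe"],   # assumed allowlist
        },
        "condition": "selection and not filter",
    }
}

MODIFIERS = {
    "": lambda value, pat: value == pat,
    "contains": lambda value, pat: pat in value,
    "startswith": lambda value, pat: value.startswith(pat),
    "endswith": lambda value, pat: value.endswith(pat),
}


def match_field(event, key, patterns):
    """'Field|modifier': [patterns] is true when ANY pattern matches the event field."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    patterns = patterns if isinstance(patterns, list) else [patterns]
    test = MODIFIERS[modifier]
    return any(test(str(value).lower(), str(p).lower()) for p in patterns)   # Sigma strings are case-insensitive


def match_map(event, mapping):
    """A search identifier's map is true only when ALL of its fields match."""
    return all(match_field(event, k, v) for k, v in mapping.items())


def eval_condition(condition, named):
    """Left-to-right evaluation of 'x', 'x and y', 'x and not y', 'x or y' (no parentheses)."""
    result, op, negate = None, None, False
    for tok in condition.split():
        if tok in ("and", "or"):
            op = tok
        elif tok == "not":
            negate = True
        else:
            val = named[tok] != negate        # apply a pending 'not'
            negate = False
            result = val if result is None else ((result and val) if op == "and" else (result or val))
    return bool(result)


def evaluate(rule, event):
    det = rule["detection"]
    named = {name: match_map(event, m) for name, m in det.items() if name != "condition"}
    return eval_condition(det["condition"], named)


def matching_sources(rule, events):
    return [e["SourceImage"].rsplit("\\", 1)[-1] for e in events if evaluate(rule, e)]


# Constructed Sysmon Event ID 10 (ProcessAccess) records, not real telemetry.
EVENTS = [
    {"EventID": 10, "SourceImage": "C:\\Users\\alice\\Downloads\\mimikatz.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"},
    # procdump-style full-access dump: the mask list above does not cover 0x1FFFFF
    # (PROCESS_ALL_ACCESS), so this is missed. Extend the list or alert on any non-allowlisted reader.
    {"EventID": 10, "SourceImage": "C:\\Windows\\Temp\\procdump64.exe",
     "TargetImage": "C:\\Windows\\System32\\LSASS.EXE", "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(f"{evaluate(RULE, e)!s:5} {e['SourceImage']} -> {e['GrantedAccess']}")
```

The fourth record is the point of the exercise: a rule keyed on specific access masks only catches the tools whose masks you enumerated, which is why the public rules for this technique carry a longer list and why an allowlist-plus-anything-else approach is often the stronger detection for LSASS.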
6.4 Threat Hunting with Intelligence
Threat hunting is proactive, hypothesis-driven searching for threats that have evaded automated detection.
# Hunt hypothesis: "APT29 is known to execute commands through WMI (T1047), including for lateral movement"
# Hunt for processes spawned by the WMI provider host: anything started via Win32_Process.Create
# has WmiPrvSE.exe as its parent. Requires Sysmon Event ID 1 (process creation).
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1} |
    Where-Object { $_.Message -match 'ParentImage: .*\\WmiPrvSE\.exe' -and
                   $_.Message -match 'Image: .*\\(cmd|powershell|pwsh)\.exe' } |
    Select-Object TimeCreated, Message
# Hunt for LOLBin abuse: certutil downloading payloads (T1105)
# Certutil is legitimate but often abused for downloading malware. Security Event ID 4688 carries the
# command line only if "Include command line in process creation events" is enabled; Sysmon EID 1 always does.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} |
    Where-Object { $_.Message -match 'certutil' -and $_.Message -match 'urlcache|-decode|-split' }
# Hunt for DGA domains in DNS logs (random-looking domain names)
# Shannon entropy alone is misleading for short labels: it is capped at log2(len), so a six-letter
# gibberish label and "update" score the same. Combine it with a cheap vowel-ratio check and score the
# registrable label rather than the first one; production hunts use n-gram models or classifiers.
python3 -c "
import math
def entropy(s):
    p = [s.count(c)/len(s) for c in set(s)]
    return -sum(x*math.log2(x) for x in p)
def vowel_ratio(s):
    return sum(c in 'aeiou' for c in s) / max(len(s), 1)
domains = ['google.com', 'xkjhdf.net', 'update.microsoft.com', 'asjklhdf.biz']
for d in domains:
    name = d.split('.')[-2]            # registrable label (naive: ignores multi-part TLDs such as co.uk)
    e, v = entropy(name), vowel_ratio(name)
    flag = 'DGA?' if (e > 3.5 or (len(name) >= 6 and v < 0.2)) else 'OK'
    print(f'{d:35s} entropy={e:.2f} vowels={v:.2f} {flag}')
"