I’m new to the SOC team and I want to improve my manual threat hunting skills. Beyond just looking for high CPU usage, what are the subtle "Indicators of Compromise" (IoCs) that often go unnoticed in the logs? Are there specific patterns in DNS traffic or PowerShell execution that I should be prioritizing when I’m scanning our SIEM for suspicious activities?
3 answers
Focus on "Beacons" and "Living off the Land" techniques. Watch for unusual outbound traffic to unknown IPs on a regular heartbeat; this often indicates Command & Control (C2) communication. In PowerShell, look for encoded commands (-e or -enc) which are used to hide malicious scripts from basic log filters. Another big one is DNS tunneling—look for a high volume of DNS requests to a single unusual domain. Also, keep an eye on "Lateral Movement" logs, such as a user suddenly logging into fifty different workstations in an hour. These behavioral anomalies are much harder for attackers to hide than simple file-based malware.
Do you have a baseline for "Normal" traffic in your network, or are you trying to identify "Abnormal" activity without knowing what a quiet day looks like?
Watch for "Privilege Escalation" attempts. Any account that suddenly attempts to access a Domain Controller or a password vault should trigger an immediate high-priority alert.
Exactly, Linda. Monitoring your "Crown Jewels" for any unauthorized access attempts is the best way to catch an intruder before they can do real damage.
Charles, that's a great point. We spent the first month just documenting the usual "chatter" from our software updates and cloud syncs. Now that we have that baseline, the anomalies stand out like a sore thumb. For instance, we caught a developer using an unauthorized VPN because their traffic patterns shifted from a standard 9-to-5 window to midnight bursts. Without that baseline, we would have just assumed it was a background system process. Understanding your environment's "heartbeat" is the most important skill for any successful threat hunter.