Hunting for threats on Windows systems
Threat hunting is based on events collected from endpoints, either Windows event logs forwarded with built-in tooling to a SIEM system (in practice this usually covers servers only), or telemetry acquired by an EDR solution (covering both workstations and servers). The following list explains the relevance criteria for the data used in the hunting process:
- Security events from every system in the scope of the hunt, available over time; how far back a hunt can look is bounded by the telemetry retention period
- Events that can show a potential attacker's activity, not just routine system noise
- Traces of a threat actor's activity in the second stage of a cyberattack (recall the unified kill chain of a sophisticated cyberattack introduced in Chapter 2), in the form of telemetry or forensic artifacts left behind by those actions; security controls should therefore be chosen so that they cover this stage of an attack
- An Endpoint Detection and Response (EDR) solution is a must; other security controls such as SIEM, UEBA, PAM, NGFW, ... complement it
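The two criteria above that a hunter can actually measure are coverage (is every in-scope host represented within the retention window?) and the presence of second-stage traces (e.g. a remote logon followed by hands-on execution). The following Python script is an added example, not code from the book: it runs both checks over a handful of constructed Windows Security events (IDs 4624 logon and 4688 process creation) in the shape a forwarding pipeline might deliver. The field names (`host`, `event_id`, `time`, `user`, `logon_type`, `image`, `cmdline`), the host list, the retention period and the correlation window are this example's own assumptions; a real SIEM or EDR schema will differ.

```python
"""Toy hunting pass over forwarded Windows Security events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hunting scope, retention and "now" are assumptions for this example.
IN_SCOPE_HOSTS = {"DC01", "FS01", "WS-ALICE", "WS-BOB"}
RETENTION_DAYS = 30
NOW = datetime(2024, 5, 10, 12, 0, 0)

# Logon types that indicate the account came in over the network
# (3 = network, e.g. SMB/WMI/PsExec-style; 10 = RemoteInteractive/RDP).
REMOTE_LOGON_TYPES = {3, 10}

# Constructed sample telemetry (not real logs); field names are this example's own.
EVENTS = [
    # Normal interactive logon and work on a workstation.
    {"host": "WS-ALICE", "event_id": 4624, "time": "2024-05-09T08:02:10",
     "user": "alice", "logon_type": 2},
    {"host": "WS-ALICE", "event_id": 4688, "time": "2024-05-09T08:03:00",
     "user": "alice", "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    # Second-stage trace: network logon to a file server, then a shell 35 s later.
    {"host": "FS01", "event_id": 4624, "time": "2024-05-09T22:14:05",
     "user": "alice", "logon_type": 3},
    {"host": "FS01", "event_id": 4688, "time": "2024-05-09T22:14:40",
     "user": "alice", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c whoami /all"},
    # Service account network logon with no follow-up execution: not flagged.
    {"host": "DC01", "event_id": 4624, "time": "2024-05-09T23:00:00",
     "user": "svc_backup", "logon_type": 3},
    # WS-BOB only has telemetry older than the retention window: a blind spot.
    {"host": "WS-BOB", "event_id": 4624, "time": "2024-03-01T09:00:00",
     "user": "bob", "logon_type": 2},
]


def _ts(event):
    """Parse the event's ISO-8601 timestamp."""
    return datetime.fromisoformat(event["time"])


def coverage_gaps(events, hosts=IN_SCOPE_HOSTS, now=NOW, retention_days=RETENTION_DAYS):
    """Return in-scope hosts with no telemetry inside the retention window.

    This is the first relevance criterion: a hunt can only be trusted for
    hosts that actually reported during the period being examined.
    """
    window_start = now - timedelta(days=retention_days)
    seen = {e["host"] for e in events if _ts(e) >= window_start}
    return sorted(hosts - seen)


def hunt_remote_logon_then_exec(events, window=timedelta(minutes=5)):
    """Flag process creations that follow a remote logon by the same account
    on the same host within `window`.

    Each event alone looks routine; the pair is a classic second-stage trace
    (lateral movement followed by hands-on execution) worth an analyst's review.
    """
    by_host_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_host_user[(e["host"], e["user"])].append(e)

    hits = []
    for (host, user), evs in by_host_user.items():
        last_remote_logon = None
        for e in evs:
            if e["event_id"] == 4624 and e.get("logon_type") in REMOTE_LOGON_TYPES:
                last_remote_logon = _ts(e)
            elif e["event_id"] == 4688 and last_remote_logon is not None:
                if _ts(e) - last_remote_logon <= window:
                    hits.append({"host": host, "user": user,
                                 "time": e["time"], "cmdline": e["cmdline"]})
    return hits


if __name__ == "__main__":
    for h in coverage_gaps(EVENTS):
        print(f"no telemetry within {RETENTION_DAYS} days: {h}")
    for hit in hunt_remote_logon_then_exec(EVENTS):
        print(f"review: {hit['host']} {hit['user']} {hit['time']} {hit['cmdline']}")
```

On the constructed data the coverage check reports WS-BOB as a blind spot, and the correlation flags the `cmd.exe` launch on FS01 while leaving the service account's bare network logon on DC01 alone. In practice the same two questions are asked of SIEM or EDR data at far larger scale, but the point stands: without coverage over the retention period, and without events that capture post-compromise activity, there is nothing for the hunt to find.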