Hunting Red Team Activities with Forensic Artifacts

Many enterprise networks are under attack or have already been compromised by adversaries. Red teamers and attackers keep finding new ways into environments and, depending on their skill level, rely on legitimate tools combined with sophisticated techniques. This makes the blue team's job increasingly difficult, since an attacker only needs to succeed once to gain access.

Blue teamers therefore need to proactively search for evidence of compromise in their environment and think like "the red teamers" in order to detect and hunt their activities and techniques across the network and the endpoints. In this research paper, we demonstrate several red team activities based on real-life scenarios. We discuss the various forensic artifacts that can be used to hunt malicious actors and their traces, and we give an overview of YARA rules for detecting malware and malicious files. At the end of the paper, we present effective SIEM use cases for hunting, monitoring and detecting the demonstrated scenarios, together with some hunting tips.
