Introducing Hunt Advanced Search

Introducing Hunt Advanced Search

Published on

Published on

Published on

Jan 30, 2024

Jan 30, 2024

Jan 30, 2024

Introducing Hunt Advanced Search
Introducing Hunt Advanced Search
Introducing Hunt Advanced Search
TABLE OF CONTENTS

Have you ever run multiple searches seeking to identify malicious infrastructure only to be left frustrated and with more questions than when you started?

Today, we are happy to introduce the Advanced Search feature for Hunt.

Designed with an easy-to-use language to specifically query the data Hunt scans, researchers and threat hunters alike can discover hidden gems in open directories, track well-known frameworks used for initial access, or search for one-of-a-kind TLS certificates; Advanced Search is key to unlocking the secrets of the internet.

Let's Get Started: Query Syntax & Examples

Advanced Search focuses on three categories when searching data: Malware, Certificates, and Opendir files. Each category has a data schema and example values, allowing users to immediately experience the tool's power.

The below figure depicts what users see when navigating to the Advanced Search page.

httpshuntioimagesblogsblog-12img-1-2xwebp
Figure 1: Advanced Search Page

For reference, let's cover a few of the more common queries along with a screenshot from each category threat hunters are likely to use throughout an investigation:

Searching for newly identified Quasar RAT infrastructure

  • Query: malware_name:"Quasar"
httpshuntioimagesblogsblog-12img-2-2xwebp
Figure 2: Snippet of query results for Quasar infrastructure

Notice that, like any other modern query language, we can combine queries for a more comprehensive result.

Using the "AND" operator in addition to "seen_last," we can filter our results to only those scanned in the last 7 days.

TLS certificate subject common name default Cobalt Strike

  • subject.common_name:"
httpshuntioimagesblogsblog-12img-3-2xwebp
Figure 3: Snippet of query results for default Cobalt Strike certificate common name

Presence of Fast Reverse Proxy configuration files on open directories

  • file_key://frpc.ini$/ AND modified:>now-30d
httpshuntioimagesblogsblog-12img-4-2xwebp
Figure 4: Snipped of query results for FRP config files

Enough of the example queries; let's dig into some real-world examples and put Advanced Search to the test!

JA4X & Sliver

This first example will combine the power of John Althouse's JA4+ suite, specifically JA4X ( https://github.com/FoxIO-LLC/ja4 ), with Hunt's ability to search across subject and issuer information from TLS certificates.

httpshuntioimagesblogsblog-12img-5-2xwebp
Figure 5: Snippet of query results for Sliver certificates.

The query in the screenshot above searches for certificates matching the JA4X hash but does not use the default subject or issuer common names hardcoded into the Sliver framework.

Cobalt Strike Redirector

RedWarden (https://github.com/mgeeky/RedWarden), is an open-source Cobalt Strike C2 reverse proxy meant to throw researchers off the scent of adversary infrastructure.

Let's find some recent instances of RedWarden hosted on DigitalOcean.

httpshuntioimagesblogsblog-12img-6-2xwebp
Figure 6: Snippet of query results for RedWarden on Digital Ocean infrastructure

OpenDirs & CVE's

Past Hunt blog articles have focused on just how important open directories can be to cyber threat hunting and incident response.

In addition to the large number of executables, log and configuration files and whatever else is exposed, many open directories also host exploit code for common vulnerabilities and exposures (CVE), past and present.

See the below screenshot for exploit code identified by Hunt in open directories across the past 7 days.

httpshuntioimagesblogsblog-12img-7-2xwebp
Figure 7: Snippet of query results for opendir exploit code

Conclusion

We've only scratched the surface of what is capable when using Advanced Search. In just a line or two, researchers, threat hunters, and the curious can identify malicious infrastructure first seen a couple minutes ago, or track the steps of an adversaries infrastructure from a few months ago.

If you haven't already, apply for a Hunt account, and if you find something interesting share your query with the community.

TABLE OF CONTENTS

Have you ever run multiple searches seeking to identify malicious infrastructure only to be left frustrated and with more questions than when you started?

Today, we are happy to introduce the Advanced Search feature for Hunt.

Designed with an easy-to-use language to specifically query the data Hunt scans, researchers and threat hunters alike can discover hidden gems in open directories, track well-known frameworks used for initial access, or search for one-of-a-kind TLS certificates; Advanced Search is key to unlocking the secrets of the internet.

Let's Get Started: Query Syntax & Examples

Advanced Search focuses on three categories when searching data: Malware, Certificates, and Opendir files. Each category has a data schema and example values, allowing users to immediately experience the tool's power.

The below figure depicts what users see when navigating to the Advanced Search page.

httpshuntioimagesblogsblog-12img-1-2xwebp
Figure 1: Advanced Search Page

For reference, let's cover a few of the more common queries along with a screenshot from each category threat hunters are likely to use throughout an investigation:

Searching for newly identified Quasar RAT infrastructure

  • Query: malware_name:"Quasar"
httpshuntioimagesblogsblog-12img-2-2xwebp
Figure 2: Snippet of query results for Quasar infrastructure

Notice that, like any other modern query language, we can combine queries for a more comprehensive result.

Using the "AND" operator in addition to "seen_last," we can filter our results to only those scanned in the last 7 days.

TLS certificate subject common name default Cobalt Strike

  • subject.common_name:"
httpshuntioimagesblogsblog-12img-3-2xwebp
Figure 3: Snippet of query results for default Cobalt Strike certificate common name

Presence of Fast Reverse Proxy configuration files on open directories

  • file_key://frpc.ini$/ AND modified:>now-30d
httpshuntioimagesblogsblog-12img-4-2xwebp
Figure 4: Snipped of query results for FRP config files

Enough of the example queries; let's dig into some real-world examples and put Advanced Search to the test!

JA4X & Sliver

This first example will combine the power of John Althouse's JA4+ suite, specifically JA4X ( https://github.com/FoxIO-LLC/ja4 ), with Hunt's ability to search across subject and issuer information from TLS certificates.

httpshuntioimagesblogsblog-12img-5-2xwebp
Figure 5: Snippet of query results for Sliver certificates.

The query in the screenshot above searches for certificates matching the JA4X hash but does not use the default subject or issuer common names hardcoded into the Sliver framework.

Cobalt Strike Redirector

RedWarden (https://github.com/mgeeky/RedWarden), is an open-source Cobalt Strike C2 reverse proxy meant to throw researchers off the scent of adversary infrastructure.

Let's find some recent instances of RedWarden hosted on DigitalOcean.

httpshuntioimagesblogsblog-12img-6-2xwebp
Figure 6: Snippet of query results for RedWarden on Digital Ocean infrastructure

OpenDirs & CVE's

Past Hunt blog articles have focused on just how important open directories can be to cyber threat hunting and incident response.

In addition to the large number of executables, log and configuration files and whatever else is exposed, many open directories also host exploit code for common vulnerabilities and exposures (CVE), past and present.

See the below screenshot for exploit code identified by Hunt in open directories across the past 7 days.

httpshuntioimagesblogsblog-12img-7-2xwebp
Figure 7: Snippet of query results for opendir exploit code

Conclusion

We've only scratched the surface of what is capable when using Advanced Search. In just a line or two, researchers, threat hunters, and the curious can identify malicious infrastructure first seen a couple minutes ago, or track the steps of an adversaries infrastructure from a few months ago.

If you haven't already, apply for a Hunt account, and if you find something interesting share your query with the community.

Related Posts:

Dec 20, 2024

Discover Hunt.io's 2024 highlights: major product launches, innovations like AttackCapture™, C2 Feed, and Hunt SQL, and a look ahead to 2025.

Dec 20, 2024

Discover Hunt.io's 2024 highlights: major product launches, innovations like AttackCapture™, C2 Feed, and Hunt SQL, and a look ahead to 2025.

Oyster’s Trail: Resurgence of Infrastructure Linked to Ransomware and Cybercrime Actors
Dec 12, 2024

Our latest analysis uncovers domains linked to the Oyster backdoor, revealing suspected Vanilla Tempest infrastructure and offering insights into server configuration patterns.

Oyster’s Trail: Resurgence of Infrastructure Linked to Ransomware and Cybercrime Actors
Dec 12, 2024

Our latest analysis uncovers domains linked to the Oyster backdoor, revealing suspected Vanilla Tempest infrastructure and offering insights into server configuration patterns.

“Million OK!!!!” and the Naver Facade: Tracking Recent Suspected Kimsuky Infrastructure
Dec 10, 2024

Learn how the 'Million OK!!!' HTTP response previously linked to Kimsuky has reappeared on new IPs and domains. This update provides the latest insights into evolving infrastructure, helping defenders stay informed on potential North Korean threat activity.

“Million OK!!!!” and the Naver Facade: Tracking Recent Suspected Kimsuky Infrastructure
Dec 10, 2024

Learn how the 'Million OK!!!' HTTP response previously linked to Kimsuky has reappeared on new IPs and domains. This update provides the latest insights into evolving infrastructure, helping defenders stay informed on potential North Korean threat activity.

MoqHao Leverages iCloud and VK in Campaign Targeting Apple IDs and Android Device
Dec 5, 2024

Discover how the MoqHao campaign leveraging iCloud and VK employs cross-platform tactics to steal credentials and distribute malicious APKs.

MoqHao Leverages iCloud and VK in Campaign Targeting Apple IDs and Android Device
Dec 5, 2024

Discover how the MoqHao campaign leveraging iCloud and VK employs cross-platform tactics to steal credentials and distribute malicious APKs.

Dec 20, 2024

Discover Hunt.io's 2024 highlights: major product launches, innovations like AttackCapture™, C2 Feed, and Hunt SQL, and a look ahead to 2025.

Oyster’s Trail: Resurgence of Infrastructure Linked to Ransomware and Cybercrime Actors
Dec 12, 2024

Our latest analysis uncovers domains linked to the Oyster backdoor, revealing suspected Vanilla Tempest infrastructure and offering insights into server configuration patterns.