Using Darktrace for Threat Hunting







What is Threat Hunting?
Threat Hunting is a technique to identify adversaries within an organization that go undetected by traditional security tools.
While a traditional, reactive approach to cyber security often involves automated alerts received and investigated by a security team, threat hunting takes a proactive approach to seek out potential threats and vulnerabilities before they escalate into full-blown security incidents. The benefits of hunting include identifying hidden threats, reducing the dwell time of attackers, and enhancing overall detection and response capabilities.
Threat Hunting Methodology
There are many different methodologies and frameworks for threat hunting, including the Pyramid of Pain, the Sqrrl Hunting Loop, and the MITRE ATT&CK Framework. While there is not one gold standard on how to conduct threat hunts, the typical process can be broken down into several key steps:
- Planning and Hypothesis Creation: Define the scope and objective of the threat hunt. Identify potential targets and predict activity that might be taking place.
- Data Collection: Refine data collection methods and gather data from various sources, including logs, network traffic, and endpoint data.
- Data Processing: Process the collected data to generate information.
- Data Analysis: Analyze the processed data for anomalies, indicators of compromise (IoCs), or patterns of suspicious behavior.
- Threat Identification: Based on the analysis, threat hunters may identify potential threats or security incidents.
- Response: Take action to mitigate or eradicate any identified threats.
- Documentation and Dissemination: Record any findings or actions taken during the threat hunting process to serve as lessons learned for future reference. Additionally, any new threats or tactics, techniques, and procedures (TTPs) discovered may be shared with the cyber threat intelligence team or the wider community.
Building a Threat Hunting Program
Organizations looking to implement threat hunting as part of their cyber security program need both a data collection source and human analysts to act as threat hunters.
Data collection and analysis may often be performed through existing security tools including SIEM systems, Network Traffic Analysis tools, endpoint agents, and system logs. On the human side, experienced threat hunters may be hired into an organization, or existing SOC analysts may be upskilled to perform threat hunts.
Leveraging AI security tools such as Darktrace can help to lower the bar in building a threat hunting program, both in analysis of the data and in assisting humans in their investigations.
Threat Hunting in Darktrace
To illustrate the benefits of leveraging Darktrace in threat hunting, we can walk through an example hunt following the key steps outlined above.
Planning and Hypothesis Creation
The initial hypothesis used in defining the scope of a threat hunt can come from several sources: threat intelligence feeds, the threat hunter’s own experience, or an anomaly detection that has been highlighted by Darktrace.
In this case, let’s imagine that this hunt is focused on a recent campaign by an Advanced Persistent Threat (APT). Threat intel has provided known file hashes, Command and Control (C2) IP addresses and domains, and MITRE techniques used by the attacker. The goal is to determine whether any indicators of this threat are present in the organization’s environment.
Data Collection and Data Processing
Darktrace can be deployed to cover an organization’s entire digital estate, including passive network traffic monitoring, cloud environments, and SaaS applications. Self-Learning AI is applied to the raw data to learn normal patterns of life for a specific environment and to highlight deviations from normal that might represent a threat. This data gives threat hunters a starting point in analyzing logs, meta-data, and anomaly detections.
Data Analysis
In the data analysis phase, threat hunters can use the Darktrace platform to search for the IoCs and TTPs identified during planning.
When searching for IoCs such as IP addresses or domain names, hunters can query the environment through the Omnisearch bar in the Darktrace Threat Visualizer. This search can provide a summary of all devices or users contacting a suspicious endpoint. From here the hunters can quickly pivot to identify surrounding activity from the source device.

Alternatively, Darktrace Advanced Search can be used to search for these IoCs; it also supports queries for file hashes and more advanced searches based on ports, protocols, data volumes, etc.
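The same sweep-then-pivot workflow can be sketched over exported connection metadata. This is an added example, not Darktrace's query syntax or code from the original post; the indicators, device names and log rows are constructed, and the CSV layout is an assumption.

```python
"""IoC sweep over connection metadata, with a pivot to surrounding activity.
All indicators and log rows below are constructed for illustration."""
import csv
import io
from datetime import datetime, timedelta

# Constructed, defanged indicators as a threat-intel report might list them.
INTEL = ["203.0.113[.]77", "hxxp://update-cdn.example[.]net", "files.example[.]org"]

# Constructed connection log (assumed layout): time, source device, host, IP, port.
LOG = """\
ts,src,dst_host,dst_ip,dst_port
2024-01-10T09:00:02,ws-014,intranet.corp.example,10.0.0.5,443
2024-01-10T09:14:40,ws-014,api.update-cdn.example.net,198.51.100.9,443
2024-01-10T09:15:05,ws-014,,203.0.113.77,8443
2024-01-10T09:16:30,ws-014,fileserver.corp.example,10.0.0.20,445
2024-01-10T11:02:11,srv-db1,,203.0.113.77,8443
2024-01-10T11:30:00,ws-022,notupdate-cdn.example.net,198.51.100.50,443
2024-01-10T15:45:00,ws-014,intranet.corp.example,10.0.0.5,443
"""


def refang(indicator):
    """Undo common defanging and strip scheme/path so only host or IP remains."""
    s = indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")
    s = s.replace("hxxp", "http")
    if "://" in s:
        s = s.split("://", 1)[1]
    return s.split("/", 1)[0].rstrip(".")


def matches(ioc, host, ip):
    """IP IoCs match exactly; domain IoCs match the host or any subdomain of it."""
    if ioc == ip:
        return True
    host = host.lower().rstrip(".")
    # Match on a label boundary so "notupdate-cdn..." does not hit "update-cdn...".
    return bool(host) and (host == ioc or host.endswith("." + ioc))


def parse(log_text):
    """Read the CSV export and convert timestamps to datetime objects."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return rows


def sweep(rows, intel):
    """Summarise, per indicator, which devices contacted it and when."""
    iocs = [refang(i) for i in intel]
    summary = {}
    for r in rows:
        for ioc in iocs:
            if matches(ioc, r["dst_host"], r["dst_ip"]):
                s = summary.setdefault(
                    ioc, {"devices": set(), "hits": 0, "first": r["ts"], "last": r["ts"]})
                s["devices"].add(r["src"])
                s["hits"] += 1
                s["first"] = min(s["first"], r["ts"])
                s["last"] = max(s["last"], r["ts"])
    return summary


def pivot(rows, device, when, minutes=5):
    """Everything `device` did within +/- `minutes` of a hit, for context."""
    window = timedelta(minutes=minutes)
    return [r for r in rows if r["src"] == device and abs(r["ts"] - when) <= window]


if __name__ == "__main__":
    rows = parse(LOG)
    for ioc, s in sweep(rows, INTEL).items():
        print(ioc, sorted(s["devices"]), s["hits"], s["first"], s["last"])
        for device in sorted(s["devices"]):
            for r in pivot(rows, device, s["first"]):
                print("   ", device, r["ts"], r["dst_host"] or r["dst_ip"], r["dst_port"])
```

An indicator with no hits is simply absent from the summary, which is itself a hunt result worth recording.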

While searching for known suspicious domains and IP addresses is straightforward, the real strength of Darktrace lies in the ability to highlight deviations from a device’s ‘normal’ pattern of life. Darktrace has many built-in behavioral models designed to detect common adversary TTPs, all mapped to the MITRE ATT&CK Framework.
In the context of our threat hunt, we know that our target APT uses the Remote Desktop Protocol (RDP) to move laterally within a compromised network, specifically leveraging MITRE technique T1021.001. As each Darktrace model is mapped to MITRE, the threat hunter can search and find specific detection models that may be of interest, in this case the model ‘Anomalous Connection / Unusual Internal Remote Desktop’. From here they can view any devices that may have triggered this model, indicating possible attacker activity.

Threat hunters can also search more widely for any detections within a specific MITRE tactic through filters found on the Darktrace Threat Tray.

Threat Identification
Once a threat hunter has identified connections, model breaches, or anomalies during the analysis phase, they can begin to conduct further investigation to determine if this may represent a security incident.
Threat hunters can use Darktrace to perform deeper analysis through generating packet captures, visualizing surrounding network traffic, and utilizing features like the VirusTotal lookup to consult open-source intelligence (OSINT).
Another powerful tool to augment the hunter’s investigation is the Darktrace Cyber AI Analyst, which assists human teams in the investigation and correlation of behaviors to identify threats. Cyber AI Analyst automatically launches an initial triage of every model breach in the Darktrace platform, but threat hunters can also leverage manual investigations to gain additional context on their findings.
For example, say that an unusual RDP connection of interest was identified through Advanced Search. The hunter can pivot back to the Threat Visualizer and launch an AI Analyst investigation for the source device at the time of the connection. The resulting investigation may provide the hunter with additional suspicious behavior observed around that time, without the need for manual log analysis.

Response
If a threat is detected within Darktrace and confirmed by the threat hunter, Darktrace RESPOND™ can be leveraged to take either autonomous or manual action to contain the threat. This provides the security team with additional time to conduct further investigation, pull forensics, and remediate the threat. This process can be further supported through the bespoke, AI-generated playbooks offered by Darktrace HEAL™, allowing an efficient recovery back to normal.

Documentation and Dissemination
An important final step is to document the threat hunting process and use the results to improve automated security alerting and response. In Darktrace, reporting can be generated through the Cyber AI Analyst, Advanced Search exports, and model breach details to support documentation.
Improving existing alerting in Darktrace may mean creating a new detection model or increasing the priority of existing detections to ensure that these are escalated to the security team in the future. The Darktrace model editor provides users with full visibility into models and allows the creation of custom detections based on use cases or business requirements.

Conclusions
Proactive threat hunting is an important part of a cyber security approach to identify hidden threats, reduce dwell time, and improve incident response. Darktrace’s Self-Learning AI provides a powerful tool for identifying attacker TTPs and augmenting human threat hunters in their process. Utilizing the Darktrace platform, threat hunters can significantly reduce the time required to complete their hunts and mitigate identified threats.
Royal Pains: How Darktrace Refused to Bend the Knee to the MyKings Botnet



Botnets: A persistent cyber threat
Since their appearance in the wild over three decades ago, botnets have consistently been the attack vector of choice for many threat actors. The most prevalent of these attack vectors are distributed denial of service (DDoS) and phishing campaigns. Their persistent nature means that even if a compromised device is identified, attackers can continue to operate by using the additional compromised devices they will likely have on the target network. Similarly, command and control (C2) infrastructure can easily be restructured between infected systems, making it increasingly difficult to remove the infection.
MyKings Botnet
One of the most prevalent and sophisticated examples in recent years is the MyKings botnet, also known as Smominru or DarkCloud. Darktrace has observed numerous cases of MyKings botnet compromises across multiple customer environments in several different industries as far back as August 2022. The diverse tactics, techniques, and procedures (TTPs) and sophisticated kill chains employed by MyKings botnet may prove a challenge to traditional rule and signature-based detections.
However, Darktrace’s anomaly-centric approach enabled it to successfully detect a wide range of indicators of compromise (IoCs) related to the MyKings botnet and bring immediate awareness to customer security teams, as it demonstrated on the network of multiple customers between March and August 2023.
Background on MyKings Botnet
MyKings has been active and spreading steadily since 2016 resulting in over 520,000 infections worldwide.[1] Although verified attribution of the botnet remains elusive, the variety of targets and prevalence of crypto-mining software on affected devices suggests the threat group behind the malware is financially motivated. The operators behind MyKings appear to be highly opportunistic, with attacks lacking an obvious specific target industry. Across Darktrace’s customer base, the organizations affected were representative of multiple industries such as entertainment, mining, education, information technology, health, and transportation.
Given its longevity, the MyKings botnet has unsurprisingly evolved since its first appearance years ago. Initial analyses of the botnet showed that the primary crypto-related activity on infected devices was the installation of Monero-mining software. However, in 2019 researchers discovered a new module within the MyKings malware that enabled clipboard-jacking, whereby the malware replaces a user's copied cryptowallet address with the operator's own wallet address in order to siphon funds.[2]
Similar to other botnets such as the Outlaw crypto-miner, the MyKings botnet can also kill running processes of unrelated malware on the compromised hosts that may have resulted from prior infection.[3] MyKings has also developed a comprehensive set of persistence techniques, including the deployment of bootkits, initiating the botnet immediately after a system reboot, configuring Registry run keys, and generating multiple Scheduled Tasks and WMI listeners.[4] MyKings has also been observed rotating tools and payloads over time to propagate the botnet. For example, some operators have been observed utilizing PCShare, an open-source remote access trojan (RAT) customized to conduct C2 services, execute commands, and download mining software.[5]
Darktrace Coverage
Across observed customer networks between March and August 2023, Darktrace identified the MyKings botnet primarily targeting Windows-based servers that support services like MySQL, MS-SQL, Telnet, SSH, IPC, WMI, and Remote Desktop (RDP). In the initial phase of the attack, the botnet would initiate a variety of attacks against a target including brute-forcing and exploitation of unpatched vulnerabilities on exposed servers. The botnet delivers a variety of payloads to the compromised systems including worm downloaders, trojans, executable files and scripts.
This pattern of activity was detected across the network of one particular Darktrace customer in the education sector in early March 2023. Unfortunately, this customer did not have Darktrace RESPOND™ deployed on their network at the time of the attack, meaning the MyKings botnet was able to move through the cyber kill chain ultimately achieving its goal, which in this case was mining cryptocurrency.
Initial Access
On March 6, Darktrace observed an internet-facing SQL server receiving an unusually large number of incoming MySQL connections from the rare external endpoint 171.91.76[.]31 via port 1433. While it is not possible to confirm whether these suspicious connections represented the exact starting point of the infection, such a sudden influx of SQL connections from a rare external endpoint could be indicative of a malicious attempt to exploit vulnerabilities in the server's SQL database or perform password brute-forcing to gain unauthorized access. Given that MyKings typically spreads primarily through such targeting of internet-exposed devices, the pattern of activity is consistent with potential initial access by MyKings.[6]
Initial Command and Control
The device then proceeded to initiate a series of repeated HTTP connections between March 6 and March 10 to the domain www[.]back0314[.]ru (107.148.239[.]111). These connections included HTTP GET requests featuring URIs such as ‘/back.txt’, suggesting potential beaconing and C2 communication. The device continued this connectivity to the external host over the course of four days, primarily utilizing destination ports 80 and 6666. While port 80 is commonly utilized for HTTP connections, port 6666 is a non-standard port for the protocol. Such connectivity over non-standard ports can indicate potential detection evasion and obfuscation tactics by the threat actors. During this time, the device also initiated repeated connections to additional malicious external endpoints with seemingly algorithmically generated hostnames such as pc.pc0416[.]xyz.
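The two signals described above, repeated requests at a steady cadence and HTTP on an unexpected port, can be checked in exported HTTP logs as follows. This is an added example, not Darktrace's detection logic or code from the original post; the log layout, request timings, benign host, port allow-list and thresholds are constructed assumptions.

```python
"""Flag beacon-like HTTP: regular request timing and HTTP on unexpected ports.
Log rows are constructed; the defanged host and URI are the ones named above."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

STANDARD_HTTP_PORTS = {80, 8080}  # assumption: what this environment treats as normal

# Constructed HTTP log (assumed layout): time, source, host, port, method, URI.
LOG = """\
2023-03-06T10:00:00 sql01 www[.]back0314[.]ru 80 GET /back.txt
2023-03-06T10:10:02 sql01 www[.]back0314[.]ru 6666 GET /back.txt
2023-03-06T10:19:58 sql01 www[.]back0314[.]ru 80 GET /back.txt
2023-03-06T10:30:01 sql01 www[.]back0314[.]ru 6666 GET /back.txt
2023-03-06T10:40:00 sql01 www[.]back0314[.]ru 80 GET /back.txt
2023-03-06T10:49:59 sql01 www[.]back0314[.]ru 6666 GET /back.txt
2023-03-06T10:01:10 ws07 updates.vendor.example 80 GET /index.html
2023-03-06T10:01:12 ws07 updates.vendor.example 80 GET /style.css
2023-03-06T10:27:45 ws07 updates.vendor.example 80 GET /news
2023-03-06T13:05:00 ws07 updates.vendor.example 80 GET /index.html
2023-03-06T13:05:03 ws07 updates.vendor.example 80 GET /logo.png
2023-03-06T16:40:20 ws07 updates.vendor.example 80 GET /news
"""


def parse(log_text):
    """Split each whitespace-separated row into a typed event dict."""
    events = []
    for line in log_text.strip().splitlines():
        ts, src, host, port, method, uri = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "host": host,
                       "port": int(port), "method": method, "uri": uri})
    return events


def find_beacons(events, min_events=5, max_cv=0.1):
    """Group by (source, host) and score timing regularity with the coefficient
    of variation (stdev / mean) of the gaps between consecutive requests.
    Human browsing is bursty (high CV); timer-driven check-ins are not."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["src"], e["host"])].append(e)
    findings = []
    for (src, host), evs in groups.items():
        if len(evs) < min_events:
            continue  # too few samples to judge periodicity
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            findings.append({
                "src": src, "host": host, "events": len(evs),
                "period_s": round(avg), "cv": round(cv, 3),
                "odd_ports": sorted({e["port"] for e in evs} - STANDARD_HTTP_PORTS),
                "uris": sorted({e["uri"] for e in evs}),
            })
    return findings


def nonstandard_http(events):
    """HTTP seen on ports outside the expected set, per (src, host, port)."""
    return sorted({(e["src"], e["host"], e["port"]) for e in events
                   if e["port"] not in STANDARD_HTTP_PORTS})


if __name__ == "__main__":
    evs = parse(LOG)
    for f in find_beacons(evs):
        print("beacon-like:", f)
    for hit in nonstandard_http(evs):
        print("HTTP on non-standard port:", hit)
```

Jittered beacons raise the coefficient of variation, so `max_cv` is a tuning knob to validate against known-good periodic traffic such as update checks.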

Tool Transfer
While this beaconing activity was taking place, the affected device also began to receive potential payloads from unusual external endpoints. On April 29, the device made an HTTP GET request for “/power.txt” to the endpoint 192.236.160[.]237, which was later discovered to have multiple open-source intelligence (OSINT) links to malware. Power.txt is shellcode written in PowerShell which is downloaded and executed with the purpose of disabling Windows Defender-related functions.[7] After the initial script was downloaded (and likely executed), Darktrace went on to detect the device making a series of additional GET requests for several varying compressed and executable files. For example, the device made HTTP requests for ‘/pld/cmd.txt’ to the external endpoint 104.233.224[.]173. In response the external server provided numerous files, including ‘u.exe’ and ‘upsup4.exe’ for download, both of which share file names with previously identified MyKings payloads.
MyKings deploys a diverse array of payloads to expand the botnet and secure a firm position within a compromised system. This multi-faceted approach may render conventional security measures less effective due to the intricacy and variety of the payloads involved in compromises. Darktrace, however, does not rely on static or outdated lists of IoCs in order to detect malicious activity. Instead, DETECT’s Self-Learning AI allows it to identify emerging compromise activity by recognizing the subtle deviations in an affected device’s behavior that could indicate it has fallen into the hands of malicious actors.

Achieving Objectives – Crypto-Mining
Several weeks after the initial payloads were delivered and beaconing commenced, Darktrace finally detected the initiation of crypto-mining operations. On May 27, the originally compromised server connected to the rare domain other.xmrpool[.]ru over port 1081. As seen in the domain name, this endpoint appears to be affiliated with pool mining activity and the domain has various OSINT affiliations with the cryptocurrency Monero coin. During this connection, the host was observed passing Monero credentials, activity which parallels similar mining operations observed on other customer networks that had been compromised by the MyKings botnet.
Although mining activity may not pose an immediate or urgent security concern, unauthorized cryptomining on devices can result in detrimental consequences, such as compromised hardware integrity, elevated energy costs, reduced productivity, and even potential involvement in money laundering.

Conclusion
Detecting future iterations of the MyKings botnet will likely demand a shift away from an overreliance on traditional rules and signatures and lists of “known bads”, instead requiring organizations to employ AI-driven technology that can identify suspicious activity that represents a deviation from previously established patterns of life.
Despite the diverse range of payloads, malicious endpoints, and intricate activities that constitute a typical MyKings botnet compromise, Darktrace was able to successfully detect multiple critical phases within the MyKings kill chain. Given the evolving nature of the MyKings botnet, it is highly probable the botnet will continue to expand and adapt, leveraging new tactics and technologies. By adopting Darktrace’s suite of products, including Darktrace DETECT, organizations are well-positioned to identify these evolving threats as soon as they emerge and, when coupled with the autonomous response technology of Darktrace RESPOND, threats like the MyKings botnet can be stopped in their tracks before they can achieve their ultimate goals.
Credit to: Oluwatosin Aturaka, Analyst Team Lead, Cambridge, Adam Potter, Cyber Analyst
Appendix
IoC Table
IoC - Type - Description + Confidence
162.216.150[.]108 - IP - C2 Infrastructure
103.145.106[.]242 - IP - C2 Infrastructure
137.175.56[.]104 - IP - C2 Infrastructure
138.197.152[.]201 - IP - C2 Infrastructure
139.59.74[.]135 - IP - C2 Infrastructure
pc.pc0416[.]xyz - Domain - C2 Infrastructure (DGA)
other.xmrpool[.]ru - Domain - Cryptomining Endpoint
xmrpool[.]ru - Domain - Cryptomining Endpoint
103.145.106[.]55 - IP - Cryptomining Endpoint
ntuser[.]rar - Zipped File - Payload
/xmr1025[.]rar - Zipped File - Payload
/20201117[.]rar - Zipped File - Payload
wmi[.]txt - File - Payload
u[.]exe - Executable File - Payload
back[.]txt - File - Payload
upsupx2[.]exe - Executable File - Payload
cmd[.]txt - File - Payload
power[.]txt - File - Payload
ups[.]html - File - Payload
xmr1025.rar - Zipped File - Payload
171.91.76[.]31 - IP - Possible Initial Compromise Endpoint
www[.]back0314[.]ru - Domain - Probable C2 Infrastructure
107.148.239[.]111 - IP - Probable C2 Infrastructure
194.67.71[.]99 - IP - Probable C2 Infrastructure
Darktrace DETECT Model Breaches
- Device / Initial Breach Chain Compromise
- Anomalous File / Masqueraded File Transfer (x37)
- Compromise / Large DNS Volume for Suspicious Domain
- Compromise / Fast Beaconing to DGA
- Device / Large Number of Model Breaches
- Anomalous File / Multiple EXE from Rare External Locations (x30)
- Compromise / Beacon for 4 Days (x2)
- Anomalous Server Activity / New User Agent from Internet Facing System
- Anomalous Connection / New User Agent to IP Without Hostname
- Anomalous Server Activity / New Internet Facing System
- Anomalous File / EXE from Rare External Location (x37)
- Device / Large Number of Connections to New Endpoints
- Anomalous Server Activity / Server Activity on New Non-Standard Port (x3)
- Device / Threat Indicator (x3)
- Unusual Activity / Unusual External Activity
- Compromise / Crypto Currency Mining Activity (x37)
- Compliance / Internet Facing SQL Server
- Device / Anomalous Scripts Download Followed By Additional Packages
- Device / New User Agent
MITRE ATT&CK Mapping
ATT&CK Tactic – Technique ID and Name
Reconnaissance – T1595.002 Vulnerability Scanning
Resource Development – T1608 Stage Capabilities
Resource Development – T1588.001 Malware
Initial Access – T1190 Exploit Public-Facing Application
Command and Control – T1568.002 Domain Generation Algorithms
Command and Control – T1571 Non-Standard Port
Execution – T1047 Windows Management Instrumentation
Execution – T1059.001 Command and Scripting Interpreter
Persistence – T1542.003 Pre-OS Boot
Impact – T1496 Resource Hijacking
References
[1] https://www.binarydefense.com/resources/threat-watch/mykings-botnet-is-growing-and-remains-under-the-radar/
[2] https://therecord.media/a-malware-botnet-has-made-more-than-24-7-million-since-2019
[3] https://www.darktrace.com/blog/outlaw-returns-uncovering-returning-features-and-new-tactics
[4] https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophoslabs-uncut-mykings-report.pdf
[5] https://www.antiy.com/response/20190822.html
[6] https://ethicaldebuggers.com/mykings-botnet/
[7] https://ethicaldebuggers.com/mykings-botnet/
The Implications of NIS2 on Cyber Security and AI



The NIS2 Directive requires member states to adopt laws that will improve the cyber resilience of organizations within the EU. It impacts organizations that are “operators of essential services”. Under NIS1, EU member states could choose what this meant. In an effort to ensure more consistent application, NIS2 has set out its own definition. It eliminates the distinction between operators of essential services and digital service providers from NIS1, instead defining a new list of sectors:
- Energy (electricity, district heating and cooling, gas, oil, hydrogen)
- Transport (air, rail, water, road)
- Banking (credit institutions)
- Financial market infrastructures
- Health (healthcare providers and pharma companies)
- Drinking water (suppliers and distributors)
- Digital infrastructure (DNS, TLD registries, telcos, data center providers, etc.)
- ICT service providers (B2B): MSSPs and managed service providers
- Public administration (central and regional government institutions, as defined per member state)
- Space
- Postal and courier services
- Waste management
- Chemicals
- Food
- Manufacturing of medical devices
- Computers and electronics
- Machinery and equipment
- Motor vehicles, trailers and semi-trailers and other transport equipment
- Digital providers (online market places, online search engines, and social networking service platforms) and research organizations.
With these updates, it becomes harder to find industry segments not included within the scope. NIS2 represents legally binding cyber security requirements for a significant region and economy. Standout features that have garnered the most attention include the tight timelines associated with notification requirements. Under NIS2, in-scope entities must submit an initial report or “early warning” to the competent national authority or computer security incident response team (CSIRT) within 24 hours from when the entity became aware of a significant incident. This is a new development from the first iteration of the Directive, which used the vaguer language of a need to notify authorities “without undue delay”.
Another aspect gaining attention is oversight and regulation – regulators are going to be empowered with significant investigation and supervision powers including on-site inspections.
The stakes are now higher, with the prospect of fines that are capped at €10 million or 2% of an offending organization’s annual worldwide turnover – whichever is greater. Added to that, the NIS2 Directive includes an explicit obligation to hold members of management bodies personally responsible for breaches of their duties to ensure compliance with NIS2 obligations – and members can be held personally liable.
The risk management measures introduced in the Directive are not altogether surprising – they reflect common best practices. Many organizations (especially those that are newly in scope for NIS2) may have to expand their cyber security capabilities, but there’s nothing controversial or alarming in the required measures. For organizations in this situation, there are various tools, best practices, and frameworks they can leverage. Darktrace in particular provides capabilities in the areas of visibility, incident handling, and reporting that can help.
NIS2 and Cyber AI
The use of AI is not an outright requirement within NIS2 – which may be down to lack of knowledge and expertise in the area, and/or the immaturity of the sector. The clue to this might be in the timing: the provisional agreement on the NIS2 text was reached in May 2022 – six months before ChatGPT and other open-source Generative AI tools propelled broader AI technology into the forefront of public consciousness. If the language were drafted today, it's not far-fetched to imagine AI being mentioned much more prominently and perhaps even becoming a requirement.
NIS2 does, however, very clearly recommend that “member states should encourage the use of any innovative technology, including artificial intelligence”[1]. Another section speaks directly to essential and important entities, saying that they should “evaluate their own cyber security capabilities, and where appropriate, pursue the integration of cyber security enhancing technologies, such as artificial intelligence or machine learning systems…”[2]
One of the recitals states that “member states should adopt policies on the promotion of active cyber protection”, where active cyber protection is defined as “the prevention, detection, monitoring, analysis and mitigation of network security breaches in an active manner.”[3]
From a Darktrace perspective, our self-learning Cyber AI technology is precisely what enables our technology to deliver active cyber protection – protecting organizations and uplifting security teams at every stage of an incident lifecycle – from proactively hardening defenses before an attack is launched, to real-time threat detection and response, through to recovering quickly back to a state of good health.
The visibility provided by Darktrace is vital to understanding the effectiveness of policies and ensuring policy compliance. NIS2 also covers incident handling and business continuity, which Darktrace HEAL addresses through AI-enabled incident response, readiness reports, simulations, and secure collaborations.
Reporting is integral to NIS2 and organizations can leverage Darktrace’s incident reporting features to present the necessary technical details of an incident and provide a jump start to compiling a full report with business context and impact.
What’s Next for NIS2
We don’t yet know the details for how EU member states will transpose NIS2 into national law – they have until 17th October 2024 to work this out. The Commission also commits to reviewing the functioning of the Directive every three years. Given how much our overall understanding and appreciation for not only the dangers of AI but also its power (perhaps even necessity in the realm of cyber security) is changing, we may see many member states leverage the recitals’ references to AI in order to make a strong push, if not a requirement, that essential and important organizations within their jurisdiction leverage AI.
Organizations are starting to prepare now to meet the forthcoming legislation related to NIS2. To see how Darktrace can help, talk to your representative or contact us.
[1] (51) on page 11
[2] (89) on page 17
[3] (57) on page 12
