Sandfly Hunter is a way to quickly search for common pieces of threat data that may be present on your hosts. This is a powerful feature of Sandfly which can help find and see threats against your systems quickly.
Sandfly Hunter allows you to click on critical forensic attributes in an event and see what other systems have the same attribute present. Sandfly is able to search for a variety of attributes in Hunter mode such as:
- Process attributes such as names, paths, cryptographic hashes and owners.
- File attributes such as names, paths, cryptographic hashes and owners.
- Directory attributes such as names, paths and owners.
- Username attributes such as home directories, group memberships and UIDs.
- User password attributes such as password type and search hashes (a hash of the password hash that allows you to search across hosts without exposing the hashed password to operators).
- SSH keys such as key types, key data and key hashes which can be used to search across hosts for identical SSH authorized_keys entries for identical keys in use elsewhere.
Enable Recon Sandflies
To get the maximum benefit from the Hunter Mode, we recommend you enable several recon sandflies which are disabled by default. Enabling recon sandfly modules will collect process, user and other data and save it in the database each time a host is checked. This data will be available to future searches if needed and builds a timeline of events if a host is compromised so you can see what and when a problem happened.
For instance, if you enable the recon_process_list_all module Sandfly will collect all running processes every time the host is checked. This data will be stored and you will have a running record of all processes we saw at the time. Later if you run into a suspicious process, the Sandfly Hunter data will pull up these historical records to show you where else we saw these processes.
To enable these sandfly checks, please go to the Sandfly section of the UI. We recommend these recon modules be enabled by default:
- recon_process_list_all - Lists all running processes.
- recon_user_list_all - Lists all users and SSH key data.
- recon_log_list_lastlog - Shows all users present in the system lastlog.
- recon_log_list_logins_failed - List of failed logins over last 4 hours.
- recon_log_list_logged_in_users - Shows all users currently logged into a system.
- recon_log_list_logins_valid - Shows all users that successfully logged into a host.
There are other modules that pull file attributes from system /bin and other directories. You can enable these at your discretion, but keep in mind that they may generate a lot of data that your database will need to be scaled to store.
After you enable these recon modules the data will be stored as passed events in the database. When Sandfly Hunter does a search this data will be used as well to form a more complete picture of what may be going on.
Hunter Timeline for a Suspicious SSH Key
With each attribute you select, you will be taken to a screen that shows all systems where that attribute has been seen and what time it was first spotted.
For instance, the image below is the result of a search were we found a suspicious user on a system that generated an alert. The user had a SSH key pulled into the forensic data. When we clicked on their SSH key we immediately see a list of hosts that also show that key is present.
SSH Key Hunting
In the above we see all hosts that have this key present. The user alert shows up as red marks on the timeline. The first red line is the time when Sandfly first alerted on this user. The green bars indicate no alert for that user key was seen on these other hosts, but that the key does in fact exist on those hosts even though no alert is currently active.
From a threat hunting point of view you now have the suspicious user, but also can see immediately what hosts that SSH key for that user is in use. This can help you to quickly find hosts that need to be investigated in case an attacker is using the SSH key to move laterally but has not activated any alerts yet.
Hunter Timeline for a Suspicious Process
Next we find a host with an alert for a suspicious network process running the SCTP protocol. This is extremely dangerous and a look at the forensic data shows a command line that is very odd.
Sandfly finds a SCTP backdoor process
We quickly click on the process.hash.sha1 field and jump to Sandfly Hunter mode. Here we see that same process hash is running on two hosts and each host has identical alerts. The malicious process is contained to these two hosts and we can begin isolation and incident response procedures.
Sandfly Hunter SCTP backdoor found on two hosts
Recon Sandflies Collect Supporting Data
You will notice that some of the alerts are green. This is normal because they are attributes found during the recon_process_list_all checks Sandfly performs. These are reconnaissance checks where Sandfly pulls all system process data and simply saves the results. Although not a security check, the resulting forensic data is now available for searching if needed.
Recon and Alert Sandflies Build Timeline View
The recon checks show that similar process hashes were running on the hosts without alerts likely because they were legitimate. But suddenly the process was seen doing something suspicious and this generated the alert only recently.
In fact, in the timeline view we see above the red alerts happened just 8 minutes prior where the full 72 hour window showed nothing unusual. This indicates the host was recently compromised with the suspicious use of this process only showing up now.
Under the Sandfly Hunter you can click on each row and see the individual alert details just as you can in normal results view.