My First Real-World Threat Hunting Experience (Personal Home Network)

By on

 

Summary
On March 19, 2025, I decided to analyze my PC for unusual or malicious traffic and applications as a way to practice my Incident Response and Threat Hunting skills. After getting hooked on SOC analyst work, I saw this as my first real-world IR and Threat Hunting experience—not tied to an exam or CTF.

Even though this was within my personal network, the concepts remained the same: a real environment, real malware, and real-world analysis and as you can see the application was already on my device since May 11, 2022. During my investigation, I discovered a malicious application and decided to document my findings for future reference. This initiative also allowed me to develop my own Threat Hunting methodology.




Investigation Summary
I started my investigation by examining network connectivity using netstat -anob in the command prompt. Upon reviewing the output, I noticed an unusual port—8080—standing out.

Content that showing all of the ESTABLISHED connection using port 8080


I then began investigating the destination IP addresses associated with port 8080. Upon checking them against VirusTotal, MXToolbox, and AbuseIPDB, I discovered that some had alerts or records indicating potential threats such as Remote Access Trojans (RATs) and botnets. This raised suspicion, prompting me to focus on these IP addresses and dig deeper for more information.

Since I had identified the application linked to the malicious IP addresses, I proceeded to check the associated process IDs using the tasklist command.

tasklist output

tasklist /FI “IMAGENAME eq AdvanceWindowsManager.exe” /M

I also ran WMIC to retrieve process and application information. Please don’t be confused by the different PIDs shown—it's the same application, as multiple instances of AdvancedWindowsManager.exe are currently running on my system.

wmic output

Since we already got the parent process ID we can use it to further check to identify how the process started and detect potential anomalies.

wmic using the Parent PID

To further investigate each instance of AdvancedWindowsManager.exe, I ran WMIC again, this time adding the get CommandLine parameter. This allowed me to determine how each instance of the application was executed.

How the AdvancedWindowsManager.exe executed

Now that I have identified the application's location, I decided to generate its hash and check for any records or malicious indicators on VirusTotal. I was able to confirm that this application is indeed malicious.

Hash Value and Virustotal output


My next step is to identify the persistence mechanism, as the application runs every time I start my system. This will allow me to stop the process and remove it completely. And I was able to find that under Task Scheduler.




Key Findings

     An ESTABLISHED connection to a public IP Addresses using port 8080 which is unusual for  secure protocols or legitimate traffic.

     This application was installed since year 2022 and confirmed that there is a record and tag as malicious application from Virustotal.

Indicators of Compromise (IOCs)

     IP Address: 212[.]83[.]158[.]215, 62[.]210[.]9[.]152, 195[.]154[.]62[.]146

 

     File Hash (SHA-256): dd226aa0ee4d6a3439bf2cf3e9ecd2c22ad59451c8ce902258b1d34fd28ff922


Recommendations

     After proper documentation of the incident Eradicate the AdvancedWindowsManager.exe

     Block any inbound or outbound traffic to the IP addresses 212[.]83[.]158[.]215, 62[.]210[.]9[.]152, 195[.]154[.]62[.]146 at the firewall and/or web-proxy level.

  Create an alert using the hash value.



"Blending years of Network Engineering with a passion for Cybersecurity."

Comments

Post a Comment

Popular posts from this blog

Deploying Sysmon on Windows and Integrating with Elasticsearch SIEM

By on
Image
  First, let's install Sysmon on our Windows host by opening this link in a browser and downloading it: Sysmon - Sysinternals | Microsoft Learn . As of this writing, the latest version of Sysmon is 15.5 Once the download is complete, go ahead and unzip the file. Sysmon configurations or rules are available on GitHub, with a well-known repository being SwiftOnSecurity's Sysmon config: 🔗 https://github.com/SwiftOnSecurity/sysmon-config We will download this configuration for our setup. We can place the downloaded configuration file in the same directory as Sysmon, then open PowerShell and follow the steps below. We can use net start to start Sysmon64, and it will list all services that start afterward. To further verify, go to Event Viewer > Applications and Services Logs > Microsoft > Windows > Sysmon > Operational , where you should see the corresponding event IDs. And now let's ingest Sysmon and Windows Defender logs into elasticsearch. Click the Add integ...
Read more

Installing Suricata IDS/IPS and Triggering Rules with an Nmap Stealth Scan and XSS Attack on bWAPP Using Burp Suite

By on
Image
  We are enabling the IDS/IPS functionality on our OPNsense firewall to detect and alert on potential threats by analyzing incoming traffic against predefined rules. These rules act as "fingerprints" to identify known attacks and suspicious behaviors across the network. In this Lab, i will be using Suricata, a free and open-source cybersecurity tool that functions as both an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS). Widely adopted by organizations worldwide, Suricata monitors networks for suspicious activity and detects cyber threats. Suricata's rules analyze network packets for specific characteristics, such as source and destination IP addresses, ports, protocol types, and even packet content, to identify potential threats. When traffic matches a rule, Suricata generates an alert, notifying administrators of potential security incidents. Based on my research, it is essential to disable offloading features before enabling the IDS/IPS capa...
Read more

Boss of the SOC v1 (2015) Website Defacement

By on
Image
  Question #1 Based on the first question, the task is to identify the IP address of an individual conducting  reconnaissance using a scanning technique. I began my investigation with the search parameter  index=botv1, as provided in the instructions, and incorporated imreallynotbatman.com as  specified in question number 1. After running the search parameters, I identified the dest_header field in the left-side panel.  Upon expanding it, I analyzed the details within and discovered references to the Acunetix  Web Vulnerability Scanner, indicating its use in the reconnaissance activity. To enhance visibility and identify the IP address scanning the web server, I created a table that  included the fields src_ip, dest_ip, and dest_header. I then filtered the results by searching  for the keyword 'scan' within the dest_header field and applied a dedup command to the src_ip  field to remove duplicate entries, effectively narrowing down the source...
Read more