Part 1: Intro to Threat Hunting – Setting up the environment

This blog post series is a culmination of my learning experience in becoming a threat hunter. Over time this learning experience helped me develop a teaching philosophy to help novices go from zero to hero threat hunter, which is what I will be using to teach the threat hunting fundamentals. This series will have a strong focus on understanding the attacker mindset, how to interpret actions performed by an adversary from a defender's perspective, and how to transition findings from your hunts into future detections or environmental improvements. The content used here is a written adaptation of my DefCon 2020 Blue Team village workshop. It will utilize the same ideas and techniques used for that workshop, reiterating specifics and points for the greater InfoSec community to use.

First, we will start by understanding the attacker mindset with the Mandiant Attack Lifecycle. To reinforce this methodology there is a red team exercise utilizing Powershell Empire to perform an APT style attack. The outcome of this red team exercise is the creation of a story or, in this case, the creation of a fictitious advanced persistent threat (APT) known as Goofball. Second, we will utilize the actions performed by Goofball to perform an informal threat hunting exercise that will hunt the artifacts generated by our fictitious adversary using Sysmon and the Elastic stack.

Thirdly, we will use our informal threat hunting exercise as a foundational jumping off point to formally hunt our fictitious adversary using the Endgame threat hunting process. In addition to the Endgame threat hunting process, we will learn how to use the MITRE ATT&CK matrix to generate threat hunting hypotheses and use FleetDM + Osquery to confirm/deny our hypothesis. Lastly, we will end this blog post series with a retrospective and how to convert threat hunting findings into detections or environmental improvements.

Before we jump into these topics, we need an environment to perform our red team exercise and to collect logs from for our threat hunting exercises. This blog post contains Ansible playbooks and manual instructions to set up the Windows environment used for this series. Additionally, there is a “quick setup” to stand up an Elastic stack and import pre-collected logs from the red team exercise. This quick setup is for individuals who don’t have the hardware resources to spin up an entire network or would prefer to just utilize the logs. The takeaway from this blog post series should be an understanding of the attacker mindset, how to use the knowledge of attacker techniques and procedures to hunt for them, and finally how to transition successful hunts to detections.

DISCLAIMERS

The information contained in this blog post is for educational purposes ONLY! HoldMyBeerSecurity.com/HoldMyBeer.xyz and its authors DO NOT hold any responsibility for any misuse or damage of the information provided in blog posts, discussions, activities, or exercises.

The red team exercise performed in this blog post occurred in a home lab network. Therefore, the malicious activity performed was on machines that I own and have permission to perform these actions.

To prevent the weaponization of the content within this blog post there will be missing commands/instructions. The red team exercise is meant to simulate what an attacker may do on a network, NOT a step-by-step.

DISCLAIMERS

Goals

  • Create a Windows environment for a red team exercise
    • Intentionally make the environment vulnerable
  • Choose your own SIEM adventure
  • Setup Osquery + FleetDM to run ad-hoc queries on Windows environment
  • Setup Sysmon + Winlogbeat + Elastic stack to perform real-time monitoring of Windows environment

Blog post series

My threat hunting teaching philosophy

This entire blog post series is how I learned threat hunting which turned into how I teach threat hunting. Back in college, I was interested in threat hunting and my professor did a post on his LinkedIn asking if people would like to mentor me. Thankfully the community came through and I started talking to a collection of threat hunters in the industry. Every one of them told me to understand the Mandiant Attack Lifecycle and the MITRE ATT&CK matrix.

Understanding the Mandiant Attack Lifecycle is really important because you need a good understanding of how the attacks are performed. The MITRE ATT&CK matrix can be used as a guide for threat hunters to create well scoped hypotheses for hunting. While all this is good, it didn’t quite give me that light bulb moment. During my college career, I heard about Mimikatz, malicious documents, and privilege escalation. What I had at the time was an independent concept of each of these things but not a concept of how all these things come together to perform an attack. Fast forward, I talked to @Devon who recommended that I perform a simulated attack with Powershell Empire and to hunt for it.

First, I set up a small Windows domain which is the network used in this post. Next, I performed an APT style attack following the phases of the attack lifecycle with Powershell Empire on the network. For the first time in my life, the words Mimikatz and privilege escalation were not just buzzwords. I came to an understanding of how an attacker uses these tools + techniques to accomplish their mission. Before I started this blog post series I had been helping the same professor do a re-design of the Windows DFIR class and I was reading the Incident Response & Computer Forensics book. This book is a GOLD MINE of DFIR knowledge for Windows. When I combined my DFIR knowledge with the understanding of how attacks are conducted, a HUGE light bulb went on for me on how to hunt. I knew how to apply my knowledge of how attackers operate and my DFIR knowledge to hunt for that activity.

Now, when I teach threat hunting, I always start with doing a 40 minute interactive session on the attack lifecycle. Basically, I write the attack lifecycle on a whiteboard and I take 10 mins to explain all the phases. Next, I turn to my peers and say: “y’all have been hypothetically hired to steal credit cards from XYZ“. Next, I walk them through the attack lifecycle having THEM build a hypothetical attack on the whiteboard. For example, I say: “Okay, if you want to do an initial recon on fake company XYZ what would you do?” They would typically say LinkedIn, Facebook, Github, NMAP scans, and etc. I do this because most of the time novices to threat hunting and infosec have never seen an attack from start to finish. Again, we discuss things like Mimikatz but not just from a functionality standpoint but how it “fits” into an attack. Next, I flip the script on them and say: “How would y’all detect your hypothetical attack?“. Unfortunately, most students had been taught to detect bad things but not how to stop and interpret what they found.

For example, typically (but not in all cases), if a defender detects an attacker using Mimikatz it usually indicates these three things: One, the attacker has gained a foothold within the network. Two, the attacker was able to escalate privileges to run Mimikatz (which means they have reached the privilege escalation phase of the attack lifecycle). Three, most likely they are using Mimikatz to obtain credentials in an attempt to move laterally in the environment. At this point the detection of Mimikatz can give you an idea of where the attacker is in the lifecycle and what they might do next. Again, this isn’t always true but I am trying to paint a picture.

Once students have a general concept of the attack lifecycle and what an attack looks like, we perform the simulated attack (linked above). The purpose of this is to allow students to experience an attack from the attacker’s perspective. Again, I do this because most students have never performed any red teaming from start to finish. But also for them to grasp an understanding of the capabilities and limitations of being an attacker. Giving a bit more background, I learned real quick that trying to teach other college students about defense isn’t sexy. I personally LOVE LOGGING and I would happily listen to a talk on logging for an hour but 99% of people would not. I found that teaching from the red team perspective first is more attention grabbing. Once I have performed all the red team stuff discussed above, I started talking about DFIR concepts.

Again, in my experience, most students didn’t want to learn Windows DFIR concepts/skills which are essential to hunting. I agree with students that reading about the AmCache is boring by itself but when you can apply that knowledge to a simulated attack it makes ALL the difference. So next I would say: “Now we will hunt our own simulated attack using Windows DFIR artifacts” and people are exponentially more interested. I would subtly teach them Windows forensics, something that is crucial to understand to perform hunting, but boring to learn. The hard part with threat hunting is you have to walk before you can run. Most people don’t want to walk because that is the boring content. But I promise you once you understand the basics really, really, really, really well, then you can run and you can run far. I hope this blog helps.

Choose your own SIEM adventure

This blog post will provide instructions on how to set up the Elastic stack as the SIEM of choice. However, this blog post series and the data generated from the red team exercise are compatible with the Elastic stack, Graylog, or Splunk. If you would like to use a different SIEM, you are encouraged to do so. The instructions to set up these SIEMs using Docker, Ansible, or a manual installation can be found here:

Network diagram

If you are not interested in setting up a Windows domain, deploying Osquery + FleetDM, and a SIEM of your choice, then continue reading. If you would like to set up the network in the diagram above, please skip ahead to the following sections: “Install/Setup threat hunting environment with Ansible” or “Manual install/setup of threat hunting environment”. The instructions in this section set up the Elastic stack version 7.10 using Docker and import the logs from the red team exercise.

Spin up Elastic stack with Docker

  1. git clone https://github.com/CptOfEvilMinions/ChooseYourSIEMAdventure
  2. cd ChooseYourSIEMAdventure
    1. IR Tales: The Quest for the Holy SIEM: Elastic stack + Sysmon + Osquery – See this blog post for more information on how to modify setting up the Elastic stack such as setting up a different password. For this blog post we are going to accept the default username of elastic and password of Changeme123!.
  3. openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout conf/tls/docker.key -out conf/tls/docker.crt
    1. Generate TLS public certificate and private key
  4. docker-compose -f docker-compose-elastic.yml build
    1. Build Docker containers
  5. docker-compose -f docker-compose-elastic.yml up -d
    1. Spin up the Elastic stack

Import logs from red team exercise

  1. git clone https://github.com/CptOfEvilMinions/ThreatWaffle
  2. cd ThreatWaffle/json_logs
  3. unzip bg-logs.zip
    1. Unzip logs
  4. cd ../../ChooseYourSIEMAdventure/siem_log_importer
  5. virtualenv -p python3 venv
    1. Create Python virtual environment
  6. source venv/bin/activate
    1. Activate the Python virtual environment
  7. pip3 install -r requirements.txt
    1. Install the required dependencies
  8. python3 log_ingestor.py --platform=elasticsearch --server_host=<Elastic stack server IP addr> --server_port=<Elasticsearch port - default 9200> --index bg-sysmon --siem_username=elastic --siem_password=Changeme123! --log_file ../../ThreatWaffle/json_logs/bg-sysmon.json
    1. Import Sysmon logs into Elastic
  9. python3 log_ingestor.py --platform=elasticsearch --server_host=10.150.100.210 --server_port=9200 --index bg-sysmon --siem_username=elastic --siem_password=Changeme123! --log_file ../../ThreatWaffle/json_logs/bg-sysmon.json
    1. Import Windows Event Logs into Elastic
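The import steps above rely on the repo's log_ingestor.py. As an added example (not the ChooseYourSIEMAdventure script itself), the block below shows what such an importer has to do: read the export as a JSON array or newline-delimited JSON, build Elasticsearch `_bulk` request bodies in batches, and count per-document failures from the bulk response. The Sysmon-shaped sample events, the `bulk_import` parameters and the assumption that Elasticsearch accepts HTTP basic auth at `<server_url>/_bulk` are all assumptions, not taken from the page.

```python
"""Bulk-import exported JSON event logs into an Elasticsearch index.

Added example; it is not the ChooseYourSIEMAdventure log_ingestor.py script.
Assumptions (not from the page): the export is a JSON array of event objects
or newline-delimited JSON; Elasticsearch answers at <server_url>/_bulk with
HTTP basic auth. Sample events below are constructed, not real Sysmon output.
"""
import base64
import json
import ssl
import urllib.request
from typing import Iterable, Iterator, List

# Constructed sample events in a Sysmon-like shape (not from the bg-sysmon export).
SAMPLE_EVENTS = [
    {"event_id": 1, "computer_name": "saturn",
     "event_data": {"Image": "C:\\Windows\\System32\\cmd.exe", "User": "HACKINGLAB\\bgates"}},
    {"event_id": 3, "computer_name": "jupiter",
     "event_data": {"DestinationPort": "443", "DestinationIp": "192.0.2.10"}},
]
SAMPLE_NDJSON = json.dumps(SAMPLE_EVENTS[0]) + "\n\n" + json.dumps(SAMPLE_EVENTS[1]) + "\n"
SAMPLE_ARRAY = json.dumps(SAMPLE_EVENTS)


def iter_events(text: str) -> Iterator[dict]:
    """Yield one event dict per record from JSON-array or NDJSON text.

    Blank lines are skipped; a malformed NDJSON line raises ValueError with its
    line number so a bad export fails loudly instead of silently dropping events.
    """
    stripped = text.lstrip()
    if stripped.startswith("["):
        yield from json.loads(stripped)
        return
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: malformed JSON ({exc.msg})") from None


def build_bulk_body(events: Iterable[dict], index: str) -> str:
    """Build the _bulk request body: an action line, then the document, per event.

    The _bulk API requires each action/document pair on its own lines and a
    trailing newline, or Elasticsearch rejects the whole request.
    """
    lines: List[str] = []
    for event in events:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(event, separators=(",", ":")))
    return "\n".join(lines) + "\n" if lines else ""


def batches(events: Iterable[dict], size: int) -> Iterator[List[dict]]:
    """Group events into lists of at most `size` so no single POST grows unbounded."""
    batch: List[dict] = []
    for event in events:
        batch.append(event)
        if len(batch) == size:
            yield batch
            batch = []
    if batch:
        yield batch


def bulk_import(server_url: str, index: str, username: str, password: str,
                text: str, batch_size: int = 500, verify_tls: bool = True) -> dict:
    """POST the events to Elasticsearch in batches; return indexed/failed counts.

    verify_tls=False is only for a lab stack using the self-signed certificate
    generated during setup; leave it True anywhere else.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    ctx = None
    if server_url.startswith("https://") and not verify_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    counts = {"indexed": 0, "failed": 0}
    for batch in batches(iter_events(text), batch_size):
        req = urllib.request.Request(
            f"{server_url.rstrip('/')}/_bulk",
            data=build_bulk_body(batch, index).encode(),
            method="POST",
            headers={"Content-Type": "application/x-ndjson",
                     "Authorization": f"Basic {token}"},
        )
        with urllib.request.urlopen(req, context=ctx) as resp:
            result = json.load(resp)
        # Per-item status tells which documents were rejected (e.g. mapping conflicts).
        for item in result.get("items", []):
            status = item.get("index", {}).get("status", 500)
            counts["indexed" if status < 300 else "failed"] += 1
    return counts


if __name__ == "__main__":
    # Mirrors the log_ingestor.py step above; edit the placeholder values first.
    with open("../../ThreatWaffle/json_logs/bg-sysmon.json", encoding="utf-8") as fh:
        print(bulk_import("http://<Elastic stack server IP addr>:9200", "bg-sysmon",
                          "elastic", "Changeme123!", fh.read()))
```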

Install/Setup threat hunting environment with Ansible

Step 0: Install Ansible on macOS

  1. pip3 install pywinrm
  2. pip3 install ansible

Step 1: Create VMs

Based on the table provided (screenshot below), create VMs using the following operating systems and versions listed. The Windows 10 VMs HAVE TO BE version 1511 because some of the red team techniques require an older version that is vulnerable. The following sections will provide instructions to set up each of these VMs with Ansible or with manual instructions.

Requirements

Step 2: Install/Setup Elastic stack v7.10 on Ubuntu 20.04

The instructions to run this Ansible playbook are copied from this blog post: IR TALES: THE QUEST FOR THE HOLY SIEM: ELASTIC STACK + SYSMON + OSQUERY

Setup playbook

  1. git clone https://github.com/CptOfEvilMinions/ChooseYourSIEMAdventure
  2. cd ChooseYourSIEMAdventure
  3. openssl req -x509 -new -nodes -keyout conf/tls/tls.key -out conf/tls/tls.crt
    1. Generate TLS public certificate and private key
  4. vim hosts.ini and add IP address of Elastic server under [elastic]
  5. vim group_vars/all.yml and set:
    1. base_domain – Set the domain where the server resides
    2. timezone – OPTIONAL – The default timezone is UTC+0
    3. siem_username – Ignore this setting
    4. siem_password – Ignore this setting
  6. vim group_vars/elastic.yml and set:
    1. hostname – Set the desired hostname for the server
    2. elastic_repo_version – Change the repo version to install the Elastic stack – best to leave as default
    3. elastic_version – Set the version of the Elastic stack to install
    4. Save and exit

Run playbook

  1. ansible-playbook -i hosts.ini deploy_elastic.yml -u <username> -K
  2. Monitor the Ansible output to record the username and passwords generated
    1. A temporary file containing the credentials is stored at /tmp/elasticsearch-setup-passwords.txt , which will be deleted on reboot
  3. Skip ahead to “Setup Elastic via WebGUI” section to complete the setup

Step 3: Install/Setup FleetDM v3.9.0 on Ubuntu 20.04

The instructions to run this Ansible playbook are copied from this blog post: GETTING STARTED WITH FLEETDM V3.6.0

Setup playbook

  1. git clone https://github.com/CptOfEvilMinions/FleetDM-Automation
  2. cd FleetDM-Automation
  3. openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout conf/tls/fleet.key -out conf/tls/fleet.crt
    1. Generate TLS private key and public certificate
  4. vim hosts.ini and add IP address under [fleetdm]
  5. vim group_vars/all.yml and set:
    1. base_domain – The domain for your network and the base domain of the FQDN
    2. timezone – OPTIONAL – Change the default timezone of UTC +0
  6. openssl rand -base64 32
    1. Copy the output from the command
  7. vim group_vars/fleetdm.yml and set:
    1. fleetdm_jwt – Set this to the random string generated by the OpenSSL command
    2. mysql_root_password – Set the root password for MySQL
    3. mysql_fleetdm_password – Set the password for the FleetDM MySQL user

Run playbook

  1. ansible-playbook -i hosts.ini deploy_fleetdm.yml -u <user> -K
    1. Enter the password for the user
  2. Skip ahead to “Setup FleetDM via WebGUI” section to complete the setup

Step 4: Enable WinRM on Windows hosts

  1. On each Windows host, log in as Administrator
  2. Start Powershell as Administrator
  3. powershell -NoProfile -ExecutionPolicy Bypass -Command "iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1'))"
    1. Enable WinRM

Step 5: Deploy Windows Server 2016 domain controller

Setup Ansible playbook

  1. git clone https://github.com/CptOfEvilMinions/ThreatWaffle
  2. cd ThreatWaffle
  3. vim group_vars/all.yml and set:
    1. base_domain – Set to the domain for the environment
    2. timezone – Set the default timezone to use – default is UTC +0
  4. cp group_vars/windows.yml.example group_vars/windows.yml
  5. vim group_vars/windows.yml and set:
    1. ansible_user – Username to use to login into machines with WinRM
    2. ansible_password – Password to use to login into machines with WinRM
    3. win_dc_hostname – Set the hostname for the domain controller
    4. ad_safe_mode_password – Set AD safe mode password
    5. domain_users_password – Set domain administrator password
  6. vim hosts.ini and append IP address of Windows domain controller under [win_domain_controler]
    1. Append IP address of Elastic server under [elastic]
    2. Append IP address of FleetDM server under [fleetdm]

Run playbook

  1. ansible-playbook -i hosts.ini deploy_windows_domain_controler.yml

Step 6: Deploy Windows clients

Set hostnames

  1. Login into each Windows 10 client
  2. Set the hostname of one machine to saturn and the other to jupiter
  3. Reboot both machines

Get FleetDM API token

  1. export FLEETDM_TOKEN=$(curl -s -k -X POST https://fleetdm.hackinglab.beer/api/v1/kolide/login -d '{"Username": "<admin username>", "Password": "<password>"}' | jq -r '.token')
    1. Request an API token and save token to an environment variable

Setup playbook

  1. vim group_vars/windows.yml and set:
    1. ansible_user – Change this value if the username for the Windows 10 machines is different than for the server
    2. ansible_password – Change this value if the password for the Windows 10 machines is different than for the server
  2. vim group_vars/sec_tools.yml and set:
    1. osquery_version – Set the version of Osquery to install
    2. fleetdm_host – Set the FQDN of the FleetDM server – default fleetdm.<base_domain>
    3. fleetdm_port – Set the port the FleetDM + NGINX are listening on – default 443
    4. sysmon_version – Set the version of Sysmon to install
    5. winlogbeat_version – Set the version of Winlogbeat to install
    6. logstash_ip_addr – Set this to the FQDN or IP address of the Elastic stack server
    7. logstash_port – Set the port Logstash is ingesting logs – default 5044
  3. vim conf/win_clients/sysmon/sysmonconfig.xml and edit the Sysmon config to your liking
    1. The config in the repo was pulled from SwiftOnSecurity’s repo
  4. vim hosts.ini and add the IP addresses of the Windows 10 clients under [win_clients]

Run playbook

  1. ansible-playbook -i hosts.ini deploy_windows_clients.yml

Manual install/setup of threat hunting environment

Step 1: Create VMs

Based on the table provided (screenshot below) create VMs using the following operating systems and versions listed. The Windows 10 VMs HAVE TO BE version 1511 because some of the red team techniques require an older version that is vulnerable. The following sections will provide instructions to set up each of these VMs with Ansible or with manual instructions.

Requirements

Step 2: Enable WinRM on Windows hosts

  1. On each Windows host, log in as Administrator
  2. Start Powershell as Administrator
  3. powershell -NoProfile -ExecutionPolicy Bypass -Command "iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/ansible/ansible/devel/examples/scripts/ConfigureRemotingForAnsible.ps1'))"
    1. Enable WinRM

Step 3: Install/Setup Elastic stack on Ubuntu 20.04

In order to keep this blog post short, I will not be including the manual instructions to setup the Elastic stack. If you would like manual instructions please go to my blog post: IR TALES: THE QUEST FOR THE HOLY SIEM: ELASTIC STACK + SYSMON + OSQUERY

Step 4: Install/Setup Fleet v3.9.0 on Ubuntu 20.04

In order to keep this blog post short, I will not be including the manual instructions to setup FleetDM. If you would like manual instructions please go to my blog post: GETTING STARTED WITH FLEETDM V3.6.0

Step 5: Install/Setup Windows Server 2016 domain controller

Install/setup Active Directory

  1. Open Powershell as Administrator
  2. Rename-Computer -NewName "windc"
    1. Set hostname of the domain controller
  3. Restart-Computer
  4. Open Server Manager
  5. Select Manage > Add roles and features
  6. Installation type
    1. Select “Role-based or feature-based installation”
  7. Server selection
    1. Ensure the “windc” server is selected
  8. Server Roles
    1. Check “Active Directory Domain Services”
    2. Check “DNS Server”
  9. Leave the rest of the menus as default and select “Install”
  10. Exit the installation menu
  11. In the Server Manager window select the flag icon with a yellow caution sign
  12. Select “Promote this server to a domain controller”
  13. Deployment configuration
    1. Select “Add a new forest” for deployment operation
    2. Enter “<domain>” into root domain name
      1. I am going to use the following domain: hackinglab.beer
  14. Domain controller options
    1. Leave all settings as default
    2. Enter a password for DSRM
  15. For Additional options, Paths, Review options, Prereq checks
    1. Leave settings as default
    2. Select “Install”

Setup DNS server

  1. Log in to the domain controller
  2. Open Powershell as Administrator
  3. Set-DnsClientServerAddress -InterfaceAlias * -ServerAddresses 127.0.0.1
    1. Set the default DNS server to itself

Create a DNS reverse zone

  1. Open Server Manager
  2. Select “Tools” then “DNS”
  3. Expand WinDC > Reverse Lookup Zone
  4. Right-Click “Reverse Lookup Zone” and select “New zone”
    1. Select “Primary zone” for the type of zone
    2. Select “To all DNS servers running on domain controllers in domain” for data replication
    3. Select “IPv4 reverse lookup zone” for the type of reverse zone
    4. Enter “<Local network ID>” for the Network ID in reverse
    5. Select “Allow only secure dynamic updates” for dynamic updates
    6. Select “Finish”

Add DNS A records

  1. Expand WinDC > Forward Lookup Zone > hackinglab.beer
  2. Select “Action” then “New Host(A)”
    1. Enter elastic for Name
    2. Enter <IP addr of Elastic stack server> for IP address
    3. Check “Create associated pointer (PTR) record”, if UNchecked
    4. Select “Add host”
  3. Repeat for “fleetdm”

Configure Group Policy

Enable RDP through the firewall

  1. Select “Tools” then “Group policy manager”
  2. Expand Group policy manager > Forest: hackinglab.beer > Domains > hackinglab.beer
  3. Right-click “Default Domain Policy”
  4. Expand Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile
    1. Enable “Allow inbound Remote Desktop exceptions” and enter * for IP addresses

Enable SMB access for PSexec via firewall

  1. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security LDAP
  2. Right-click “Inbound Rules” and select “New Rule”
    1. Rule type
      1. Select “Predefined” for type
      2. Select “File and Printer sharing”
    2. Predefined rules
      1. Accept defaults
    3. Action
      1. Select “Allow the connection”

Enable Powershell script block logging

  1. Expand Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell
    1. Enable “Turn on PowerShell Script Block Logging”

Enable Process creation logging

  1. Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking
    1. Enable for successful “Audit Process Creation”

Create domain users (non-admin)

  1. Open server manager
  2. Select “Tools” then “Active Directory Users and Computers”
  3. Expand hackinglab.beer > Users
  4. Select “Users” on the left
  5. Select “Action” then “New User”
    1. User info
      1. Enter Bob for First name
      2. Enter Gates for the Last Name
      3. Enter Bgates for logon
    2. Password
      1. Enter a password for the user
      2. Uncheck “User must change password at next logon”
  6. Repeat this process for Sheldon Jobs with the username of “sjobs”

Step 6: Install/Setup Windows 10 clients

Initial setup

  1. Install trial of Office 365 – This is required for the red team exercise

Join Windows clients to the domain

  1. Open Powershell as Administrator
  2. Get the IP address of the Windows domain controller
  3. Set-DnsClientServerAddress -InterfaceAlias * -ServerAddresses <Windows domain controller IP address>
  4. Add-Computer -DomainName <domain> -Credential AD\Administrator -Restart -Force
    1. Enter password for domain admin

Install/Setup Osquery v4.8.0

  1. Open Powershell as Administrator
  2. cd $ENV:TEMP
    1. Change to the user’s temp directory
  3. Invoke-WebRequest -Uri https://pkg.osquery.io/windows/osquery-4.8.0.msi -OutFile osquery-4.8.0.msi -MaximumRedirection 3
    1. Download Osquery
  4. Start-Process $ENV:TEMP\osquery-4.8.0.msi -ArgumentList '/quiet' -Wait
    1. Install Osquery
  5. Open a web browser and login into FleetDM
  6. Click “Add new host” in the top right
    1. Copy the enroll secret
  7. Set-Content -Path 'C:\Program Files\osquery\osquery.key' -Value '<Osquery enroll key>'
    1. Write Osquery key to a file
  8. Invoke-WebRequest -Uri https://raw.githubusercontent.com/CptOfEvilMinions/ThreatWaffle/main/conf/win_clients/osquery/osquery.flags -OutFile 'C:\Program Files\osquery\osquery.flags'
    1. Download Osquery.flags config
  9. (Get-Content -Path 'C:\Program Files\osquery\osquery.flags' -Raw) -replace "{{ fleetdm_host }}","<FleetDM FQDN or IP addr>" | Set-Content -Path 'C:\Program Files\osquery\osquery.flags'
  10. (Get-Content -Path 'C:\Program Files\osquery\osquery.flags' -Raw) -replace "{{ fleetdm_port }}","<FleetDM port - default 443>" | Set-Content -Path 'C:\Program Files\osquery\osquery.flags'
    1. Set FleetDM address and port
  11. Restart-Service osqueryd

Install/Setup Sysmon v.13.10

  1. Open Powershell as Administrator
  2. cd $ENV:TMP
  3. $ProgressPreference = 'SilentlyContinue'
    1. Disable download status bar
  4. Invoke-WebRequest -Uri https://download.sysinternals.com/files/Sysmon.zip -OutFile Sysmon.zip
    1. Download Sysmon
  5. Expand-Archive .\Sysmon.zip -DestinationPath .
    1. Unzip Sysmon
  6. Invoke-WebRequest -Uri https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml -OutFile sysmonconfig.xml
    1. Download Sysmon config
  7. .\Sysmon.exe -accepteula -i .\sysmonconfig.xml
    1. Install Sysmon driver and load Sysmon config

Install/Setup Winlogbeat

  1. cd $ENV:TEMP
  2. Invoke-WebRequest -Uri https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-7.10.0-windows-x86_64.zip -OutFile winlogbeat-7.10.0-windows-x86_64.zip
    1. Download Winlogbeat
  3. Expand-Archive .\winlogbeat-7.10.0-windows-x86_64.zip -DestinationPath .
    1. Unzip Winlogbeat
  4. mv .\winlogbeat-7.10.0-windows-x86_64 'C:\Program Files\winlogbeat'
    1. Move Winlogbeat to the Program Files directory
  5. cd 'C:\Program Files\winlogbeat\'
    1. Change to the Program Files directory
  6. Invoke-WebRequest -Uri https://raw.githubusercontent.com/CptOfEvilMinions/ThreatWaffle/main/conf/win_clients/winlogbeat/winlogbeat.yml -OutFile winlogbeat.yml
    1. Download Winlogbeat config
  7. Using your favorite text editor open C:\Program Files\winlogbeat\winlogbeat.yml
    1. Open the document from the command line with Visual Studio Code: code .\winlogbeat.yml
    2. Open the document from the command line with Notepad: notepad.exe .\winlogbeat.yml
  8. Scroll down to the output.logstash: section
    1. Replace logstash_ip_addr with the IP address or FQDN of Logstash
    2. Replace logstash_port with the port Logstash uses to ingest Beats (default 5044)
  9. powershell -Exec bypass -File .\install-service-winlogbeat.ps1
  10. Set-Service -Name "winlogbeat" -StartupType automatic
  11. Start-Service -Name "winlogbeat"
  12. Get-Service -Name "winlogbeat"

Setup Elastic via WebGUI

Login into Elastic WebGUI

  1. Open a browser to https://<IP addr or FQDN of Elastic>:443 and log in
    1. Username: elastic
    2. Password: <output for the Elastic user during setup>
    3. Select “Log in”

Setup Sysmon index on Elastic

  1. Settings > Data > Index management
    1. Ensure that a Sysmon index has been created like below
  2. Settings > Kibana > Index patterns
  3. Select “Create index pattern”
    1. Define an index pattern
      1. Enter sysmon-* into the index pattern name
    2. Configure settings
      1. Select “@timestamp” for timefield
    3. Select “Create index pattern”
  4. Settings > Kibana > Discover

Setup FleetDM via WebGUI

  1. Open a web browser to FleetDM
  2. Setup user
    1. Enter a <username> into Username
    2. Enter a <password> into Password
    3. Enter an <e-mail> for the admin user
    4. Select “Next”
  3. Organization details
    1. Enter organization name
    2. Enter the organization URL
    3. Select “Next”
  4. Set Fleet URL
    1. Accept the default Fleet URL, unless you need to change it
    2. Select “Submit”
  5. Select “Finish”

Test Osquery agents with a live query

  1. Select “Hosts” in the top right
  2. Select one of the Osquery agents from the list
  3. Select “Query” in the top right
  4. Enter the following query: SELECT * FROM osquery_info into SQL
  5. Select “Run” in the bottom right

Future road map

In this blog post, we created a lab environment to perform red team activities for us to hunt. This environment is predominantly Windows machines, with Windows clients Jupiter and Saturn as our primary targets. The Windows domain controller (WinDC) provides central authentication and Group Policy management for our Windows clients. In addition to our Windows machines we also have our Ubuntu servers: one running FleetDM, which our Osquery agents report to, and one running the Elastic stack, which Sysmon + Winlogbeat report to. Using this environment we will focus on understanding the attacker mindset, how to interpret actions performed by an adversary from a defender's perspective, and how to transition findings from your hunts into future detections or environmental improvements.

In the next blog post, I am going to introduce the attacker mindset with the Mandiant Attack Lifecycle. To do this I am going to utilize Powershell Empire to simulate an APT style attack to generate artifacts for us to hunt in the blog posts to follow.

In the third blog post we will see that Sysmon is monitoring the Windows clients in real time and reporting the activity to the Elastic stack. The Elastic stack will then be used to step through the phases of the attack life cycle hunting the malicious adversary activity in each phase. The goal will be to demonstrate common tools and techniques used by adversaries and how to hunt for artifacts generated by that activity using Elastic.

In the fourth blog post we will introduce the Endgame threat hunting process using the MITRE ATT&CK matrix. This will be done utilizing FleetDM as our fleet manager for Osquery agents, which provides the ability to run scheduled queries on a specified interval or ad-hoc queries to ask our environment a question. We will create threat hunting hypotheses and use FleetDM + Osquery to confirm or deny our hypothesis, aka the existence or absence of malicious activity in our environment. Lastly, we will collect and review our findings from the threat hunt exercises to create detections and/or recommend environment improvements.

Lessons learned

I am currently reading a book called “Cracking the Coding Interview” and it is a great book. One interesting part of the book is their matrix to describe projects you worked on and the matrix contains the following sections which are: challenges, mistakes/failures, enjoyed, leadership, conflicts, and what would you do differently. I am going to try and use this model at the end of my blog posts to summarize and reflect on the things I learn. I don’t blog to post things that I know, I blog to learn new things and to share the knowledge of my security research.

New skills/knowledge

  • How to configure Group Policy with Powershell
  • Use the new version of Ansible v2.9
  • Use the new version of FleetDM v3.9.0
  • Using Sysmon v13.10
  • Using the Python Elasticsearch library to import logs into Elasticsearch
  • Using the Python Beats library to send logs to Logstash for ingestion
  • How to setup a Windows domain
  • How to setup a Windows domain that allows lateral movement
  • How to interact/enable Windows Event Logs – process creation

Challenges

  • Automate modifying the Group Policy with Ansible
  • How to scale this workshop for DEFCON, especially as a remote workshop

Enjoyed

  • Went to DEFCON for my first time even though it was virtual due to COVID
  • My first security workshop – DEFCON
  • Interacting with the community after my DEFCON workshop on Twitter

4 thoughts on “Part 1: Intro to Threat Hunting – Setting up the environment”

  1. Alex Sara says:

    Hi.

    I am trying to follow your steps to deploy the osquery on Windows 10 and to enroll them to Kolide, however I do not understand what you mean in Deploy OSQuery agents -> Initial Setup -> Step 4 -> vim group_vars/agents -> set osquery_enroll_secret with string from Kolide.

    Where is this group_vars? These deployment steps are really confusing, could you please clarify?

    Thanks.

    • spartan2194 says:

      The directions have been updated to include:
      4. mv group_vars/agents.example group_vars/agents
      5. vim group_vars/agents

  2. ralph23 says:

    I have difficulty understanding the lingo here.

    mv group_vars/all.example group_vars/all
    mv group_vars/win_agents.example group_vars/win_agents
    vim group_vars/win_agents

    mv ==> move
    group_vars/all.example ==> [folder/file.example] ==> group_vars/all [folder] ?

    Do I make a file named group_vars with a file named all.example?
    What is vim, an editor? Do I create a file in folder groups_vars named
    win_agents? My understanding of linux goes off the rails here. Can you please
    provide some explanation. I would like to try your method in my personal lab.

    • spartan2194 says:

      Hey ralph23,

      The move(mv) command within Linux can be used to move files OR rename files, like done above. The files within the current group_vars directory end with a “.example” extension. But Ansible is looking for a file called “group_vars/all”, which does not contain the extension. Continue reading if you want to know why I do this :).

      Files within the “group_vars” directory may contain sensitive information. To avoid pushing code with potentially sensitive information, I make a copy of each group_var file and call it .example with fake/blank values. Next, I add “group_vars” files WITHOUT the “.example” extension to my “.gitignore” file. This ensures I don’t accidentally push code to Github with sensitive values such as a Slack token.

      Happy Hunting!
