This blog post series is a culmination of my learning experience in becoming a threat hunter. Over time this learning experience helped me develop a teaching philosophy to help novices go from zero to hero threat hunter, which is what I will be using to teach the threat hunting fundamentals. This series will have a strong focus on understanding the attacker mindset, how to interpret actions performed by an adversary from a defenders perspective, and how to transition findings from your hunts into future detections or environmental improvements. The content used here is a written adaptation of my DefCon 2020 Blue Team village workshop. It will utilize the same ideas and techniques used for that workshop reiterating specifics and points for the greater InfoSec community to use.
First, we will start by understanding the attacker mindset with the Mandiant Attack Lifecycle. To re-enforce this methodology there is a red team exercise utilizing Powershell Empire to perform an APT style attack. The outcome of this red team exercise is the creation of a story or, in this case, the creation of a fictious advanced persistent threat (APT) known as Goofball. Second, we will utilize the actions performed by Goofball to perform an informal threat hunting exercise that will hunt the artifacts generated by our fictious adversary using Sysmon and the Elastic stack.
Thirdly, we will use our informal threat hunting exercise as a foundational jumping off point to formally hunt our fictitious adversary using the Endgame threat hunting process. In addition to the Endgame threat hunting process, we will learn how to use the MITRE ATT&CK matrix to generate threat hunting hypotheses and use FleetDM + Osquery to confirm/deny our hypothesis. Lastly, we will end this blog post series with a retrospective and how to convert threat hunting findings into detections or environmental improvements.
Before we jump into these topics, we need an environment to perform our red team exercise and to collect logs from for our threat hunting exercises. This blog post contains Ansible playbooks and manual instructions to setup the Windows environment used for this series. Additionally, there is a “quick setup” to stand up an Elastic stack and import pre-collected logs from the red team exercise. This quick setup is for individuals who don’t have the hardware resources to spin up an entire network or would prefer to just utilize the logs. The take away from this blog post series should be an understanding of the attacker mindset, how to use the knowledge of attacker techniques and procedures to hunt for them, and finally how to transition successful hunts to detections.