Category Archives: Threat Hunting

Part 3: Intro to threat hunting – Hunting the imposter among us with the Elastic stack and Sysmon

This blog post series is for anyone who has ever had an interest in threat hunting but did not know how or where to start, what tools they need, or what to hunt for. In this blog post, I will introduce an informal threat hunting process by hunting the APT-style attack performed during the red team exercise in the previous blog post. The theme of this blog post is to demonstrate how to hunt and detect malicious activity at each stage of the Mandiant Attack Lifecycle, creating a fundamental framework for hunting adversaries. This blog post is a written adaptation of my DefCon 2020 Blue Team village workshop. It will utilize the same ideas and techniques used for that workshop, reiterating specifics and points for the greater InfoSec community to use.

In this blog series, we have a fictitious advanced persistent threat (APT) code-named Goofball. They have been known to steal intellectual property, and the Hackinglab corporation just released a press statement about a new widget that will revolutionize the world. This blog post is going to embark on a quest to hunt for the existence of Goofball in the Hackinglab corporation network. Additionally, this quest will introduce you to an informal threat hunting process to demonstrate the tools and techniques using Sysmon and the Elastic stack. The hope is that this informal process demonstrates how to apply a threat hunting mindset to search for malicious activity in your environment, and also how to understand your findings so you can investigate further.

Part 2: Intro to Threat Hunting – Understanding the attacker mindset with Powershell Empire and the Mandiant Attack Lifecycle

In this blog post, I continue my pursuit of knowledge to become a threat hunter. This blog post will introduce the following concepts: understanding the attacker mindset with the Mandiant Attack Lifecycle, performing a red team exercise to demonstrate the tools and techniques used by attackers with Powershell Empire, and observing how attacker activity leaves behind a trail of artifacts. These concepts will create the foundation we will use in future blog posts to hunt for malicious activity.

Part 1: Threat hunting with BRO/Zeek and EQL

One of the biggest challenges for blue teams is using logs to hunt for malicious activity. Tools like BRO provide fantastic logging of the events that transpired on a network but don’t provide a mechanism to ask those logs a question. Threat hunting is the process of generating a series of hypotheses about malicious activity that might be occurring on your network. EQL provides a tool that can ingest logs and gives the threat hunter a mechanism to ask questions that prove or disprove their hypotheses. Furthermore, I have extended the EQL platform to support Zeek/BRO logs for network-based threat hunting.

Part 1: Intro to Threat Hunting – Setting up the environment

This blog post series is a culmination of my learning experience in becoming a threat hunter. Over time this learning experience helped me develop a teaching philosophy to help novices go from zero to hero threat hunter, which is what I will be using to teach the threat hunting fundamentals. This series will have a strong focus on understanding the attacker mindset, how to interpret actions performed by an adversary from a defender’s perspective, and how to transition findings from your hunts into future detections or environmental improvements. The content used here is a written adaptation of my DefCon 2020 Blue Team village workshop. It will utilize the same ideas and techniques used for that workshop, reiterating specifics and points for the greater InfoSec community to use.

First, we will start by understanding the attacker mindset with the Mandiant Attack Lifecycle. To reinforce this methodology there is a red team exercise utilizing Powershell Empire to perform an APT-style attack. The outcome of this red team exercise is the creation of a story or, in this case, the creation of a fictitious advanced persistent threat (APT) known as Goofball. Second, we will utilize the actions performed by Goofball to perform an informal threat hunting exercise that will hunt the artifacts generated by our fictitious adversary using Sysmon and the Elastic stack.

Thirdly, we will use our informal threat hunting exercise as a foundational jumping-off point to formally hunt our fictitious adversary using the Endgame threat hunting process. In addition to the Endgame threat hunting process, we will learn how to use the MITRE ATT&CK matrix to generate threat hunting hypotheses and use FleetDM + Osquery to confirm or deny those hypotheses. Lastly, we will end this blog post series with a retrospective and how to convert threat hunting findings into detections or environmental improvements.

Before we jump into these topics, we need an environment to perform our red team exercise in and to collect logs from for our threat hunting exercises. This blog post contains Ansible playbooks and manual instructions to set up the Windows environment used for this series. Additionally, there is a “quick setup” to stand up an Elastic stack and import pre-collected logs from the red team exercise. This quick setup is for individuals who don’t have the hardware resources to spin up an entire network or would prefer to just utilize the logs. The takeaway from this blog post series should be an understanding of the attacker mindset, how to use the knowledge of attacker techniques and procedures to hunt for them, and finally how to transition successful hunts into detections.

Install/Setup MITRE Caldera, the automated cyber adversary emulation system

In this blog post I will be covering how to set up and utilize MITRE’s new tool called Caldera. Caldera is a cyber adversary emulation system that operates on a server/agent model. On the server you create adversary campaigns that are deployed to your agents. Your agents will periodically call back with their results and progress. Let’s begin!

Part 1: Intro to Threat Hunting with Powershell Empire, Windows event logs, and Graylog

One of the biggest trends in infosec, besides the word cyber, is threat hunting. First, I want to start by defining threat hunting as the action of “investigation without cause”, and this concept is nothing new. It’s been around for years, but we didn’t have a catchy marketing term associated with it. In this post, I will break down the Sqrrl threat hunting model, use Powershell Empire for adversary activity, and give instructions on setting up Graylog for log aggregation and as a search platform to perform threat hunting. Finally, I would like to point out that all Ansible playbooks used in this post are publicly accessible on my GitHub page in a repo called “AgileFalcon”.

Rekall memory analysis framework for Windows, Linux, and Mac OSX

Rekall is the most complete memory analysis framework. Rekall provides an end-to-end solution to incident responders and forensic analysts, from state-of-the-art acquisition tools to the most advanced open source memory analysis framework. Rekall provides cross-platform solutions on Windows, Mac OSX, and Linux. Additionally, as stated above, each operating system has its own memory acquisition tool provided by Rekall called pmem.
