Category Archives: Threat Hunting

Part 2: Intro to Threat Hunting – Understanding the attacker mindset with Powershell Empire and the Mandiant Attack Lifecycle

In this blog post, I continue my pursuit of knowledge to become a threat hunter. This blog post will introduce the following concepts: understanding the attacker mindset with the Mandiant Attack Lifecycle, performing a red team exercise to demonstrate the tools and techniques used by attackers with Powershell Empire, and observing how attacker activity leaves behind a trail of artifacts. These concepts will create the foundation we will use in future blog posts to hunt for malicious activity.

Continue reading


Part 1: Threat hunting with BRO/Zeek and EQL

One of the biggest challenges for blue teams is using logs to hunt for malicious activity. Tools like BRO provide fantastic logging of the events that transpired on a network but don’t provide a mechanism to ask those logs a question. Threat hunting is the process of generating a series of hypotheses about malicious activity that might be occurring on your network. EQL provides a tool that can ingest logs and provide the threat hunter a mechanism to ask questions to prove or disprove their hypotheses. Furthermore, I have extended the EQL platform to support Zeek/BRO logs for network-based threat hunting.

Continue reading

Part 1: Intro to Threat Hunting – Setting up the environment

In this blog post series, I am documenting my novice pursuit for knowledge to become a threat hunter. This series has a strong focus on utilizing OSQuery to hunt for different techniques used by adversaries. The first post of this series, will consist of instructions to set up a lab environment. The second post of this series will be walking through red team scenarios with Powershell Empire, and MITRE’s cyber adversary emulation system called Caldera.

The third post in this series, will utilize OSQuery to hunt red team activity by discovering artifacts and modifications made to the system. The fourth post in this series, will integrate our successful hunts into Graylog for logging and alerting. Lastly, this series will be generating threat-hunting playbooks and scoring our detection capabilities using Cyb3rWard0g’s system.

Continue reading

Install/Setup MITRE Caldera the automated cyber adversary emulation system

In this blog post I will be covering how to setup and utilize MITRE’s new tool called Caldera. Caldera is a cyber adversary emulation system that operates on a server/agent model. On the server you can create adversary campaigns that are deployed to your agents. Your agents will periodically call back with their results and progress. Let’s begin!

Continue reading

Part 1: Intro to Threat Hunting with Powershell Empire, Windows event logs, and Graylog

One of the biggest trends in infosec, besides the word cyber, is threat hunting. First, I want to start by defining threat hunting as the action of “investigation without cause” and this concept is nothing new. It’s been around for years but we didn’t have a catchy marketing term associated with it. In this post, I will breakdown the Sqrrl threat hunting model, Powershell Empire for adversary activity, and instructions on setting up Graylog for log aggregation and a search platform to perform threat hunting. Finally, I would like to point out all Ansible playbooks used in this post are publicly accessible on my Github page in a repo called “AgileFalcon“.

Continue reading

Rekall memory analysis framework for Windows, Linux, and Mac OSX

Rekall is the most complete Memory Analysis framework. Rekall provides an end-to-end solution to incident responders and forensic analysts. From state of the art acquisition tools, to the most advanced open source memory analysis framework. Rekall provides cross-platform solutions on Windows, Mac OSX, and Linux. Additionally, as stated above each operating system has it’s own memory acquisition tool provided by Rekall called pmem.

Continue reading