Category Archives: Threat Hunting

Part 2a: Intro to Threat Hunting with Kolide Fleet, OSQuery, Powershell Empire, and Caldera – Setup environment

In this blog post series, I am documenting my pursuit of knowledge as a novice threat hunter. The series focuses strongly on using OSQuery to hunt for techniques used by adversaries. The first post consists of instructions for setting up a lab environment. The second post walks through red team scenarios with Powershell Empire and MITRE's cyber adversary emulation system, Caldera.

The third post uses OSQuery to hunt red team activity by discovering artifacts and modifications made to the system. The fourth post integrates our successful hunts into Graylog for logging and alerting. Lastly, the series generates threat-hunting playbooks and scores our detection capabilities using Cyb3rWard0g's system.


Install/Setup MITRE Caldera the automated cyber adversary emulation system

In this blog post I will cover how to set up and use MITRE's new tool, Caldera. Caldera is a cyber adversary emulation system that operates on a server/agent model. On the server you create adversary campaigns that are deployed to your agents, and the agents periodically call back with their results and progress. Let's begin!


Part 1: Intro to Threat Hunting with Powershell Empire, Windows event logs, and Graylog

One of the biggest trends in infosec, besides the word cyber, is threat hunting. First, I want to define threat hunting as the act of "investigation without cause"; this concept is nothing new. It has been around for years, but we did not have a catchy marketing term for it. In this post, I will break down the Sqrrl threat hunting model, use Powershell Empire to generate adversary activity, and give instructions for setting up Graylog as a log aggregation and search platform for threat hunting. Finally, all Ansible playbooks used in this post are publicly accessible on my Github page in a repo called "AgileFalcon".


Rekall memory analysis framework for Windows, Linux, and Mac OSX

Rekall is the most complete memory analysis framework. It provides an end-to-end solution for incident responders and forensic analysts, from state-of-the-art acquisition tools to the most advanced open source memory analysis framework. Rekall provides cross-platform support for Windows, Mac OSX, and Linux. Additionally, each operating system has its own memory acquisition tool provided by Rekall, called pmem.
