Detection Engineering using Open-Source Tools — ThreatHound and Zircolite
Detection Engineering is an important part of cybersecurity, since it is what triggers an alert that something suspicious is going on in the network by matching the applied signatures. These signatures are created in multiple forms. The most widely used are:
- Sigma — System/Cloud logs
- YARA — File strings
- Snort/Suricata — Network traffic
- SIEM — Logical query
Keeping up to date on adversary trends is the best way to enrich detections and catch the threat before it reaches its objective.
Additionally, a purple teaming exercise is also a great way to improve detection and close gaps.
Please Note: I am using these tools as part of a purple teaming exercise, reviewing the gap analysis report and enriching the detections (Sigma rules).
Purple Teaming Emulation
Please Note: These tools are used assuming the adversary emulation is completed.
ThreatHound
STEP1: Export the Windows Event/Sysmon logs.
STEP2: Run ThreatHound.py against the logs with our existing detections to identify which threats were detected.
python3 ThreatHound.py ~/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx --sigma ~/sigma/
STEP3: Update the purple teaming exercise results and run the report to conduct detection gap analysis.
STEP4: Add or Enrich Detection
We need to improve the detection on LSASS Memory and Remote Service.
STEP5: Repeat STEP2 to verify the new or refined detections.
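The STEP2 to STEP5 loop above (run the rules, find the techniques nothing fired on, add rules, re-run) can be reduced to a small script. The following is an added example, not ThreatHound's or Sigma's own code: it evaluates Sigma-style rules (held as Python dicts instead of YML, with the endswith/contains/startswith modifiers and a "sel and not filt" condition) over a handful of constructed Sysmon and System-log events, reports which emulated techniques have no rule hit, and then shows the LSASS Memory and Remote Service gaps being closed by the two enrichment rules. The ATT&CK IDs chosen for the four emulated techniques and the event samples are assumptions of this example.

```python
"""Sigma-style rule evaluation and detection gap analysis (added example)."""
from __future__ import annotations

from typing import Any

# Constructed, flattened Sysmon/System-log events standing in for an exported EVTX.
# Field names follow Sysmon (Image, CommandLine, TargetImage, GrantedAccess ...).
EVENTS: list[dict[str, Any]] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://files.example.test/update.hta"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /create /sc minute /tn Updater /tr "rundll32.exe upd.dll,Run"'},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",   # benign OS access
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 7045, "ServiceName": "RemoteHelper", "ImagePath": r"C:\Users\Public\svc.exe"},
]

# Techniques the emulation covered. Mapping the page's "LSASS Memory" and
# "Remote Service" gaps to T1003.001 / T1569.002 is an assumption of this example.
EMULATED = {"T1218.005": "Mshta", "T1053.005": "Scheduled Task",
            "T1003.001": "LSASS Memory", "T1569.002": "Service Execution"}

# Existing rules, in Sigma's structure (dicts here instead of YML files).
BASE_RULES = [
    {"title": "Suspicious MSHTA Execution", "tags": ["attack.defense_evasion", "attack.t1218.005"],
     "detection": {"sel": {"Image|endswith": r"\mshta.exe",
                           "CommandLine|contains": ["http://", "https://"]},
                   "condition": "sel"}},
    {"title": "Scheduled Task Creation", "tags": ["attack.t1053.005"],
     "detection": {"sel": {"Image|endswith": r"\schtasks.exe", "CommandLine|contains": "/create"},
                   "condition": "sel"}},
]

# Rules written in STEP4 to close the two gaps (filters keep known-good sources quiet).
ENRICHED_RULES = [
    {"title": "LSASS Memory Access", "tags": ["attack.t1003.001"],
     "detection": {"sel": {"EventID": 10, "TargetImage|endswith": r"\lsass.exe",
                           "GrantedAccess": ["0x1010", "0x1410", "0x1fffff"]},
                   "filt": {"SourceImage|startswith": "C:\\Windows\\System32\\"},
                   "condition": "sel and not filt"}},
    {"title": "Service Installed Outside Windows Directory", "tags": ["attack.t1569.002"],
     "detection": {"sel": {"EventID": 7045},
                   "filt": {"ImagePath|startswith": "C:\\Windows\\"},
                   "condition": "sel and not filt"}},
]


def _match_value(actual: Any, expected: Any, modifier: str) -> bool:
    """Sigma string matching is case-insensitive; modifiers narrow the comparison."""
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    return a == e


def _match_selection(event: dict[str, Any], selection: dict[str, Any]) -> bool:
    """All fields of a selection must match (AND); a list of values is an OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event[field], v, modifier) for v in values):
            return False
    return True


def rule_matches(event: dict[str, Any], rule: dict[str, Any]) -> bool:
    """Supports the conditions '<sel>' and '<sel> and not <filt>'."""
    det = rule["detection"]
    sel, _, filt = det["condition"].partition(" and not ")
    if not _match_selection(event, det[sel.strip()]):
        return False
    return not (filt and _match_selection(event, det[filt.strip()]))


def gap_analysis(events, rules, emulated) -> dict[str, list[str]]:
    """Map each emulated technique to the titles of the rules that fired on the events."""
    hits: dict[str, list[str]] = {t: [] for t in emulated}
    for rule in rules:
        if not any(rule_matches(e, rule) for e in events):
            continue
        for tag in rule["tags"]:
            tech = tag.split(".", 1)[1].upper()      # "attack.t1003.001" -> "T1003.001"
            if tech in hits and rule["title"] not in hits[tech]:
                hits[tech].append(rule["title"])
    return hits


def gaps(report: dict[str, list[str]]) -> list[str]:
    """Techniques that were emulated but produced no detection."""
    return sorted(t for t, titles in report.items() if not titles)


if __name__ == "__main__":
    before = gap_analysis(EVENTS, BASE_RULES, EMULATED)
    print("gaps before enrichment:", [f"{t} ({EMULATED[t]})" for t in gaps(before)])
    after = gap_analysis(EVENTS, BASE_RULES + ENRICHED_RULES, EMULATED)
    print("gaps after enrichment:", gaps(after))
```

The benign csrss.exe access to lsass.exe is in the sample on purpose: a rule that fires on it would close the gap on paper while flooding the SOC, so the filter is part of what STEP5 re-verifies.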
Zircolite
STEP1: Export the Windows Event/Sysmon logs.
STEP2: Run zircolite.py against the logs with our existing detections to identify which threats were detected.
python3 zircolite.py --evtx ~/EVTX-ATTACK-SAMPLES/ --rules ~/Zircolite/rules/rules_windows_sysmon_full.json
STEP3: Update the purple teaming exercise results and run the report to conduct detection gap analysis.
STEP3.1: Zircolite also has a GUI-based report which can be used to conduct detection gap analysis.
python3 zircolite.py --evtx ~/EVTX-ATTACK-SAMPLES/ --rules ~/Zircolite/rules/rules_windows_sysmon_full.json --template templates/exportForZircoGui.tmpl --templateOutput data.js
unzip gui/zircogui.zip
mv data.js zircogui/
Then open index.html to review the report.
STEP4: Add or Enrich Detection
STEP5: Repeat STEP2 to verify the new or refined detections.
Please Note: Zircolite uses a ruleset in JSON format, which is different from the Sigma YML files, so we need to manually create a matching rule.
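The JSON rulesets under ~/Zircolite/rules/ hold each detection as an SQL query that is run over the flattened events in an SQLite table, which is why a Sigma YML rule cannot be dropped in as-is. The following added example (not Zircolite's or Sigma's own code) shows what that manual conversion amounts to: a Sigma-style selection is turned into a WHERE clause, wrapped in a JSON entry, and executed against constructed events loaded into an in-memory table. The key layout of the JSON entry (title, id, status, description, author, tags, falsepositives, level, rule, filename) is an assumption to be checked against a real file in the rules directory, and the rule ids are placeholders.

```python
"""Convert Sigma-style selections to SQL and run them like a Zircolite ruleset (added example)."""
from __future__ import annotations

import json
import sqlite3
from typing import Any

# Constructed, flattened Sysmon events; in Zircolite these come from the EVTX export.
EVENTS: list[dict[str, Any]] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://files.example.test/update.hta"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",   # benign OS access
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
]

# Sigma rules as dicts (what the YML files parse to). Ids are placeholders.
SIGMA_RULES = [
    {"title": "Suspicious MSHTA Execution", "id": "00000000-0000-0000-0000-000000000001",
     "level": "high", "tags": ["attack.t1218.005"],
     "detection": {"sel": {"Image|endswith": r"\mshta.exe",
                           "CommandLine|contains": ["http://", "https://"]},
                   "condition": "sel"}},
    {"title": "LSASS Memory Access", "id": "00000000-0000-0000-0000-000000000002",
     "level": "high", "tags": ["attack.t1003.001"],
     "detection": {"sel": {"EventID": 10, "TargetImage|endswith": r"\lsass.exe",
                           "GrantedAccess": "0x1010"},
                   "filt": {"SourceImage|startswith": "C:\\Windows\\System32\\"},
                   "condition": "sel and not filt"}},
]


def _literal(value: Any) -> str:
    """Quote a value for LIKE: escape its own % and _ (wildcards) with '!' and double quotes."""
    s = str(value).replace("!", "!!").replace("%", "!%").replace("_", "!_")
    return s.replace("'", "''")


def selection_to_sql(selection: dict[str, Any]) -> str:
    """AND across fields, OR across list values. LIKE is used for every modifier, including
    the plain one, because SQLite's LIKE is ASCII case-insensitive like Sigma matching."""
    clauses = []
    for key, expected in selection.items():
        field, _, mod = key.partition("|")
        col = f'"{field}"'
        values = expected if isinstance(expected, list) else [expected]
        patterns = {"contains": "%{}%", "startswith": "{}%", "endswith": "%{}"}
        ors = [f"{col} LIKE '{patterns.get(mod, '{}').format(_literal(v))}' ESCAPE '!'"
               for v in values]
        clauses.append("(" + " OR ".join(ors) + ")")
    return " AND ".join(clauses)


def to_zircolite_rule(rule: dict[str, Any]) -> dict[str, Any]:
    """Emit one entry in the assumed layout of Zircolite's JSON rule files."""
    det = rule["detection"]
    sel, _, filt = det["condition"].partition(" and not ")
    where = selection_to_sql(det[sel.strip()])
    if filt:
        where = f"({where}) AND NOT ({selection_to_sql(det[filt.strip()])})"
    return {"title": rule["title"], "id": rule["id"], "status": "experimental",
            "description": "", "author": "", "tags": rule["tags"], "falsepositives": [],
            "level": rule["level"], "rule": [f"SELECT * FROM logs WHERE {where}"],
            "filename": rule["title"].lower().replace(" ", "_") + ".yml"}


def run_rules(events: list[dict[str, Any]], json_rules: list[dict[str, Any]]) -> dict[str, int]:
    """Load flattened events into an in-memory 'logs' table and count hits per rule.
    Columns are the union of event fields; every column is TEXT so EventID 10 matches '10'."""
    columns = sorted({k for e in events for k in e})
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE logs (%s)" % ", ".join(f'"{c}" TEXT' for c in columns))
    con.executemany("INSERT INTO logs VALUES (%s)" % ", ".join("?" * len(columns)),
                    [tuple(e.get(c) for c in columns) for e in events])
    hits = {r["title"]: sum(len(con.execute(q).fetchall()) for q in r["rule"])
            for r in json_rules}
    con.close()
    return hits


if __name__ == "__main__":
    ruleset = [to_zircolite_rule(r) for r in SIGMA_RULES]
    print(json.dumps(ruleset, indent=2))          # what would be written to a rules JSON file
    print(run_rules(EVENTS, ruleset))
```

A rule that references a field absent from every event fails in SQLite with "no such column", which is the same failure to expect when a Sigma rule written for one log source is converted and run against an export that lacks it.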
I hope these tools help detect suspicious behavior on the network and also help enrich detection engineering to protect against threats.