Two years ago, as a final-year student, I was doing an internship at one of the leading banks in Myanmar, where I met my team leader, who had found over 40 bugs in Facebook. He guided me to learn threat hunting, and I started learning under his guidance. This post does not contain any technical information; I want to share the resources from which I learned threat hunting.
Weaponized threat hunting lab
My very first learning resource was the blog post series on creating a threat hunting lab, written by Roberto Rodriguez. You can learn how to set up a lab for threat hunting purposes here. There are 7 parts to setting up the lab. I learned a lot from his blog, about system administration as well. Then I started to dig around HELK, which is also created by him.
Learning threat hunting materials
After setting up the lab, I needed to learn what threat hunting is and what its hunting methodologies are. I found a very nice paper called Huntpedia, and you can download that paper here. After reading the paper, I started to know a little about threat hunting methodologies, signal vs. noise reduction and so on.
I also learned from syspanda, and you can view his blog here. This blog gave me a lot of knowledge about hunting methodologies and alerting techniques.
Then I found a very cool GitHub repo called Threat Hunter Playbook, which you can view here. This repo contains a lot of resources such as threat hunting techniques, presentations, playbooks and pretty much everything about threat hunting.
The Pyramid of Pain
Once I had some knowledge of threat hunting methodologies, I started learning about The Pyramid of Pain, written by David J. Bianco. It makes you think about questions such as: what if the attacker evades a file-hash indicator, what if he comes from a different origin, what if I can get new TTPs from him? You can see his blog post here.
Thinking like an adversary (I mean simulation)
Before thinking like an adversary, I first needed to know how an adversary operates. So I started to learn about the attacker life cycle in order to think like an adversary. There are six stages in the attacker life cycle, as shown below.
You can read a good white paper here.
After learning from these resources, I started simulating an adversary and writing rules based on my output. I started using automation tools like Atomic Red Team, CALDERA, Infection Monkey and RTA, as well as manual simulation. You can view a list of automation tools here. For manual simulation, I used techniques from ired.team and pentestblog, and some cheat sheets such as Empire, PowerView, PowerUp, mimikatz and so on. You can download these from HarmJ0y's GitHub. For mimikatz simulation, adsecurity created unofficial mimikatz documentation here. Remember that the simulation step is really important to us: if you miss or forget to implement a technique, you cannot get a detection for that adversary behaviour.
There is a GitHub repo called mordor that provides pre-recorded security events generated by simulated adversarial techniques. You can test it from here. According to mordor, their attack diagram is as shown below.
You can learn a lot of adversary techniques from there.
Writing my own rules and tools
After simulating lots of techniques, I started to realize that there was so much false positive output, and I needed to reduce that false positive ratio. So I started learning about MITRE ATT&CK and evaluating based on the ATT&CK Evaluations. Currently there are two evaluations, APT3 and APT29, in MITRE, and you can view these evaluations here. Then I started writing my own detection techniques based on ATT&CK; you can view them in my GitLab.
Then I combined HELK with a threat intelligence platform called AlienVault OTX. If there is a match, such as a malware IP or file hash, between the HELK logs from my organization and the OTX feed, I get an alert. You can view my integration setting here.
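To show what that HELK-to-OTX match looks like in code, here is an added example (not the author's integration and not OTX or HELK code): a constructed indicator feed in the shape of an OTX pulse export, a few constructed Sysmon-style events as HELK would receive them, and a matcher that raises one alert per indicator hit. Hashes and domains are normalized before comparison, since Sysmon writes hashes in upper case and DNS logs may carry a trailing dot.

```python
"""Match Sysmon-style events from a HELK pipeline against a threat-intel feed.

Added example (not the author's HELK/OTX integration): the feed and the
events below are constructed stand-ins for an OTX pulse export and for
events shipped to HELK, so the script runs offline.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Set, Tuple

# Constructed feed: OTX-style indicator type -> indicator values.
FEED: Dict[str, Set[str]] = {
    "IPv4": {"203.0.113.7", "198.51.100.23"},
    "FileHash-SHA256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    "FileHash-MD5": {"d41d8cd98f00b204e9800998ecf8427e"},
    "domain": {"evil-example.test"},
}

# Constructed Sysmon events: ID 1 process create, 3 network connect, 22 DNS query.
EVENTS: List[dict] = [
    {"EventID": 1, "Computer": "ws01", "Image": "C:\\Users\\bob\\update.exe",
     "Hashes": "SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,"
               "MD5=d41d8cd98f00b204e9800998ecf8427e"},
    {"EventID": 3, "Computer": "ws01", "Image": "C:\\Users\\bob\\update.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 443},
    {"EventID": 3, "Computer": "ws02", "Image": "C:\\Program Files\\app.exe",
     "DestinationIp": "192.0.2.10", "DestinationPort": 80},
    {"EventID": 22, "Computer": "ws02", "Image": "C:\\Windows\\explorer.exe",
     "QueryName": "Evil-Example.test."},
]


@dataclass(frozen=True)
class Alert:
    computer: str
    indicator_type: str
    indicator: str
    image: str


def normalize_feed(feed: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Lower-case every indicator so case differences in the logs cannot cause a miss."""
    return {kind: {v.lower().rstrip(".") for v in values} for kind, values in feed.items()}


def parse_hashes(field: str) -> Dict[str, str]:
    """Parse Sysmon's 'SHA256=...,MD5=...' Hashes field into {ALGO: lowercase hash}."""
    out: Dict[str, str] = {}
    for part in field.split(","):
        algo, sep, value = part.partition("=")
        if sep:
            out[algo.strip().upper()] = value.strip().lower()
    return out


def indicators_in_event(event: dict) -> Iterator[Tuple[str, str]]:
    """Yield (feed_type, value) pairs present in one event."""
    if "DestinationIp" in event:
        yield "IPv4", event["DestinationIp"]
    if "QueryName" in event:
        # DNS logs may carry a trailing dot for the root label; strip it before comparing.
        yield "domain", event["QueryName"].lower().rstrip(".")
    for algo, digest in parse_hashes(event.get("Hashes", "")).items():
        yield f"FileHash-{algo}", digest


def match_events(events: List[dict], feed: Dict[str, Set[str]]) -> List[Alert]:
    """Return one Alert per (event, indicator) hit; an event can hit more than once."""
    norm = normalize_feed(feed)
    alerts: List[Alert] = []
    for event in events:
        for kind, value in indicators_in_event(event):
            if value in norm.get(kind, set()):
                alerts.append(Alert(event["Computer"], kind, value, event.get("Image", "")))
    return alerts


if __name__ == "__main__":
    for alert in match_events(EVENTS, FEED):
        print(alert)
```

The process-create event produces two alerts (SHA256 and MD5 both hit), the first network event one, and the DNS query one, while the connection to 192.0.2.10 stays silent; in a real pipeline the feed would be refreshed from OTX on a schedule and the alerts written back to the SIEM index rather than printed.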
One day, my team leader told me that
If we can get the destination domain registration date, we can get great benefit from that.
Mostly, adversaries register the domains for their operation not more than 5 or 6 months in advance. So I started to dig around how to implement that feature, and I found a Python script called domain stats, created by Mark Baggett (SANS instructor). You can download his script here. So I combined this with my HELK, and the outcome is
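The registration-age check described above, as an added example that is neither the domain stats script nor the author's HELK integration: a constructed in-memory WHOIS table stands in for the live lookup, the 180-day threshold is an assumption standing in for "5 or 6 months", and domains with no WHOIS record are reported as unknown rather than silently treated as old.

```python
"""Flag DNS queries for recently registered domains.

Added example (not the domain stats script): WHOIS creation dates come from a
constructed in-memory table so the code runs offline, and the threshold is an
assumed 180 days, roughly the 5-6 months the post mentions.
"""
from datetime import date
from typing import Dict, List, Optional

NEW_DOMAIN_THRESHOLD_DAYS = 180  # assumption standing in for "5 or 6 months"

# Constructed WHOIS table: registrable domain -> creation date.
WHOIS_CREATED: Dict[str, date] = {
    "example.com": date(1995, 8, 14),
    "fresh-cdn.test": date(2020, 3, 2),
}


def registrable_domain(fqdn: str) -> str:
    """Reduce 'cdn.assets.fresh-cdn.test.' to 'fresh-cdn.test'.

    Assumption: two-label suffixes only. A real deployment needs the Public
    Suffix List so that 'foo.co.uk' is not reduced to 'co.uk'.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_age_days(fqdn: str, observed: date,
                    whois: Dict[str, date] = WHOIS_CREATED) -> Optional[int]:
    """Days between registration and the observed query; None if WHOIS has no record."""
    created = whois.get(registrable_domain(fqdn))
    if created is None:
        return None
    return (observed - created).days


def is_newly_registered(fqdn: str, observed: date,
                        threshold_days: int = NEW_DOMAIN_THRESHOLD_DAYS,
                        whois: Dict[str, date] = WHOIS_CREATED) -> Optional[bool]:
    """True if registered within the threshold, False if older, None if unknown.

    A negative age (creation date after the observation) is also flagged: the
    record itself is then suspect and deserves a look.
    """
    age = domain_age_days(fqdn, observed, whois)
    if age is None:
        return None
    return age <= threshold_days


def enrich(dns_events: List[dict], observed: date,
           whois: Dict[str, date] = WHOIS_CREATED) -> List[dict]:
    """Add domain_age_days and newly_registered fields to Sysmon ID 22 style events."""
    enriched = []
    for event in dns_events:
        name = event["QueryName"]
        enriched.append({
            **event,
            "domain_age_days": domain_age_days(name, observed, whois),
            "newly_registered": is_newly_registered(name, observed, whois=whois),
        })
    return enriched


if __name__ == "__main__":
    # Constructed DNS query events as a HELK pipeline might receive them.
    sample = [
        {"EventID": 22, "Computer": "ws01", "QueryName": "cdn.assets.fresh-cdn.test."},
        {"EventID": 22, "Computer": "ws01", "QueryName": "www.example.com"},
        {"EventID": 22, "Computer": "ws02", "QueryName": "nobody-knows.invalid"},
    ]
    for row in enrich(sample, date(2020, 4, 1)):
        print(row["QueryName"], row["domain_age_days"], row["newly_registered"])
```

A newly registered domain is a hunting lead, not a verdict on its own: legitimate businesses register new domains every day, so the flag earns its value when it is combined with the other signals in the pipeline (the process that made the query, the volume of traffic, whether the domain also appears in a threat-intel feed).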
Other Resources
Sigma
There is a tool called Sigma for sharing your findings with others. Just as you write YARA rules for files, you can learn to write Sigma rules for your log-based detections. John Hubbard also talked about "Improving Detection with Sigma", and you can download his slides here.
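To make the Sigma idea concrete, here is an added example that is not the Sigma project's code: a rule written as the Python dict a YAML loader would produce, a few constructed Sysmon process-creation events, and a small evaluator covering only the subset of Sigma used here (field modifiers `contains`, `startswith` and `endswith`, list values as OR, and a `selection and not filter` condition). The rule keys on the command line rather than on a file name or hash, which is the Pyramid of Pain point from earlier in the post.

```python
"""Evaluate a Sigma-style rule against Sysmon process-creation events.

Added example, not the Sigma project's own code: the rule is the dict form
of a YAML rule, the events are constructed, and only the subset of Sigma
named in the lead-in is implemented.
"""
from typing import Any, Dict, List

RULE: Dict[str, Any] = {
    "title": "Credential dumping command line (constructed example rule)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "EventID": 1,
            "CommandLine|contains": ["sekurlsa::", "lsadump::"],
        },
        # Constructed allow-list: an approved audit tool that issues the same commands.
        "filter": {"ParentImage|endswith": "\\approved_audit.exe"},
        "condition": "selection and not filter",
    },
    "level": "high",
}

# Constructed Sysmon Event ID 1 records.
EVENTS: List[dict] = [
    {"EventID": 1, "Image": "C:\\tools\\mk.exe",
     "CommandLine": "mk.exe privilege::debug SEKURLSA::logonpasswords",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "Image": "C:\\tools\\mk.exe",
     "CommandLine": "mk.exe lsadump::sam",
     "ParentImage": "C:\\audit\\approved_audit.exe"},
]


def value_matches(actual: Any, expected: Any, modifier: str) -> bool:
    """Sigma string matching is case-insensitive; non-strings compare by equality."""
    if not isinstance(expected, str):
        return actual == expected
    a, e = str(actual).lower(), expected.lower()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    return a == e


def selection_matches(selection: Dict[str, Any], event: dict) -> bool:
    """All fields in a selection must match (AND); a list of values is an OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(value_matches(event[field], v, modifier) for v in values):
            return False
    return True


def evaluate(rule: Dict[str, Any], event: dict) -> bool:
    """True when the required selection matches and the excluded one (if any) does not."""
    detection = rule["detection"]
    required, _, excluded = detection["condition"].partition(" and not ")
    if not selection_matches(detection[required.strip()], event):
        return False
    if excluded and selection_matches(detection[excluded.strip()], event):
        return False
    return True


if __name__ == "__main__":
    for event in EVENTS:
        print(RULE["title"], "->", evaluate(RULE, event), "|", event["CommandLine"])
```

The first event fires, the second does not match the selection, and the third matches the selection but is suppressed by the filter; in practice the same YAML rule would be converted with the Sigma tooling into the query language of whatever backend (HELK's Elasticsearch, Azure Sentinel's KQL) receives the events.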
Azure Sentinel
My favorite platform is Azure Sentinel, because you can write your playbooks, you can create your rule sets very easily, and you can integrate it with a lot of sources like Sysmon, syslog and so on. My favorite feature is that Azure Sentinel provides a graph feature.
By the way, I am not a guy from Microsoft and I am not promoting their products :)
Conclusion
Threat hunting will never get old as long as adversaries exist, and there are plenty of resources out there. Writing detection rules is easy, unless you have no attacker mindset.