Threat hunting (VII): hunting without leaving home. Process creation

See previous entries: I: intro 1, II: intro 2, III: Kibana, IV: Grafiki, V: Jupyter Notebooks, VI: Creating our victim

Good hunters, how’s the hunt going?

I hope you have had time to play with your lab and feel more and more comfortable consulting and analyzing the data.

As I said in the previous article, now it’s time to get down into the mud and start understanding what is happening in our laboratory. In this case we are going to talk about the creation of processes, what happens when a process is created, what ways there are to create them and the traces that creation leaves behind.

Understanding the environment

Windows is organized in layers as far as interaction with the system is concerned.

The upper layers are the ones the user, and the programs the user launches, interact with; the lower layers are the ones the operating system itself uses in order to function.

For security reasons, the upper layers are well documented and Windows offers facilities to interact with them. With the lower layers things change: they are not documented, and because of the complexity of their operation, and again for security reasons, interacting with them is very difficult or simply not possible.


Threat hunting (VI): hunting without leaving home. Creating our victim

See previous posts: I: intro 1, II: intro 2, III: Kibana, IV: Grafiki, V: Jupyter Notebooks.

Welcome to this new post on our home laboratory, which is gradually growing more and more.

In this article we will create a testing machine to play without fear, and we will deal with the necessary configurations to log everything that happens in it.

In the second post we talked about the existing event repositories, more specifically about the Mordor project and the EVTX-ATTACK-SAMPLES repository.

These repositories are very useful for understanding and learning about how many threats behave, and they make the work much easier, but when the work is already done you don’t learn as much. With your own machine we can try out new techniques and see how they are detected in the laboratory.

It is important to bear in mind that it will not be a virtual machine in which malware will be executed, as the level of isolation will not be sufficient to guarantee the security of the host computer.


Threat hunting (V): hunting without leaving home. Jupyter Notebooks

See previous posts: I: intro 1, II: intro 2, III: Kibana, IV: Grafiki.

Do you remember the first post when we talked about what is and what is not Threat Hunting? Well, an essential part of it is the generation of intelligence.

It’s good that we are the best at detecting abnormal behavior, but if all that acquired intelligence is not transformed into structured and repeatable information we lose one of the most valuable parts of the process.

Structured, so that anyone other than the author can use it and understand it. Repeatable in the best way possible, so that the detection teams can generate alerts from it, or so that any other analyst can run the queries as comfortably as possible.

In our laboratory we are going to use another part of HELK, the all powerful Jupyter Notebook.


Threat hunting (IV): hunting without leaving home. Grafiki

See the first, second and third parts.

Graph Theory: Relational Analysis of Social Networks

Today’s post covers something very special to me.

In the previous entry we saw the exploitation of information with Kibana and its usefulness in seeing potential anomalies at a glance. After a lot of work with Kibana, spending many hours creating visualizations and dashboards, there was one visualization that I missed: the graphs!

In that sense, I read some time ago the sentence “Defenders think in lists. Attackers think in graphs”.

Although it can raise a lot of controversy, if that were true it would leave us, defenders, at a clear disadvantage. In a world where threats are increasingly complex, being able to “connect the dots” makes the difference between finding our threat or not.

From this idea and an increase in my free time due to lockdown, Grafiki emerged. Let’s take a look at it.


Threat hunting (III): hunting without leaving home. Kibana

See the first and second parts.

Hey, hunters! How’s the hunting season going?

After what we saw in previous posts, in this article we will continue to understand and improve our Threat Hunting lab.


We have already learned how to enter our data about real attacks and now we will learn how to exploit that data. Being able to visualize the data in a comfortable way is, along with selecting good data sources, the most important part of a laboratory. All the time we invest in an intuitive and pleasant visualization will be time saved during the analysis.

Now we are going back to the laboratory, this time we are going to learn how to handle some of the HELK functionalities that we have not seen yet.


Threat hunting (II): hunting without leaving home

The data

In the last post we set up a platform to store the data. Now we need to feed it with some data. One way would be to install Windows virtual machines, Winlogbeat and Sysmon, but we will do that later. Now I want to talk about Mordor.

This project, also maintained by Roberto Rodríguez and José Luis Rodríguez, is a repository of pre-recorded events while offensive techniques were executed on laboratory machines.

As expected, this project integrates perfectly with HELK and provides us with very interesting data to start hunting our threats. So, let’s go.


Threat hunting (I): hunting without leaving home

Many times, talking to friends who work in other professions, I tell them how lucky we are, those of us who work in the IT industry. We, unlike 99% of the occupations, can create realistic environments for testing, learning, practicing… and when we are done with those environments we can destroy them and the expense of material will have been zero. How lucky we are!

Those of us who are passionate about computer security are even luckier: since its inception, the cybersecurity community has been characterized by its defense of information freedom, free software and collective learning, which has made this the best time in history to learn about cybersecurity.

In this case, I want to write a guide on how to build a Threat Hunting lab from home and at zero cost (not counting the investment in our computer).

Before we get started, let’s make a brief introduction about Threat Hunting, as it is important to settle the foundations of our laboratory.
