Threat hunting (VII): hunting without leaving home. Process creation

See previous entries: I: intro 1, II: intro 2, III: Kibana, IV: Grafiki, V: Jupyter Notebooks, VI: Creating our víctim

Good hunters, how’s the hunt going?

I hope you have had time to play with your lab and feel more and more comfortable consulting and analyzing the data.

As I said in the previous article, now it’s time to get down into the mud and start understanding what is happening in our laboratory. In this case we are going to talk about the creation of processes, what happens when a process is created, what ways there are to create them and the traces that creation leaves behind.

Understanding the environment

Windows is organized in layers as far as interaction with the system is concerned.

The upper layers are those with which the user or the programs that he launches interacts, the lower layers those used by the operating system itself to function.

For security reasons, the upper layers are well documented and Windows offers facilities to interact with them, but with the lower layers things change, they are not documented and due to the complexity of their operation, it is very difficult or directly not possible for security reasons.

[Read more…]

Threat hunting (VI): hunting without leaving home. Creating our victim

See previous posts: I: intro 1, II: intro 2, III: Kibana, IV: Grafiki, V: Jupyter Notebooks.

Welcome to this new post on our home laboratory, which is gradually growing more and more.

In this article we will create a testing machine to play without fear, and we will deal with the necessary configurations to log everything that happens in it.

In the second post we talked about the existing event repositories, more specifically about the Mordor project and the EVTX-ATTACK-SAMPLES repository.

These repositories are very useful for understanding and learning about how many threats behave, and they make the work much easier, but when the work is already done you don’t learn as much. With your own machine we can try out new techniques and see how they are detected in the laboratory.

It is important to bear in mind that it will not be a virtual machine in which malware will be executed, as the level of isolation will not be sufficient to guarantee the security of the host computer.

[Read more…]

Threat hunting (IV): hunting without leaving home. Jupyter Notebooks

See previous posts: I: intro 1, II: intro 2, III: Kibana, IV: Grafiki.

Do you remember the first post when we talked about what is and what is not Threat Hunting? Well, an essential part of it is the generation of intelligence.

It’s good that we are the best at detecting abnormal behavior, but if all that acquired intelligence is not transformed into structured and repeatable information we lose one of the most valuable parts of the process.

Structured, so that anyone other than the author can use it and understand it. Repeatable in the better way possible, so that the detection teams can generate alerts with it or so that any other analyst can perform the queries in the most comfortable way possible.

In our laboratory we are going to use another part of HELK, the all powerful Jupyter Notebook.

[Read more…]