Threat hunting (VI): hunting without leaving home. Creating our victim

See previous posts: I: intro 1, II: intro 2, III: Kibana, IV: Grafiki, V: Jupyter Notebooks.

Welcome to this new post on our home laboratory, which is gradually growing more and more.

In this article we will create a testing machine to play without fear, and we will deal with the necessary configurations to log everything that happens in it.

In the second post we talked about the existing event repositories, more specifically about the Mordor project and the EVTX-ATTACK-SAMPLES repository.

These repositories are very useful for understanding and learning about how many threats behave, and they make the work much easier, but when the work is already done you don’t learn as much. With your own machine we can try out new techniques and see how they are detected in the laboratory.

It is important to bear in mind that it will not be a virtual machine in which malware will be executed, as the level of isolation will not be sufficient to guarantee the security of the host computer.

[Read more…]

Threat hunting (VI): cazando sin salir de casa. Creando nuestra víctima

Ver entradas anteriores: I: intro 1, II: intro 2, III: Kibana, IV: Grafiki, V: Jupyter Notebooks.

Bienvenidos a esta nueva entrada sobre nuestro laboratorio doméstico, que poco a poco va creciendo más y más.

En este artículo se hablará sobre la creación de una máquina de pruebas a la que poder hacer todo tipo de perrerías sin miedo, y se abordarán las configuraciones necesarias para registrar todo lo que pasa en ella.

En la segunda entrada se habló de los repositorios de eventos que existen, más concretamente del proyecto Mordor y del repositorio EVTX-ATTACK-SAMPLES.

Estos repositorios son muy útiles para poder entender y aprender sobre cómo se comportan muchas amenazas, y facilitan mucho el trabajo, pero cuando el trabajo te lo dan hecho no se aprende igual. Con una máquina propia se pueden probar técnicas que vayan surgiendo y comprobar cómo son detectadas en el laboratorio.

Hay que tener en cuenta que no va a ser una máquina virtual en la que se debería ejecutar malware, dado que el nivel de aislamiento no va a ser el suficiente para garantizar la seguridad del equipo anfitrión.

[Read more…]

Threat hunting (IV): hunting without leaving home. Jupyter Notebooks

See previous posts: I: intro 1, II: intro 2, III: Kibana, IV: Grafiki.

Do you remember the first post when we talked about what is and what is not Threat Hunting? Well, an essential part of it is the generation of intelligence.

It’s good that we are the best at detecting abnormal behavior, but if all that acquired intelligence is not transformed into structured and repeatable information we lose one of the most valuable parts of the process.

Structured, so that anyone other than the author can use it and understand it. Repeatable in the better way possible, so that the detection teams can generate alerts with it or so that any other analyst can perform the queries in the most comfortable way possible.

In our laboratory we are going to use another part of HELK, the all powerful Jupyter Notebook.

[Read more…]