This blog post series is a culmination of my learning experience in becoming a threat hunter. Over time this learning experience helped me develop a teaching philosophy to help novices go from zero to hero threat hunter, which is what I will be using to teach the threat hunting fundamentals.

This series will have a strong focus on understanding the attacker mindset, how to interpret actions performed by an adversary from a defender's perspective, and how to transition findings from your hunts into future detections or environmental improvements. The content used here is a written adaptation of my DefCon 2020 Blue Team Village workshop. It will utilize the same ideas and techniques used for that workshop, reiterating specifics and points for the greater InfoSec community to use.

First, we will start by understanding the attacker mindset with the Mandiant Attack Lifecycle. To reinforce this methodology there is a red team exercise utilizing PowerShell Empire to perform an APT-style attack. The outcome of this red team exercise is the creation of a story or, in this case, the creation of a fictitious advanced persistent threat (APT) known as Goofball. Second, we will utilize the actions performed by Goofball to perform an informal threat hunting exercise that will hunt the artifacts generated by our fictitious adversary using Sysmon and the Elastic stack. Third, we will use our informal threat hunting exercise as a foundational jumping-off point to formally hunt our fictitious adversary using the Endgame threat hunting process. In addition to the Endgame threat hunting process, we will learn how to use the MITRE ATT&CK matrix to generate threat hunting hypotheses and use FleetDM + Osquery to confirm or deny our hypotheses. Lastly, we will end this blog post series with a retrospective and how to convert threat hunting findings into detections or environmental improvements.

Before we jump into these topics, we need an environment to perform our red team exercise and to collect logs from for our threat hunting exercises. This blog post contains Ansible playbooks and manual instructions to set up the Windows environment used for this series.