Zeek + Suricata.
Splunk.
Sysmon.
Microsoft Advanced Threat Analytics.
TCPdump + ngrep.
Wireshark + tshark.
Wait, I'm not done.
capinfos.
RITA.
Bloodhound.
Bad Blood.
Detection Lab.
Metasploit + msfvenom + Meterpreter + Process Injection.
Mimikatz.
OS Query.
Velociraptor + Memory Forensics.
Taking a breath... one sec... okay...
Fleet.
MITRE ATT&CK.
MITRE Caldera.
Prelude Operator.
Atomic Red Team.
Purple Sharp.
Boss of the SOC???
Yup.
This is one course. One source. One resource that has the potential to change your professional life.
Check out the free content and level up your cyber skills by learning how to become a threat hunter...
Everything is step by step.
You will learn how to detect advanced threat actors on enterprise networks...
How will you learn this?
By building a modern lab replete with a Domain Controller, Windows 10 endpoint instrumented with Powershell logging, Sysmon, OS Query, Velociraptor and more.
You will attack and detect threats like a pro.
This was the dream course I wish I had when I was getting into cyber.
Everything is carefully, patiently and thoughtfully explained.
It took me two months to build this course and I've poured my heart and soul into every lecture.
If you're trying to get into cybersecurity from another career or you're curious how the bad guys breach and persist in networks then this course is for you. I've not held anything back. Everything you need to become a competent threat hunter is included in over 8 hours of content.
Are you ready?
I am. Sign up now and let's get started.
Update 10/22/2022: Added new lecture explaining how to install Zeek on the latest Kali
Yes! The first step to building our cyber threat hunting lab is to download our Type 2 hypervisor. There are several out there; Hyper-V, VirtualBox and VMWare Workstation are the big ones, but one reigns supreme! In this lecture I'll show you how to quickly grab your VMWare Workstation Pro trial so we can prep for installation.
Now it's time to install our Type 2 hypervisor. In this lecture we'll install VMWare Workstation Pro and I'll explain a few key settings along the way. We'll be done in a flash. Let's go!
Our chief operating VM will be Kali Linux! In this lightning lecture we'll grab the VMWare version (not the ISO) and prepare for extraction.
Yes! It's time to extract and import baby! We'll talk about some of the files in the VM, a few key settings to establish and then we'll unzip this thing and add to VMWare Workstation Pro!
Now we must pimp our VM. MUST means it ain't optional! Let's go!
The TMUX way will become your favorite way to navigate the Linux terminal. In this lecture, you'll learn how to configure this awesome emulator.
Sweet, now we're going to modify the power settings, tweak the desktop a little and then the best part: I'll teach you how to use TMUX to split panes, resize panes, rename panes, copy and paste from panes, log all your commands and more! It's going to be a lot of fun so let's go!
Malware of the Day is one of the best places online to get malicious PCAPs for learning and research. Be careful, they contain real malware and attacks but it is the perfect situation for our setup and study goals.
Malware Traffic Analysis has been around forever... and you'll see why in this short lecture! We'll take a quick flyover of the site and show you how to grab the malicious PCAPs and writeups posted there.
Wireshark ships with Kali and it's beautiful! Entire courses have been written on just this one tool (I know because I've written one... search on the site for the title). Wireshark is awesome - the GUI interface lowers the learning curve and you can quickly click a few buttons and get insights into PCAP traffic. Let me show you how! Let's go!
tshark is Wireshark's little command-line cousin. Jump into this micro lecture and get an overview of this tiny yet powerful tool.
Before there was Wireshark... there was TCPDUMP! Almost as old as the internet itself, tcpdump is a powerful weapon in a cyber threat hunter's arsenal. Allow me to introduce the tool and show some basic features!
Most people have never heard of ngrep; even many seasoned cyber threat hunters haven't heard of it. GREP yes. ngrep? Not so much. In this lecture we'll take a glance at its functionality so we can use it to study PCAPs in later lectures! Let's go!
capinfos? What's that? It's a little tool for displaying PCAP Information! Yup! You'll like it because it gives you a 30,000 foot snapshot of a PCAP before you ever open it. It's fast. It's simple. It's capinfos! And it's waiting for..... you! Let's go!
Ahhhh RITA! Hands down my favorite free beacon detection tool on the internet right now. RITA is an advanced command and control channel detection tool that sifts through Zeek data mining out evil and surfacing it to you: the capable cyber threat hunter. Setup isn't supported on Kali Linux but in this lecture I'll show you how to bend the rules starting with our Mongo database. This will be the backend storage system for detected threats.
And now the hard part: building RITA from source code? Yup! Don't worry, I'm going to carefully and patiently walk you through the entire process from A to Z. By the end of this lecture you will have RITA successfully running on Kali Linux.
Installing Zeek on Kali Linux? Yup. So this is actually not as straightforward as it seems. You can't just download a Zeek binary and call it a day. In this lecture I'm going to carefully walk you through the correct way to get Zeek up and running in Kali. I'm also going to help you steer around common pitfalls people run into during the installation. At the end, we'll verify everything is up and running as expected! Let's go!
You guys asked for it and now you've got it! I've been reading the Q/A and see many of you are having difficulty installing Zeek in Kali. I also Googled around and searched YouTube and see there is very little information on how to do this. Even Zeek's website has an arcane install process. Let me show you the correct way to install Zeek now! You ready? LET'S GO!!
Here are the copy and paste commands for getting this working!
READY TO THREAT HUNT YOUR FIRST INCIDENT!!?? It's about to happen - now. This is one of my favorite lectures in the course because... although I haven't even shared how to threat hunt you will still jump right into the deep end of the pool with me. Then in later lectures, we'll slow down as I carefully, and methodically, walk you through the hunting process and hunter's mindset.
Hooded hackers in Grandma's basement are so... 1990's. Welcome to the modern adversary. In this lecture you'll take a walk with me in the woods of threat intelligence, the new threat landscape and the advanced threat actors we are fighting against! Let's go!!
Learn why the current way organizations think about modern threats is... broken. :(
Learn exactly what cyber threat hunting is. You'll learn about the detection gap and how cyber threat hunters close that gap and minimize adversarial dwell time. You'll also learn how to think critically about risk and make evidence-backed security assessments. You'll also get the scoop on modern malware techniques and tactics. Let's go!
What is a beacon? By the end of this lecture you'll know! It will finally make sense... join me as we take a walk through the woods learning beaconing basics and how advanced adversaries compromise computers.
DNS is used to resolve domain names into IP addresses. But what is a DNS beacon? How can you abuse this seemingly simple and benign process for evil? Join me as I share how the bad guys are doing it!
Akamai, AWS, Cloudflare, Microsoft and others have content delivery networks known as CDNs. They help reduce latency by delivering content to the closest requesting computer. But bad guys are using it to obfuscate their C2 origins. How? Jump inside to learn. Now! lol let's go! :)
One way to detect beaconing is through timing. In this quick lecture I'll talk about a modern machine learning algorithm used to detect beacons and then I'll share the liabilities with this approach. Yup, machine learning isn't a panacea! You'll also learn how to carefully think about beacon detections so you can become a cyber superstar! haha
Session size analysis is amazing. In this lecture, I'm going to show you how to go from bytes to beacon in such a way that you can not only identify what commands were transferred but also identify the attacker's kill chain stage even if all the traffic is encrypted. YUP. You will learn this seemingly magical thinking process in five minutes.
There are two types of connection persistency: long connections and cumulative. In this lecture you'll learn what connection persistency is, then we'll get hands on with Zeek, RITA, grep and some Linux BASH fu to find evil in a mystery pcap!
In this lecture we're going to investigate a real incident containing a pcap where a threat actor used a non-malicious app, TeamViewer, for evil. You'll learn what Team Viewer is and then we'll twist, cut, slice and dice the pcap using zeek. There's a lot of zeek action going on in the lecture so get ready! Let's go!
Let's see how deep this rabbit hole really goes. We'll get even deeper with Zeek, capinfos and other Linux tools to understand the traffic in our mystery pcap.
We're going to understand the business need by digging into the Zeek dns log. We're going to recursively filter the log, removing benign domains as we zero in on evil. We'll also look at the http and files Zeek logs and use AWK to pivot and understand the traffic flow!
Now it's time to bring in RITA to see what we can find. You'll see RITA's beacon analysis, user-agent analysis and more. You'll also learn how to use open source tools to understand if there is business justification for a particular network flow.
Do you know the difference between unknown applications on standard ports vs. known apps on non-standard ports? You will after this lecture! We'll also get into JA3/S hashes and I'll share why they can help us understand unknown apps. Let's do this baby!
Quick quiz: can you imagine an example of unexpected protocol behavior? If you couldn't answer in five seconds you need to watch this two minute video! Let's go!
Let's do some research on that sketchy destination IP! Here's how to think through the vetting process...
This is one of the most important lectures in this section of the course. You'll learn about the fuzzy line between threat hunting and forensic incident response and why you should never cross it without careful calculation!
Now it's time to install, incontestably, the most powerful open-source IDS in the world: Suricata. I'll take you through the process step by step, we'll modify the config file and I'll explain the ET-OPEN and ET-PRO rulesets. I'll even hint how you can LEGALLY grab the paid ET-PRO ruleset for free.
Now we're going to square off Suricata against RITA to show you why layered defenses are critical. Will Suricata detect the threat? Or will it miss it?
Okay, let's try this with a more advanced C2 framework: Powershell Empire by BC-Security. Will Suricata catch it?
It all starts with VMWare Workstation Pro running on a Windows Host.
In this lecture you will learn what you will build. Your lab will have Microsoft ATA, Splunk, Windows Event Forwarding, Powershell Transcription logging, OS Query, Fleet, Sysmon, Zeek, Suricata, Guacamole, a Windows 10 endpoint, a Windows Server Domain Controller and more!
Now we need to grab and install Vagrant. Let's go!
Next, we need to install the VMWare Desktop Vagrant plugin. We do this through command line... but don't worry - it's super easy. I've got you covered in 90 seconds!
And now we need the Vagrant VMWare Utility. Let's knock that out really quick.
Alright, now it's time to download the Detection Lab and extract the setup file!
Okay so before we jump in we need to make sure everything is going to work. So we can run the prepare Powershell script to make sure we have the green light to go. We're also going to cover a crucial subject: the Vagrant file and network subnets. We're going to intercept a common pitfall people experience during setup. Pay attention here and it will save you many hours of grief later!
This IS the most important lecture for making the Detection Lab work. If your networking isn't set up correctly everything will fail. In this quick video I'll show you the EXACT network settings you need to have success with your cyber range! Let's do this baby!
Okay, now we're going to set up the first VM in the Detection Lab: Logger. This VM includes Velociraptor, Splunk, Zeek, Suricata and more, so we need to make sure this one works. I'll share some of the problems I encountered along the way and provide tips to help you avoid them! Let's do this baby!!
What's an Active Directory lab without a domain controller? NOTHING! haha, in this lecture we'll set up our DC and I'll share commentary during the installation process to help you avoid any setup errors you might encounter.
What the heck is a WEF? hahaha it's the Windows Event Forwarder - it collects the logs from the DC and Windows 10 endpoint and ships it to Splunk for indexing. It also hosts our Microsoft ATA instance so we need to make sure we get this one right too. Don't worry - I got your back! I'll share tips and tricks as we set this one up. Follow my lead and you'll be good to go.
Now we create our employee endpoint. This is patient zero! The system we'll pop, infect and own in our lab. Let's set 'er up!
This is a really fun lecture. I'm going to show you how to use Splunk to threat hunt for evil in our Zeek logs. You're going to learn some awesome Splunk queries that are going to make you look really smart :)
Hunting evil on the host using Sysmon is soo much fun. I'm going to show you my favorite Splunk queries for threat hunting evil on the host using Sysmon! We're going to use stats... sort... and all that good stuff.
Now it's time to dive head first into Fleet DM and use some canned OS Queries to threat hunt across our environment! It's super fun - let's do this!
Roar!!! One of my favorite incident response tools is here! VELOCIRAPTOR! Yes yes yes! We'll use it to access the file system of our target, pull down files, run hunting artifacts and basically gain unprecedented visibility into our endpoint! LETS GO!!
Yup, we're going to run Mimikatz malware on our Windows 10 host... and guess what? It's not going to show up in our SOC Dashboard!!! But don't worry! I'm going to show you how to use Splunk, Process Hacker and OS Query to find it - anyway! Yup, malware can't hide from us! LET'S GO!!!
What the heck??? Yup, in this lesson you will use the Metasploit Framework to create a malicious binary, drop it on the target, gain a reverse shell via Meterpreter, inject into a process and then detect the attack using Splunk and Velociraptor. I honestly don't know how I could have made this lecture any more awesome! hahaha - let's go!
Entire multi-hour courses have been created for just this one tool: Atomic Red Team. In this lecture I'll condense all the goodness into a tidy lecture you can take with you and start running attacks in Atomic Red Team. I'll show you how to map Atomic Red Team to MITRE ATT&CK using layers, you'll learn how to actually use the Atomic Red Team in our detection lab and we'll run a few attacks so you can see the real value of this amazing tool.
In this quick lesson, I'll show you how to use Purple Sharp with playbooks and we'll run some attacks in our Detection Lab.
Sysmon Simulator isn't included in the Detection Lab so in this lesson I'll show you how to install and run it. Then we'll check Splunk to observe the attack telemetry we generated!
MITRE Caldera is a mature, open-source, breach and attack simulation platform. It's sooo awesome but kind of difficult to set up. So in this lecture I'll show you how to set up the tool and then how to use it. You'll also get a behind the scenes peek into my thought process as I think through some hurdles I encounter along the way.
Now it's time to talk about a promising premium breach and attack simulation platform: Prelude Operator. It was built by the same team who created Caldera so you know it's awesome! We'll also explore some other paid attack simulation platforms for your general awareness.
Now we're going to use Bad Blood to inject realism into our Active Directory lab. Then we'll use Bloodhound, Sharphound and Microsoft ATA to attack and detect recon activity in our environment!!
Yes! Boss of the SOC! In this lecture you'll learn about the famous BOTS CTF and learn how you can level up your threat hunting on this FREE cloud training platform being provided by Splunk right now!
Now it's time to explore C2 frameworks you've NEVER heard of before. This project is awesome! Not only does it show you new C2 frameworks but it also tells you the license, price and website to learn more. You'll also see all the C2 channels used by the C2 products (along with their capabilities). There are also columns for detections (yes, JA3 for some!) and how well maintained the product is! I can't wait to show this one off to you guys - let's go!!!