Tools & Tech-Stack

Let's discuss what my setup is made of, before we really start Hunting and building our analytics Repository.

We'll starting with a very basic Setup.We'll have 3 virtual machines respectively to start with:

• Central Logging and Attacking Virtual Machine - Centos

• The Victim_win - Windows Virtual Machine - Windows 10

• The Victim_lin - Linux Virtual Machine - Ubuntu 20.4 LTS

Choice of EDR for Visibility

My alignment of Hunting is more towards process monitoring, Hence EDR was esssential for me.

In my career as a Security Professional, I've worked on multiple enterprise-grade SOC tools and Most of Them have been EDRs. I've tested,worked and performed POC on almost all of the popular Tools(Crowdstrike Falcon/Carbon-Black/WDATP/Elastic-EDR/Cortex-XDR/Mcafee Envision) so I've a pretty solid administrative and Quering skills on an EDR solution. I was looking for a open source tool that would let me have Siminar Experience, but when i broke down my requirements i realized, i'm only looking for Visibility and Tememetry to determine the presence of an undetected threat, do analysis and write better detection, So I discarded all the other fancy cool things such as Containment/prevention/process-blocking/host-inventory/Intelligence Integration and a lot of other things to look for a Solution that would help me have visibility over my Victim machine.

Visibility & Telemetry : Elastic EndPoint Detection & Response

I plan to run either Windows VM or Linux VM only at one point of time along with monitoring stack running 24X7 for logging. since I'll be focusing on only one OS type at one point of time, also this would mean lateral movement attacks are severly limited. I"ll seek to expand my Setup in future, but at this point i wanted to get started and not wait until eternity to get my dream setup(I know, I will never we satiated with what I have!!).

Central Logging Configuration,choices and Consequences :

Hardware : 8 GB RAM / 4 Core Virtual Machine running locally. This Machine is being used to run all my logging & monitoring tools in containerized form using docker. Software : I tried a lot of different tools/ Pre-built solutions (security onion/SIEM Monster etc etc) and while they were solving most of the problems, i just could'nt adapt to it and make it my own cause i was troubled by the configuration files,setups and these introduced jitters to my flow.I wanted to work on tools that did the job and if there was something i missing i could add on or build. you understand you infrastructure/tooling/capabilities better when you build it yourself. so I just installed Docker and started writing yamls to build my own containerized environment, i would not lie, i referred a lot of stackoverflow, tool documentation, Issues, resolutions,forums, discussion boards and would sincerly thank the community & folks to guide.

I'm building the Endpoint Side of the story first, I'll evaluate the Logs to determine the level of Visibility and then Move on to stich the Network side of the Story in future.

• EDR Fleet server is running on this machine along side the below mentioned tools.

• This machine has two NICs, Once is connected to Network-1 which is an internet enabled Network to which all of my VMs can connect to access internet,but my Host machine cannot connect to it.(Hence my host machine is not discoverable by any victim machine for lateral movement).

• There is another NIC that connects to Network-2, which is another network enabled Network to which my host can connect for SSH/SFTP to this machine.

• Since this machine is Linux based, attacks on windows machine cannot successfully laterally move from

  • Windows(victim Machine,network 1) -> linux(logging machine,network1,2) -> windows(My host machine,network-2)

  • Linux(victim Machine, network 1) -> Linux(logging machine,network1,2) -> windows(My Host Machine,network-2)

It would be best if you could seperate your Personal Workstation and Lab Environment, but not everybody has that kind of a privilege. wish I could do privilege escalation in real life.

To Summarize the current Tooling:

• Data Aggregation/visualization/Querying Tool : ElasticSearch + Kibana

  • Query language : EQL/KQL

• EDR : ElasticEDR

• Intelligence : MISP + OpenCTI

  • (Integrated with ELK to Send IOC attributes from MISP to Elastic Index via Filebeat)

The Victim_win Configuration :

8GB RAM /2C/2T Virtual Machine Running Windows (https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/) and Fire-Eye Threat Pursuit Tools on top of it (https://www.fireeye.com/blog/threat-research/2020/10/threatpursuit-vm-threat-intelligence-and-hunting-virtual-machine.html).

• An EDR Agent running on it to capture host level logs & forward them to my logging machine.

• This machine has only one NIC (let's call it NIC-1) that is connected to a seperate internet enabled network(Network-1).This network is unreachable from my Host-machine, & hence my Host machine is Not-discoverable from this network.

• No VMware Tools is running on this, Most of the generic softwares are installed to mimic a regular user's computer

• A clean State-Snapshot has been taken to always revert to after a successful attack completion.

(You can use Ninite to install to install regular softwares in one shot : https://ninite.com/)

The Victim_lin Configuration :

8GB RAM /2C/2T Core Virtual Machine Running Ubuntu 20.04 LTS (https://ubuntu.com/download/desktop).

• This machine also has only one NIC and is connected to Network-1.

I run everything as Docker Containers:

Containers Currently I have deployed in the Environment

Capabilities I intend to implement soon are:

• Add Jupyter for Data Analytics & Programmatic Control over Data

• Add OSQUERY for Live Forensics Capability

Untill then, let's stick with what's around and not delay the party, cause as always, I'll not be satiated with that I have.

Reference -My naive & dirty ways of quickly setting up the essentials of this lab can be found at: https://github.com/sakshamtushar/THOR-Threat-Hunting-Open-Research