My key takeaways
- the juicy stuff is the traffic leaving the network: is there a business need for it?
- Bro / Zeek: Bro is the old name, Zeek the new one; almost the same tool
- Beacons are best identified over a long period of time, e.g. 24h
- Almost all C2 beacons are encrypted; use the metadata (timing, sizes, connection counts) to detect them
- Today, heartbeats without jitter in their timing: 50% chance of a false positive
- ==RITA does not install on Ubuntu 20.04==
Env
- Provided by Active Countermeasures
- Presenter: Chris Brenton
- Moderator: Bill Stearns
Additional links
- https://www.activecountermeasures.com/cyber-threat-hunting-training-course/
- https://jensoroger.wordpress.com/2021/02/22/attending-cyber-threat-hunting-level-1-w-chris-brenton-4-hours-and-want-to-run-the-vm-in-qemu-kvm-this-is-how-i-got-it-to-work-activecmeasures-activecountermeasures-aihunter-threathunting-bea/
- https://cheatography.com/mbwalker/cheat-sheets/tshark-wireshark-command-line/
- https://github.com/markusthilo/PyZeekCut
- A fake SSH server that lets everyone in and logs their activity
- https://www.bc-security.org/post/ja3-s-signatures-and-how-to-avoid-them/
- http://www.gnu.org/software/datamash/
- https://explainshell.com/explain?cmd=cat+conn.log+%7C+bro-cut+id.orig_h+id.resp_h+duration+%7C+sort+%7C+grep+-v+%27-%27+%7C+datamash+-g+1%2C2+sum+3+%7C+sort+-k+3+-rn+%7C+head+-10
- exercise with pcaps
- Whitelisting in Rita
- Recording from v1 of this training:
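The following is an added example, not part of these notes or of the training material, that ties two points above together: the `bro-cut | datamash` pipeline from the explainshell link (sum of connection duration per source/destination pair, top 10) and the takeaway that beacons are spotted from timing metadata rather than payload. It parses Zeek/Bro conn.log text (the `#fields` header names the columns, `-` means unset), reproduces the per-pair duration sum, and then scores how regular the gaps between a pair's connections are. The log lines, IP addresses and thresholds (`min_connections`, `max_cv`) are constructed for illustration; on a real 24h conn.log you would raise the connection minimum and review the top hits by hand.

```python
"""Beacon hunting over Zeek (Bro) conn.log timing metadata.

Added example: aggregates per (orig, resp) pair like the bro-cut/datamash
pipeline and then scores the regularity of connection intervals. The sample
log lines below are constructed, not taken from a real capture.
"""
import statistics
from collections import defaultdict

# Subset of the real conn.log columns; the #fields header drives parsing.
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "service", "duration"]


def conn_row(ts, uid, orig, resp, duration):
    """Build one tab-separated conn.log line; '-' marks an unset field."""
    return "\t".join([f"{ts:.6f}", uid, orig, "49152", resp, "443",
                      "tcp", "-", duration])


def sample_conn_log():
    """Constructed conn.log excerpt with one beacon-like pair."""
    lines = ["#separator \\x09", "#path\tconn", "#fields\t" + "\t".join(FIELDS)]
    # Constructed: 10.0.0.5 calls 203.0.113.10 roughly every 60 s (low jitter).
    beacon_ts = [1000.0, 1060.2, 1119.9, 1180.1, 1240.3, 1299.8, 1360.0, 1420.2]
    for i, ts in enumerate(beacon_ts):
        lines.append(conn_row(ts, f"Cb{i}", "10.0.0.5", "203.0.113.10", "0.5"))
    # Constructed: 10.0.0.7 talks to 198.51.100.20 at irregular intervals;
    # one record has no duration recorded ('-').
    browsing = [(1005.0, "2.0"), (1012.0, "3.5"), (1300.0, "-"), (1950.0, "1.5")]
    for i, (ts, dur) in enumerate(browsing):
        lines.append(conn_row(ts, f"Cw{i}", "10.0.0.7", "198.51.100.20", dur))
    # Constructed: a single long session to another host.
    lines.append(conn_row(1100.0, "Cl0", "10.0.0.9", "192.0.2.30", "10.0"))
    lines.append("#close\t2021-02-22-00-00-00")
    return "\n".join(lines) + "\n"


def parse_conn_log(text):
    """Parse Zeek TSV conn.log text into dicts keyed by the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines (#separator, #path, #close) and blanks
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def top_talkers_by_duration(records, n=10):
    """Same result as:
    bro-cut id.orig_h id.resp_h duration | grep -v '-' | datamash -g 1,2 sum 3
    | sort -k 3 -rn | head -n
    i.e. total connection time per (orig, resp) pair, largest first."""
    totals = defaultdict(float)
    for r in records:
        if r["duration"] == "-":  # grep -v '-' drops rows with unset duration
            continue
        totals[(r["id.orig_h"], r["id.resp_h"])] += float(r["duration"])
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def beacon_candidates(records, min_connections=6, max_cv=0.1):
    """Flag pairs whose inter-connection gaps are too regular.

    cv = population stdev / mean of the gaps between consecutive connection
    start times. A tight cv means heartbeat-like timing; the payload is never
    inspected, only the metadata. Thresholds are illustrative assumptions."""
    times = defaultdict(list)
    for r in records:
        times[(r["id.orig_h"], r["id.resp_h"])].append(float(r["ts"]))
    out = []
    for pair, ts in times.items():
        if len(ts) < min_connections:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            out.append({"pair": pair, "connections": len(ts),
                        "mean_interval": round(mean, 2), "cv": round(cv, 4)})
    return sorted(out, key=lambda c: c["cv"])


if __name__ == "__main__":
    recs = parse_conn_log(sample_conn_log())
    print(top_talkers_by_duration(recs, 3))
    print(beacon_candidates(recs))
```

Run it against a real file with `parse_conn_log(open("conn.log").read())`; the coefficient of variation is one simple regularity score, and a longer window (the 24h from the takeaways) gives the beacon more chances to show its rhythm while letting human browsing spread out.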