Feb 19, 2020
Full notes and graphics are on www.brakeingsecurity.com
Episode 2020-006
Book club
“And maybe blurb for the cast could go something like this. Book club is starting up again with Hands-On AWS penetration testing with Kali Linux from Gilbert and Caudill. You read and get together to discuss or demo every Monday. Get the book, start reading and meet us for the kick off Monday the 24 at 10pm eastern. The book club meets virtually on zoom, and organizes on slack..get invited like this.”
Book: https://smile.amazon.com/Hands-Penetration-Testing-Kali-Linux/dp/1789136725
NolaCon Training:
https://nolacon.com/training/2020/security-detect-and-defense-ttx
Roberto Rodriguez
Bio
@Cyb3rWard0g on Twitter
Threat Intel vs. Threat Hunting = what’s the difference?
What datasets are you using?
Did you start with any particular dataset, or created your own?
Technique development - what skills are needed?
C2 setup
Detection mechanisms
Honeypots
How can people get involved?
Blacksmith - create ‘mordor’ environment to push scripts to setup honeypot/nets
https://Threathunterplaybook.com
https://github.com/hunters-forge/ThreatHunter-Playbook
https://www.exploit-db.com/exploits/47995 - Sudo buffer overflow
Mordor: The Mordor project provides pre-recorded security events generated by simulated adversarial techniques in the form of JavaScript Object Notation (JSON) files for easy consumption.
YAML Example: https://github.com/hunters-forge/ThreatHunter-Playbook/blob/master/playbooks/WIN-190810201010.yaml
Notebook Example:
Jupyter notebook - Definition: https://jupyter-notebook-beginner-guide.readthedocs.io/en/latest/what_is_jupyter.html
Lateral Movement - WMI - IMAGE Below
SIGMA?
Think of a notebook as a document that you can access via a web interface that allows you to save input (i.e live code) and output (i.e code execution results / evaluated code output) of interactive sessions as well as important notes needed to explain the methodology and steps taken to perform specific tasks (i.e data analysis).
Have a goal for expanding to other parts of ATT&CK?
Sub-techniques:
https://medium.com/mitre-attack/attack-sub-techniques-preview-b79ff0ba669a
Slack Channel:
https://launchpass.com/threathunting
Twitter;
https://twitter.com/mattifestation
https://twitter.com/Cyb3rPandaH