# THBS - Threat Hunting with BELK stack and Sigma rules

![](https://3622500909-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LpsUccoL9AvW9-dz-sO%2F-LrLCrTN6h0tvknmC_9-%2F-LrLDNJGcPC7NUILfDY8%2Fimage.png?alt=media\&token=1c103f56-eda7-4527-9c18-c4300a47dd3f)

## Abstract

A three-day, fully hands-on workshop on attacking and defending a complete, recreated company IT landscape. Attendees will learn how to use a Threat Hunting platform built on the BELK stack, how to detect typical Red Team and adversary attacks mapped to MITRE ATT\&CK, how to create automatic alerts, and how to react quickly to contain and eradicate threats. The Threat Hunting platform is provided as an open source project.

## Complete Abstract

Being part of a Blue Team means continuously looking for suspicious activity that could lead to a harmful data breach, but reacting fast once an alert is triggered is not always enough to prevent damage. In this training we want to move the threat hunter from a reactive to a proactive role: identifying suspicious behaviour and taking action before systems are fully compromised. To do so we provide a fully hands-on training in which the attendees, presented with a complete IT landscape that simulates a Red Team exercise or a real attack, learn how to build and operate a Threat Hunting platform on top of the (B)ELK stack. Students will deploy Beats and custom scripts on the provided machines to collect and enrich information, normalize it with Logstash, present the valuable parts in Kibana dashboards, and translate Sigma rules into ElastAlert alerts that are sent to a Slack channel. To understand the different attacks carried out in the lab environment, each machine ships with a few scenarios that replicate MITRE ATT\&CK use cases.

## Some of the scenarios we will go through

* Spear phishing attacks and malicious attachments
* Malware and C2 server detection
* Privilege escalation
* Lateral movement
* Data exfiltration detection using canaries
* Registry manipulation and task creation for persistence
* Web application vulnerability exploitation
* DDoS attacks

Each student will work through 5 to 8 labs a day. The ELK stack is provided as an open-source project, together with some of the Sigma rules used during the course.
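The pipeline step the abstract describes (Sigma rule to Elasticsearch query to ElastAlert rule posting on Slack) and the canary-based exfiltration scenario from the list above, shown together as an added example. This script is not code from the belk-threat-hunting repository or from the Sigma or ElastAlert projects: it re-implements only the small subset of Sigma needed to show the mechanics (in practice the Sigma project's own converter handles the full rule language), translates two rules into the `query_string` an ElastAlert rule carries, wraps one in a Slack-alerting ElastAlert rule, and evaluates both offline against a few constructed events. The mapping of Sigma field names to Winlogbeat/Packetbeat fields, the index pattern, the webhook URL, the canary zone name and the sample events are all assumptions.

```python
"""Sigma rule -> Elasticsearch query_string -> ElastAlert (Slack) rule, plus an offline matcher.
Added example for this page, not code from the belk-threat-hunting repository or the
Sigma / ElastAlert projects. Only a subset of Sigma is handled: one 'selection' map
(AND across fields, OR within a value list) with 'condition: selection'; values may use
* and ? wildcards and are matched case-insensitively."""
import fnmatch
import json

# ASSUMPTION: Sigma field names mapped to the Winlogbeat (Sysmon event 1) fields the
# platform indexes; Packetbeat DNS events already use the ECS name dns.question.name.
FIELD_MAP = {"Image": "winlog.event_data.Image", "CommandLine": "winlog.event_data.CommandLine"}

# Scenario "task creation for persistence": schtasks.exe /create (ATT&CK T1053.005).
SCHTASKS_PERSISTENCE = {
    "title": "Scheduled task created with schtasks.exe",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {"selection": {"Image": "*\\schtasks.exe", "CommandLine": "*/create*"},
                  "condition": "selection"},
    "tags": ["attack.persistence", "attack.t1053.005"], "level": "medium",
}
# Scenario "data exfiltration detection using canaries": a planted document embeds a hostname
# under a canary zone (constructed name) that nothing legitimate ever resolves, so any DNS
# question for it means the document was opened or leaked.
CANARY_DNS = {
    "title": "DNS lookup of canary hostname (possible data exfiltration)",
    "logsource": {"category": "dns", "product": "packetbeat"},
    "detection": {"selection": {"dns.question.name": ["*.canary.example.internal"]},
                  "condition": "selection"},
    "tags": ["attack.exfiltration"], "level": "high",
}
RULES = [SCHTASKS_PERSISTENCE, CANARY_DNS]

# Lucene query_string reserved characters; * and ? are left unescaped so Sigma wildcards survive.
RESERVED = '+-=&|><!(){}[]^"~:\\/'

def qs_escape(value):
    return "".join("\\" + c if c in RESERVED else c for c in str(value))

def sigma_to_query_string(rule, field_map=FIELD_MAP):
    """Translate the rule's selection into one Elasticsearch query_string expression."""
    detection = rule["detection"]
    if detection.get("condition") != "selection":
        raise ValueError("this example only handles 'condition: selection'")
    clauses = []
    for field, values in detection["selection"].items():
        es_field = field_map.get(field, field)
        values = values if isinstance(values, list) else [values]
        alternatives = " OR ".join("%s:%s" % (es_field, qs_escape(v)) for v in values)
        clauses.append("(%s)" % alternatives if len(values) > 1 else alternatives)
    return "(" + " AND ".join(clauses) + ")"

def elastalert_rule(rule, index, slack_webhook_url):
    """Wrap the translated query in an ElastAlert rule that posts to Slack; the index pattern
    and webhook URL are deployment-specific values supplied by the caller."""
    return {
        "name": rule["title"],
        "type": "any",                        # fire on every matching document
        "index": index,
        "filter": [{"query": {"query_string": {"query": sigma_to_query_string(rule)}}}],
        "realert": {"minutes": 5},            # throttle repeats of the same alert
        "alert": ["slack"],
        "slack_webhook_url": slack_webhook_url,
        "alert_text": "%s (%s)" % (rule["title"], ", ".join(rule.get("tags", []))),
    }

def _lookup(event, dotted_field):
    """Walk a nested dict by dotted field name; None when the path is absent."""
    current = event
    for part in dotted_field.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current

def match_event(rule, event, field_map=FIELD_MAP):
    """Evaluate the rule's selection against one event (case-insensitive wildcard match)."""
    for field, values in rule["detection"]["selection"].items():
        actual = _lookup(event, field_map.get(field, field))
        values = values if isinstance(values, list) else [values]
        if actual is None or not any(
                fnmatch.fnmatchcase(str(actual).lower(), str(v).lower()) for v in values):
            return False
    return True

def hunt(events, rules=RULES):
    """Return (event index, rule title) for every rule that fires on each event."""
    return [(i, r["title"]) for i, ev in enumerate(events) for r in rules if match_event(r, ev)]

# Constructed sample events in the shape Winlogbeat / Packetbeat would index them.
SAMPLE_EVENTS = [
    {"winlog": {"event_data": {"Image": "C:\\Windows\\System32\\schtasks.exe",
                               "CommandLine": "schtasks /create /tn Updater /tr C:\\Users\\Public\\u.exe /sc onlogon"}}},
    {"winlog": {"event_data": {"Image": "C:\\Windows\\System32\\schtasks.exe",
                               "CommandLine": "schtasks /query /tn Updater"}}},   # benign: no /create
    {"dns": {"question": {"name": "q3-forecast.docs.canary.example.internal"}}},  # canary tripped
    {"dns": {"question": {"name": "www.example.com"}}},
]

if __name__ == "__main__":
    for rule in RULES:
        print(sigma_to_query_string(rule))
    print(json.dumps(elastalert_rule(CANARY_DNS, "packetbeat-*",
                                     "https://hooks.slack.com/services/REPLACE/ME"), indent=2))
    print(hunt(SAMPLE_EVENTS))
```

The offline matcher is there so a rule can be checked against captured events before it is loaded into ElastAlert; the `realert` throttle keeps a noisy host from flooding the Slack channel, which matters for the canary rule because a single leaked document can be resolved many times.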

## What will you learn

* How to setup a threat hunting platform using the BELK stack
* How to collect security and network events from different hosts in the network
* How to analyze them using Kibana
* How to create automatic rules on security incidents based on the MITRE ATT\&CK framework
* How to alert and get more insights on the detected issues
* How to react and contain the damage

## What will you need

* Docker (with docker-compose) and at least 4 GB of RAM
* A Slack account
* A Windows VM (we suggest Windows 10). A complete simulated environment is provided during the course, so the VM is only needed for self-study

## Why should people attend this course

This course teaches how to create and operate a 100% free Threat Hunting platform based on the ELK stack, while getting familiar with MITRE ATT\&CK and some of the techniques used by attackers to gain access to companies' assets. Small and medium companies can use this knowledge to strengthen their security defenses, building a complete Threat Hunting platform without spending a fortune.

## Syllabus

| **Module**                       | **Topic**                                                                    |
| -------------------------------- | ---------------------------------------------------------------------------- |
| **\[1] Threat Hunting**          |                                                                              |
|                                  | The TH process                                                               |
|                                  | Alerting vs Proactivity                                                      |
|                                  | Use cases development (MITRE ATT\&CK)                                        |
|                                  | Information Gathering                                                        |
|                                  | Tooling (not only a SIEM)                                                    |
|                                  | Red vs Blue Team                                                             |
| **\[2] BELK Stack**              |                                                                              |
|                                  | BELK stack introduction                                                      |
|                                  | Elasticsearch                                                                |
|                                  | Kibana                                                                       |
|                                  | Logstash                                                                     |
|                                  | Beats: Packetbeat, Winlogbeat, Auditbeat, Filebeat                           |
|                                  | ElastAlert                                                                   |
| **\[3] SIEM and security rules** |                                                                              |
|                                  | SIEM and Blue Team                                                           |
|                                  | Sigma rules                                                                  |
|                                  | MITRE ATT\&CK and Sigma rules                                                |
|                                  | From Sigma to Elasticsearch: ElastAlert                                      |
|                                  | Alerting on Slack                                                            |
| **\[4] Use cases**               |                                                                              |
|                                  | Attacker patterns and behaviors                                              |
|                                  | Hypothesis and IOCs                                                          |
|                                  | Post-infection investigation through SIEM timeline and Kibana: Event IDs     |
| **\[5] Network detection**       |                                                                              |
|                                  | Identify C2 servers                                                          |
|                                  | Identify bots and automated activities                                       |
|                                  | Identify data exfiltration using canaries                                    |
|                                  | Identify possible phishing domains                                           |
| **\[6] Host threat detection**   |                                                                              |
|                                  | Identify irregular processes                                                 |
|                                  | Identify registry manipulation                                               |
|                                  | Identify privilege escalation techniques                                     |
|                                  | Identify malware and ransomware                                              |
|                                  | Identify abnormal user behavior                                              |
| **\[7] Web Application Threats** |                                                                              |
|                                  | Collect web server logs                                                      |
|                                  | Identify exploited vulnerabilities (SQL injection, XXE, RCE, LFI, RFI, etc.) |
|                                  | Webshells                                                                    |
|                                  | Phishing domain detection                                                    |
|                                  | DDoS attacks                                                                 |

Download the setup and try out a few of our labs!

{% embed url="https://github.com/dcodx/belk-threat-hunting" %}

{% hint style="info" %}

### Interested? Contact us at <trainings@dcodx.com>

{% endhint %}
