InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

Threat Hunting Series: Using Threat Emulation for Threat Hunting

Kostas

Published in InfoSec Write-ups

9 min read · Oct 10, 2022

This post will demonstrate how threat emulation can be used for threat hunting. I often use threat emulation to understand the evidence an attack leaves behind upon execution.

While there are many use cases for threat emulation, this post will focus on emulating attackers' techniques to help with threat hunting. By emulating those techniques in a lab environment, security teams can generate the telemetry they need and test their security solutions against it. This process can help you understand an attacker's mindset and approach, allowing you to hunt for threats more effectively.

As a threat hunter, finding the resources you need to hunt for an adversarial technique can be difficult at times. Such resources include attack-related information (think threat intelligence or incident response reports) and telemetry (logs). When they are not available, you must conduct your own research and employ threat emulation to generate the necessary data.

IMPORTANT

Before you start emulating the attack and digging through logs, it would be best to establish what you are looking for and the purpose of your research.

You need a lab environment in which to recreate the attack scenarios and collect the generated telemetry. You can then analyze the results and hunt for the unique Indicators of Attack (IoAs) in your production environment(s).

Steps to a successful emulation

There are numerous factors to consider before emulating an attack. I have separated the phases of emulation below:

  1. Create a lab environment.
  2. Gather information about the attack.
  3. Execute the attack.
  4. Analyze the collected data and create your TH queries.
  5. Eliminate false positives.
  6. Make the threat hunt repeatable.

This section will go over these key steps and provide a high-level explanation for each. I will also include an example to solidify the concept. The example use case will enable the WDigest protocol to extract clear-text credentials.
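As an added example that is not part of the original post, here is the kind of small hunt step 4 produces, run over constructed Sysmon Event ID 13 (registry value set) records. It assumes the emulated technique flips the documented `UseLogonCredential` value under `SecurityProviders\WDigest` and that Sysmon registry logging is enabled in the lab; the flattened `key=value|...` record format is my own construction, not Sysmon's native XML.

```python
"""Hunt for WDigest being re-enabled, using Sysmon registry telemetry."""
import re
from dataclasses import dataclass

# Constructed Sysmon Event ID 13 records flattened to one line each.
# These are sample lines written for this example, not real lab output.
SAMPLE_EVENTS = [
    "EventID=13|Image=C:\\Windows\\System32\\reg.exe"
    "|TargetObject=HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential"
    "|Details=DWORD (0x00000001)|User=LAB\\jdoe",
    # Configuration management resetting the value to the secure default.
    "EventID=13|Image=C:\\Windows\\System32\\svchost.exe"
    "|TargetObject=HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential"
    "|Details=DWORD (0x00000000)|User=NT AUTHORITY\\SYSTEM",
    # Unrelated registry write that shares the same event type.
    "EventID=13|Image=C:\\Windows\\System32\\svchost.exe"
    "|TargetObject=HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Hostname"
    "|Details=LAB-WS01|User=NT AUTHORITY\\SYSTEM",
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe|User=LAB\\jdoe",
]

# Match the value regardless of hive spelling (HKLM vs. full path) and case.
WDIGEST_VALUE = re.compile(r"\\SecurityProviders\\WDigest\\UseLogonCredential$", re.IGNORECASE)


@dataclass
class Finding:
    image: str
    user: str
    details: str


def parse_event(line: str) -> dict:
    """Split a flattened record into a field dictionary."""
    return dict(field.split("=", 1) for field in line.split("|"))


def hunt_wdigest(lines) -> list:
    """Return registry writes that set UseLogonCredential to 1."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":
            continue
        if not WDIGEST_VALUE.search(ev.get("TargetObject", "")):
            continue
        # A value of 1 makes LSASS keep clear-text credentials in memory again;
        # 0 is the modern default, so resetting it is hardening, not an attack.
        # Dropping the 0 case is the step-5 false-positive reduction.
        if "0x00000001" not in ev.get("Details", ""):
            continue
        findings.append(Finding(ev.get("Image", ""), ev.get("User", ""), ev["Details"]))
    return findings
```

In a real hunt the same logic is expressed as a SIEM query over the lab telemetry, then re-run against production; the regex and value check are the portable part.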

Here is a mindmap of the below process:


Written by Kostas

I am a security researcher. My interests lie in #ThreatIntel, #malware, #IR & #Threat_Hunting. I either post here or at http://thedfirreport.com/
