This chapter covers
- Preparing for your first threat-hunting expedition
- Conducting your first threat-hunting expedition
- Exploring the use of Sysmon
- Exploring techniques and tools used to conduct a hunt
- Practicing the threat-hunting process, focusing on the execution phase
It is time to conduct our first threat-hunting expedition. In this chapter, we get the chance to practice the knowledge gained from chapter 2 to create a good threat-hunting play and formulate a threat-hunt hypothesis. We start with a scenario that typically triggers the threat-hunting process.
We practice creating a threat-hunting play and running a hunting expedition to prove the hypothesis. Worked examples then show how to use Sysmon as a threat-hunting data source, search its events in a data store to uncover clues and evidence, and build a timeline of the threat's execution.
After concluding the expedition, we map the hunting activities we performed to the three phases of the threat-hunting process: preparation, execution, and communication. Finally, we examine Sysmon, one of the richest Windows data sources for security monitoring teams and threat hunters.
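The two activities just previewed, searching a store of Sysmon events for a clue and turning the hits into an execution timeline, are shown below in a small worked example. This is an added illustration, not code from the book; the records are constructed, and the field names (UtcTime, ProcessGuid, ParentProcessGuid, Image, CommandLine, User) follow Sysmon's Event ID 1 (process create) schema. The timeline is scoped to the clue's ancestry plus everything it spawned, so unrelated sibling processes are left out.

```python
"""Search constructed Sysmon Event ID 1 records and build an execution timeline.

Added example (not from the chapter). Field names follow Sysmon Event ID 1;
the records, GUIDs, times and commands are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample data, as a data store might return it, deliberately out of order.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "UtcTime": "2024-01-15 10:02:11.000", "ProcessGuid": "{G3}",
     "ParentProcessGuid": "{G2}", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "User": "CORP\\alice"},
    {"EventID": "1", "UtcTime": "2024-01-15 10:00:00.000", "ProcessGuid": "{G5}",
     "ParentProcessGuid": "{G1}", "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt", "User": "CORP\\alice"},
    {"EventID": "3", "UtcTime": "2024-01-15 10:02:41.000", "ProcessGuid": "{G4}",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": "443", "User": "CORP\\alice"},
    {"EventID": "1", "UtcTime": "2024-01-15 09:58:00.000", "ProcessGuid": "{G1}",
     "ParentProcessGuid": "{G0}", "Image": "C:\\Windows\\explorer.exe",
     "CommandLine": "explorer.exe", "User": "CORP\\alice"},
    {"EventID": "1", "UtcTime": "2024-01-15 10:02:40.000", "ProcessGuid": "{G4}",
     "ParentProcessGuid": "{G3}",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc AAAA", "User": "CORP\\alice"},
    {"EventID": "1", "UtcTime": "2024-01-15 10:01:30.000", "ProcessGuid": "{G2}",
     "ParentProcessGuid": "{G1}", "Image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE invoice.docm", "User": "CORP\\alice"},
]


def parse_utc(value: str) -> datetime:
    """Sysmon writes UtcTime as 'YYYY-MM-DD HH:MM:SS.fff'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def process_creates(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep only Event ID 1 records; other Sysmon events lack the parent link we walk."""
    return [e for e in events if e.get("EventID") == "1"]


def find_clues(events: List[Dict[str, str]], needle: str) -> List[str]:
    """The 'search' step: ProcessGuids whose CommandLine contains needle (case-insensitive)."""
    needle = needle.lower()
    return [e["ProcessGuid"] for e in process_creates(events)
            if needle in e.get("CommandLine", "").lower()]


def ancestry(events: List[Dict[str, str]], guid: str) -> List[Dict[str, str]]:
    """Walk ParentProcessGuid links upward from guid; child first, oldest known ancestor last."""
    by_guid = {e["ProcessGuid"]: e for e in process_creates(events)}
    chain, seen, cur = [], set(), guid
    while cur in by_guid and cur not in seen:  # stop at a missing parent or a cycle
        seen.add(cur)
        chain.append(by_guid[cur])
        cur = by_guid[cur].get("ParentProcessGuid", "")
    return chain


def descendants(events: List[Dict[str, str]], guid: str) -> List[Dict[str, str]]:
    """Everything spawned (directly or indirectly) by guid."""
    children = defaultdict(list)
    for e in process_creates(events):
        children[e.get("ParentProcessGuid", "")].append(e)
    out, seen, stack = [], set(), [guid]
    while stack:
        for child in children[stack.pop()]:
            if child["ProcessGuid"] not in seen:
                seen.add(child["ProcessGuid"])
                out.append(child)
                stack.append(child["ProcessGuid"])
    return out


def execution_timeline(events: List[Dict[str, str]], clue_guid: str) -> List[Dict[str, str]]:
    """Ancestors of the clue plus its descendants, ordered by UtcTime."""
    tree = ancestry(events, clue_guid) + descendants(events, clue_guid)
    return sorted(tree, key=lambda e: parse_utc(e["UtcTime"]))


def render_timeline(timeline: List[Dict[str, str]]) -> List[str]:
    """One human-readable line per process, for the communication phase."""
    lines = []
    for e in timeline:
        image_name = e["Image"].rsplit("\\", 1)[-1]
        lines.append(f'{e["UtcTime"]}  {e["User"]:<12} {image_name:<16} {e["CommandLine"]}')
    return lines


if __name__ == "__main__":
    for guid in find_clues(SAMPLE_EVENTS, "whoami"):
        print("\n".join(render_timeline(execution_timeline(SAMPLE_EVENTS, guid))))
```

On the constructed data the search for "whoami" returns the cmd.exe record, and the timeline places explorer.exe, WINWORD.EXE, cmd.exe and the hidden PowerShell in time order while leaving the unrelated notepad.exe out; the Event ID 3 network record is filtered before the tree is walked, which is the usual reason to keep a per-event-type index in the data store.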
3.1 Hunting for compromised endpoints
You have been handed your first threat-hunting assignment. The red team shared with you the results of an exercise they conducted recently.