Read the original article: Welcome to ThreatPursuit VM: A Threat Intelligence and Hunting Virtual Machine
Skilled adversaries can deceive
detection and often employ new measures in their tradecraft. Keeping a
stringent focus on the lifecycle and evolution of adversaries allows
analysts to devise new detection mechanisms and response processes.
Access to the appropriate tooling and resources is critical to
discover these threats within a timely and accurate manner. Therefore,
we are actively compiling the most essential software packages into a
Windows-based distribution: ThreatPursuit VM.
ThreatPursuit Virtual Machine (VM) is a fully customizable,
open-sourced Windows-based distribution focused on threat intelligence
analysis and hunting designed for intel and malware analysts as well
as threat hunters to get up and running quickly. The threat
intelligence analyst role is a subset and specialized member of the
blue team. Individuals in this role generally have a strong impetus
for knowing the threat environment. Often their traits, skills and
experiences will vary depending on training and subject matter expertise.
Their expertise may not be technical and may include experiences and
tradecraft earned by operating within a different domain (e.g.,
geospatial, criminal, signals intelligence, etc.). A key aspect of the
role may include the requirement to hunt, study and triage previously
undiscovered or recently emerging threats by discerning data for evil.
Threat analysts apply a variety of structured analytical methods in
order to develop meaningful and relevant products for their customers.
With this distribution we aim to enable users to:
- Conduct hunting activities or missions
- Create adversarial playbooks using evidence-based knowledge
- Develop and apply a range of analytical products amongst datasets
- Perform analytical pivoting across forensic artifacts and elements
- Emulate advanced offensive security tradecraft
- Enable situational awareness through intelligence sharing and reporting
- Apply data science techniques and visualize clusters of symbolic data
- Leverage open intelligence sources to provide unique insights for defense and offense
Akin to both FLARE-VM
and Commando
VM, ThreatPursuit VM uses Boxstarter, Chocolatey and MyGet packages to install software
that facilitates the many aspects related to roles performed by
analysts. The tools installed provide easy access to a broad range of
tooling, including, but not limited to, threat analytics, statistics,
visualisation, threat hunting, malware triage, adversarial emulation,
and threat modelling. Here are some of the tools, but there are many more:
- MISP
- OpenCTI
- Elasticsearch, Kibana, Logstash
- Splunk
- Threat Hunter Playbook
- CSIRO Data61 Constellation
- Maltego
- RStudio
- MITRE CALDERA
- Jupyter Notebook
- Python
- SilkETW
For a full list of tools, please visit our GitHub repository.
Installation
Similar to FLARE-VM and Commando VM, it’s
recommended to install ThreatPursuit VM in a virtual machine. The
following is an overview of the minimal and recommended installation requirements.
Requirements
- Windows 10 1903 or greater
- 60 GB Hard Drive
- 4 GB RAM
Recommended
- Windows 10 1903
- 80+ GB Hard Drive
- 6+ GB RAM
- 1 network adapter
- OpenGL Graphics Card 1024mb
- Enable Virtualization support for VM
  - Required for Docker (MISP, OpenCTI)
  - Required
Standard Install
The easiest way to install ThreatPursuit VM is to use the following
steps. This will install all the default tools and get you finding
evil in no time!
- Create and configure a new Windows 10 VM with the aforementioned requirements.
- Ensure VM is updated completely. You may need to check for updates, reboot and check again until no more remain.
- Install your specific VM guest tools (e.g., VMware Tools) to allow additional features such as copy/paste and screen resizing.
- Take a snapshot of your machine! This allows you to always have a clean state.
- Download and copy install.ps1 to your newly configured VM.
- Open PowerShell as an administrator.
Next, unblock the install file by running: Unblock-File .\install.ps1, as seen in Figure 1.
Figure 1: Unblock-File installation script
Enable script execution by running: Set-ExecutionPolicy Unrestricted -f, as seen in Figure 2.
Figure 2: Set-ExecutionPolicy Unrestricted -f script
Finally, execute the installer script as follows: .\install.ps1
After executing install.ps1, you’ll be prompted for the
administrator password in order to automate host restarts during
installation as several reboots occur. Optionally, you may pass your
password as a command-line argument via ".\install.ps1
-password <password>". If you do not have a password
set, hitting enter when prompted will also work.
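The whole standard install procedure above, as an added PowerShell example (not a script from the article or the ThreatPursuit VM project): it checks the minimum requirements listed earlier, refuses to continue on a VM that still has a Windows Update reboot pending, and then runs the three documented commands. It assumes install.ps1 has already been copied into the current directory of an elevated PowerShell session.

```powershell
# Added example, not from the ThreatPursuit VM project: check the minimum
# requirements listed above, then run the three install commands.
# Assumes install.ps1 is already in the current directory of an elevated shell.
#Requires -RunAsAdministrator

$MinBuild  = 18362   # Windows 10 1903
$MinDiskGB = 60
$MinRamGB  = 4

$os   = Get-CimInstance Win32_OperatingSystem
$sys  = Get-CimInstance Win32_ComputerSystem
$disk = Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')

$build  = [int]$os.BuildNumber
$ramGB  = [math]::Round($sys.TotalPhysicalMemory / 1GB, 1)
$diskGB = [math]::Round(($disk.Used + $disk.Free) / 1GB, 1)

$problems = @()
if ($build  -lt $MinBuild)  { $problems += "Windows build $build is older than 1903 (build $MinBuild)" }
if ($ramGB  -lt $MinRamGB)  { $problems += "$ramGB GB RAM present; at least $MinRamGB GB required" }
if ($diskGB -lt $MinDiskGB) { $problems += "System drive is $diskGB GB; at least $MinDiskGB GB required" }

# The steps above ask for a fully patched VM; a pending Windows Update reboot means it is not.
$rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
if (Test-Path $rebootKey) { $problems += 'A Windows Update reboot is pending; reboot and re-run' }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Requirements not met; fix the items above before running install.ps1'
}
if (-not (Test-Path .\install.ps1)) { throw "install.ps1 not found in $PWD" }

# Steps from the article: unblock the downloaded script, allow script execution, run it.
Unblock-File .\install.ps1
Set-ExecutionPolicy Unrestricted -Force
.\install.ps1
```

Take the VM snapshot before running this; the installer reboots the guest several times and the checks above cannot do that step for you.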
This will be the last thing you will need to do before the
installation is unattended. The script will set up the Boxstarter
environment and proceed to download and install the ThreatPursuit VM
environment, as seen in Figure 3.
Figure 3: Installation script execution
The installation process may take upwards of several hours depending
on your internet connection speed and the web servers hosting the
various files. Figure 4 shows the post-installation desktop
environment, featuring the logo and a desktop shortcut. You will know
when the install is finished with the VM’s logo placed on the background.
Figure 4: ThreatPursuit VM desktop installed
Custom Install
Is the standard installation too much for you? We provide a custom
installation method that allows you to choose which chocolatey
packages get installed. For additional details, see the Custom
Install steps at our GitHub repository.
Installing Additional Packages
Since ThreatPursuit VM uses the Chocolatey Windows package manager,
it’s easy to install additional packages not included by default. For
example, entering the command cinst github as administrator
installs GitHub Desktop on your system.
To update all currently installed packages to their most recent
versions, run the command cup all as administrator.
Getting Started: A Use Case
As threat analysts, what we choose to pursue will depend on the
priorities and requirements of our current role. Often, they vary with
each threat or adversary encountered such as financial crime,
espionage, issue-motivated groups or individuals. The role broadly
encompasses the collection and analysis of threat data (e.g., malware,
indicators of attack/compromise) with the goal of triaging the data
and developing actionable intelligence. For example, one may want to
produce detection signatures based on malware network communications
to classify, share or disseminate indicators of compromise (IOCs) in
standardized ways. We may also use these IOCs in order to develop and
apply analytical products that establish clusters of analogous nodes
such as MITRE ATT&CK tactics and techniques, or APT groups. On the
other hand, our goal can be as simple as triaging a malware sample
behavior, hunting for indicators, or proving or disproving a
hypothesis. Let’s look at how we might start.
Open Hunting
To start our use case, let’s say we are interested in reviewing
latest threat actor activity reported for the quarter. We sign in to
the Mandiant
Advantage portal (Figure 5) using our public subscription to get a
snapshot view of any highlighted activity (Figure 6).
Figure 5: Mandiant Advantage portal
Figure 6: Actor activity for Q3 2020
Based on Mandiant Advantage report, we notice a number of highly
active APT and FIN actors. We choose to drill in to one of these
actors by hovering our mouse and selecting the actor tag FIN11.
We receive a high-level snapshot summary view of the threat actor,
their targeted industry verticals, associated reports and much more,
as seen in Figure 7. We also may choose to select the most recent
report associated with FIN11 for review.
Figure 7: FIN11 actor summary
By selecting the “View Full Page” button as seen at the top right
corner of Figure 6, we can use the feature to download indicators, as
seen in the top right corner of Figure 8.
Figure 8: Full FIN11 page
Within the FIN11 report, we review the associated threat
intelligence tags that contain finished intelligence products.
However, we are interested in the collection of raw IOCs (Figure 9)
that we could leverage to pivot off or enrich our own datasets.
Figure 9: Downloaded FIN11 indicators
Using the Malware Information Sharing Platform (MISP) as our collection point, we
are going to upload and triage our indicators using our local MISP
instance running on ThreatPursuit VM.
Please note you will need to ensure your local MISP instance is
running correctly with the configuration of your choosing. We select
the “Add Event” button, begin populating all needed fields to prepare
our import, and then click “Submit”, as shown in Figure 10.
Figure 10: MISP triage of events
Under the tags section of our newly created FIN11 event, we apply
relevant tags to begin associating aspects of contextual information
related to our target, as seen in Figure 11.
Figure 11: MISP Event setup for FIN11
We then select “Add Attribute” into our event, which will allow us
to import our MD5 hashes into the MISP galaxy, as seen in Figure 12.
Using both the category and type, we select the appropriate values
that best represent our dataset and prepare to submit that data into
our event.
Figure 12: MISP import events into FIN11 event
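The same event creation and MD5 import done through MISP's REST API instead of the "Add Event" and "Add Attribute" forms, as an added example (not code from the article or the ThreatPursuit VM project). It assumes a local MISP instance reachable at $MispUrl, an automation key exported in the MISP_KEY environment variable, and a constructed hash list containing the one MD5 the article names plus a placeholder; the event fields mirror the ones filled in above.

```powershell
# Added example, not the article's own code: create the FIN11 event and attach
# MD5 attributes through the MISP REST API. Assumes a local MISP instance and an
# automation key in $env:MISP_KEY; the hash list below is constructed.
$MispUrl = 'https://localhost'      # assumption: MISP running on the VM
$MispKey = $env:MISP_KEY            # assumption: key exported before running this
$Headers = @{ Authorization = $MispKey; Accept = 'application/json'; 'Content-Type' = 'application/json' }

# Constructed indicator list; a real run would read the downloaded FIN11 file instead.
$Hashes = @(
    '113dd1e3caa47b5a6438069b15127707',   # MD5 quoted in the article
    '00000000000000000000000000000001'    # placeholder, not a real indicator
)

# Pick the MISP attribute type from the hash length so mixed lists import cleanly.
function Get-HashType([string]$Value) {
    switch ($Value.Length) { 32 { 'md5' } 40 { 'sha1' } 64 { 'sha256' } default { $null } }
}

$Attributes = foreach ($h in $Hashes) {
    $type = Get-HashType $h
    if (-not $type -or $h -notmatch '^[0-9a-fA-F]+$') { Write-Warning "skipping '$h'"; continue }
    @{ type = $type; category = 'Payload delivery'; value = $h.ToLower(); to_ids = $true }
}

# Same fields as the "Add Event" form: info, distribution, threat level, analysis, tags.
$Event = @{
    Event = @{
        info            = 'FIN11 indicators from Mandiant Advantage (Q3 2020)'
        distribution    = 0        # your organisation only
        threat_level_id = 2        # medium
        analysis        = 0        # initial
        Tag             = @(@{ name = 'tlp:amber' }, @{ name = 'type:OSINT' })
        Attribute       = @($Attributes)
    }
}

$body = $Event | ConvertTo-Json -Depth 6
# -SkipCertificateCheck needs PowerShell 7; drop it once the instance has a trusted certificate.
$resp = Invoke-RestMethod -Method Post -Uri "$MispUrl/events" -Headers $Headers -Body $body -SkipCertificateCheck
"Created MISP event $($resp.Event.id) with $($resp.Event.Attribute.Count) attribute(s)"
```

Setting to_ids on the attributes marks them for export as detection indicators, which is the point of importing raw IOCs rather than the finished report.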
MISP allows for a streamlined way to drill and tag indicators as
well as enrich and pivot with threat intelligence. We can also choose
to perform this enrichment process within MISP using a variety of open
intelligence sources and their modules, such as Mandiant
Advantage, PassiveTotal,
Shodan and VirusTotal. We
can also achieve the same result using similar tools already packaged
in ThreatPursuit VM.
Using Maltego CE, installed as part of the VM, we can automate
aspects of targeted collection and analysis of our FIN11 malware
families and associated infrastructure. The following are just some of
the Maltego plugins that can be configured post installation to help
with the enrichment and collection process:
Targeting the suspected payload, we attempt to pivot using its MD5
hash value (113dd1e3caa47b5a6438069b15127707) to discover additional
artifacts, such as infrastructure, domain record history, previously
triaged reports, similar malware samples, timestamps, and the rich headers.
Importing our hash into Maltego CE, we can proceed to perform a
range of queries to hunt and retrieve interesting information related
to our FIN11 malware, as seen in Figure 13.
Figure 13: Maltego CE querying MD5 hash
Quite quickly we pull back indicators; in this case, generic named
detection signatures from a range of anti-malware vendors. Using
VirusTotalAPI Public, we perform a series of collection and triage
queries across a variety of configured open sources, as shown in
Figure 14.
Figure 14: Aut
[…]