
Wes Lambert - Augmenting the (Security) Onion: Facilitating Enhanced Detection and Response

BSides Augusta · 51:54 · 53 views · Published 2019-10

About this talk
Wes Lambert explores how Security Onion and complementary open-source tools—including The Hive, OSQuery, and Strelka—enable enhanced detection and response capabilities. The talk covers building enterprise security monitoring platforms that correlate network telemetry, host artifacts, and alert data to provide context and automate investigation workflows.
Transcript [en]

All right, hey guys, hope everybody's doing well. Hope you all got to see some good talks today so far, and hopefully you'll enjoy this one as well. Just a quick show of hands, was anybody here at the Security Onion conference yesterday? OK, fair warning, this talk will be fairly similar, in fact very similar, to the talk that I gave yesterday, so just trying to give you a heads up there just in case, you know, there might be another talk that you're interested in as well. But without further ado I'll go ahead and begin. So again, my name is Wes Lambert. I'm a husband and father of four, also known as the co-manager of household operations, right?

So I love cheap coffee, yes, cheap coffee, Indian food, and I also love free and open source software. Oh yes, thank you, thank you, yes, especially open source security software, right? Like, I mean, you look back maybe five years ago versus now and we've really come a long way with being able to share the tools that we have, or that private industry has had, with the community, and I think that's pretty awesome, and that's what I'm going to be talking to you about today. So quick show of hands, who's used Security Onion before? OK, awesome, awesome, because this talk will assume that you have a fair knowledge of Security Onion or have used it before, but I'll still go through some of those data types that we provide and how it can be a benefit to you regardless.

So just to get, before I get into that, yes, I am the senior engineer at Security Onion Solutions, or a senior engineer, we have several now. The company has grown, been growing at a pretty good pace recently here, and I'm pretty excited to see where it goes. And just real quick, so what Security Onion Solutions is, of course the platform is completely free and open source, we just provide training and support for the platform. All right, so again, an introduction. We've really come away from that black box approach of just trying to prevent everything

from getting into our network, right? We really have to step away from this approach and take a step back and look at really, you know, why or how these people are getting in to our environment, and, you know, we have to have ways to detect that. So we know, or we should know, that bad guys will get in at some point regardless, and we need to find a way to, or we need to have a way to, find them. So again, we need to substitute detection for prevention; we need to find a way to retrieve that data that we're recording about our network; we need to make sure it's easily digestible; we need a way to correlate it with other sources, other data. We need context. We need to build upon network security monitoring principles and implement enterprise security monitoring so we can bring in all of that host telemetry and all that other good data that can provide that good context around the events occurring in our network.

So some of the data that Security Onion itself provides is going to be the above. So we have alert data, things like IDS alerts from Snort or Suricata; we have session data from Bro; extracted, I'm sorry, transaction data from Bro, stuff like HTTP or DNS traffic; we have full content data, stuff like pcap from netsniff-ng; we have host data that we can bring in from Wazuh agents or Beats, so that's going to be Elastic's mechanism for bringing in those host logs, like Winlogbeat or Filebeat or something of that nature. We also have things like Sysmon and Autoruns that we can collect via, you know, stuff like Winlogbeat or Filebeat, stuff like that. We have alerting, so we can alert on the data that we collect, right? And also the data enrichment and visualization that we provide is going to be by leveraging the Elastic Stack, so Elasticsearch, Logstash and Kibana. Of course I'm sure many of you have heard of it; who has not heard of it? OK, all right. So continuing, we want all of

that data and we need all that data, but we do not want this data, right? Well, I don't know, maybe for like AI or, you know, some kind of cool machine learning type stuff. Oh no, see, keep that in mind. All right, but again, that alert data is going to be like that Snort or Suricata alert, something that you might view in Sguil or Squert like this. That session data, looking through Kibana, you can see that Bro data. That's going to be similar to NetFlow; think about that conn log, right? It can identify a certain service type, but it's not going to give you many more details beyond that NetFlow type data. So that transaction data that we talked about again is going to be like HTTP traffic, DNS, DHCP; it'll give you more details about the actual transactions that are occurring.

Extracted content, so things extracted out of the network streams, like EXEs extracted from Bro's file extraction framework. You know, we can do things like this, like send them to a sandbox; we can use something like File Scanning Framework or Strelka, which I'll talk about in a little bit. And of course that full content data, that pcap that I was referring to, that whole transcript or that conversation that we're recording off the wire. And of course that host data, so Wazuh agents, Winlogbeat, osquery, Sysmon, all sorts of sources that we can bring in and enrich our current data and provide more context.

And again, the alerting that I mentioned, so this alerting is going to encompass things like destinations from ElastAlert. So what ElastAlert will do is run in a Docker container and then it's going to query Elasticsearch for any conditions that you specify. This would be similar to if you query Elasticsearch or Kibana, so you can see this type of query here that we have on the screen: event_type: snort. So any events of type snort will trigger on that, and right now that alert type in the description is just debug, so it's just going to output it to a debug log, but there are several

destinations, like email, Slack and Jira and lots of other good stuff. So we're not done yet, though; we need more, right? We need more detection mechanisms, we need more context, again more response mechanisms, and of course more cookies, right? Everybody loves cookies. So we need more of all this stuff.

So one way to get more is to implement something like Sigma, right? So has anybody here implemented, or at least heard of, Sigma rules? OK, so to the uninitiated, Sigma rules are going to be really a generic format for rules for something like a SIEM or an IDS or something that behaves in that manner. They're going to be written in YAML, a very well-defined syntax, and it's going to be vendor agnostic and allow you to easily share these detections, right? And the great thing about Sigma is that again you have this syntax right here, so it's pretty convenient and familiar for many folks who work in InfoSec; there's a lot of tools that rely on YAML config files or, you know, in other institutions. So you can see that example there, and the great thing about Sigma in particular is the guys that maintain the repo, Florian Roth and Thomas Patzke, also have this Sigma converter, right? So we can take the Sigma converter and we can convert these standard Sigma rules; they have a ton of example rules in that repo, and we can take these and use these with something like ElastAlert. So we run this command like so, as described up here, the sigmac -t elastalert and so on, and then we can generate ElastAlert rules from these standard Sigma rules.

And we can also apply automated processes to this. For example, Josh at the Security Onion conference talked about his Playbook initiative, where he's taking these Sigma rules and, automatically, you just paste it in and then we're converting them to ElastAlert rules, right? And then they're placed in the ElastAlert rule directory and you don't have to touch it; you don't have to know how to write an ElastAlert rule, you don't have to mess with the Sigma stuff, you just paste it in and go. So a tool like Sigma is very convenient in that manner.

So another tool we're going to talk about is MISP. Anybody messed with MISP, or heard of MISP at all? OK, cool. So MISP is another open-source tool; it's a platform for sharing threat intel. So it provides the ability, of course, to correlate with different, or from different, IOCs and entities and things of that nature, and it has a really rich API to be able to pull in this data and use it in other applications. So one of the concepts or constructs of MISP is the concept of an

event. So within an event you might have various information such as attributes that reference the events, or it might have, you know, maybe IOCs that you've extracted that are relative to the event, and you paste it in there with a threat level, analysis level and various other details to give you more context around what's going on with that event. And so the thing with MISP is that you can share these different events and attributes among organizations and among communities and different MISP instances. So essentially anyone with a MISP instance, you can share with each other, and then from there you can go on and do as you wish with these IOCs. Now keeping in mind, you know, of course, all IOCs are not going to be high fidelity, so you definitely want to vet your sources and, you know, make sure you do your homework when using some of these.

Again, I spoke about attributes, so an event can contain several, if not many, attributes. These types are going to include stuff like source and destination IPs, registry keys, file names, hashes, things of that nature, and like I said you can add as many of these to an event as you want. You can tag these attributes with certain tags, like if it's relevant to C2 or maybe the Fallout exploit kit or whatever you would like to do, cybercrime, you know, any type of fraud, however you like to do that.

Another thing is the concept of feeds. So these events are typically generated, you can have them auto-published or not published at all, through these feeds, and MISP comes with a default set of feeds and different feeds available, but I would definitely caution you to not select all and import these feeds, because you would have a lot of work on your hands. But let me log back in here and I'll give you a look real quick. All right, so this right here, this is going to be an example of some of these feeds that you can pull in. As you can see, you see some of the Zeus stuff up here, Emerging Threats block rules, and these enabled and caching enabled flags. So I've got one enabled here, and our domain lists that maybe I'm using to generate some rules or some other IOC data, but you can mix and match different ones. But again, I urge you not to select them all, and these are really just examples that you can pull in, unless you're using some of your own feeds or, you know, custom mechanisms to bring IOCs into the platform.

All right, so another thing with these feeds is that these attributes can be used in IDS signatures. So if you're a Security Onion user you may be familiar with the Bro Intel framework and the fact that you can use local rules to implement your own rules with Snort or Suricata, right? So these feeds can be exported and used in these signatures. So right here we have an example of the export types that you have, right? So we see Bro, Snort, Suricata, we see JSON if you have some other system that you want to pull this into. We have all this stuff available at our fingertips, and again I mentioned that API makes it very simple.

So the API, they do offer, the folks that work on this do offer a Python client known as PyMISP. I believe the updated version may be ExpandedPyMISP, but what this does is it allows you the ability to conduct automation, right? The things that I mentioned, the NIDS export for Snort or Suricata or Bro; you also have Elasticsearch enrichment opportunities, which I'll talk about in just a second; you can add sightings for a particular IOC; you can manage users and do all sorts of other things. So the Elasticsearch enrichment that I mentioned, this is one way to take these IOCs and then enrich your existing Security Onion data with this data, right? So you can take in these IOCs and then in the pipeline you can enrich your Bro events or other events to see if you get any particular hits, and then you can refer back to these hits in MISP to get a little more context on that particular event, or gain additional insight into other attributes that may be present.

So what I've done here in this example, it's basically a Dockerized method to do this. There's a guy who did this on Twitter a little while back, his Twitter handle is DC security DK, but the concept is pretty much the same. Some of the configuration is similar, but I've just Dockerized it and made it a little bit easier to... So essentially what happens is that we query MISP, right, using this Docker container, and then these values get populated into an in-memory memcached database, and then Logstash polls that database and then inserts that enrichment into the event, and then of course pushes to Elasticsearch and Elasticsearch indexes it. Then we can see all that goodness in Kibana, right? So an example of that real quick, you can see, so let's go back to my event that I have over here, Onions Are Us.

OK, sorry, squirrel brain for a second. Anyway, we see these different values here; we'll see some different values such as these SHA-256 hashes and the domain down here, online dating for live info, right? And then we see some tags associated with these. Whoops, sorry about that, I thought I was gonna be duplicated.

Well, you need to refresh the... yeah. Oh, it's still in there, it's weird. Slideshow, yeah. Can you try refreshing, maybe? See, it's still on the... I'm not even in the slideshow there. All right, let's do this.


It's wigging out. All right, yeah, it's thinking really hard, I got all these VMs running. About there, we go. I think we're back to basics, right? All right, cool, all right, we're back in business. All right, now what I was talking about, sorry about that intermission. All right, so these SHA-256 hashes over here, uh, yeah, OK, so you can see them up here, and then this domain, online dating for live info, we had those in the MISP events, all right? And then we're using that Docker container, right, to pull in all that stuff. So do docker ps, yes, all right, we see it running right there. All right, and let me just do a history, grep for... all right, seven, all right.

And then what I'm doing right here, I'm just looking at the, trying to show you guys, looking at that memcached database. You can see all these entries on here, this hive domain right here, which I'll talk about in just a second, and we also see a domain, online-dating for live info, and this SHA-256 hash is right there. All right, so that Logstash pipeline config that I have in /etc/logstash/custom, cat 8300, this is a Logstash config, and just to give you an idea, I'm basically looking at these fields and, if they exist, I'm just going to make it look out to memcached, and then I'm going to look for that prefix, all right, like hash md5 or md5 or domain. I'm going to get that and I'm going to pop that into a field called MISP match, all right?

So let's look in Kibana here. OK, there we go. All right, so we get a couple hits, right? How about this? OK, OK, it's MISP match and it's tagged with fallout. Remember seeing that tag over here, right? So you can tag these with, you know, of course, more descriptive type things; if there are default tags that you have in your organization you can of course use those, and you can of course do a number of things. This is just really intended to give you an example of what's possible; you can go from here and do crazy things, right? So I see that it's tagged, I see that of course I got this match for MISP, and then I can go check it out right now. But that's the main idea, is that, you know, you can pull in this data and enrich your existing Elasticsearch data with it, right? And then, so we've taken that IOC, we've ingested it into our detection pipeline and now we're enriching our data with that.

So another thing is the NIDS rules and the Bro Intel, right? So we can take these, we can pull these down via the MISP API and then we can implement those into our detection pipeline as those Snort or Suricata rules or that Bro Intel framework, and we've got kind of the workflow here. Of course we have a bash script that we can run, right? We can query for NIDS rules, we have the MISP API that can push those out, we can pull them in, and then once we pull them in we get things like this, all right? So I'm going to show you in just a second what it actually generated, but you can see in Kibana we have NIDS alerts, so things from Snort or Suricata, from those MISP IOCs, right? It's tagged MISP, P 1, fallout, outgoing, HTTP, domain online dating for live data info, exactly what we had in MISP, right? So you can see how we can leverage this threat intel to augment our pipeline.

So just to give you an idea real quick what that actually looks like on disk, all right, and it's a little hard to read, I'm sure, but you can see here the Snort rule that was generated and populated into downloaded.rules as a result of rule-update running and pulling in those custom MISP rules. But it can be very powerful, again, pulling that stuff in and augmenting that current pipeline, like I said. And again, so these things that I'm presenting of course aren't meant to be, you know, just things, you know, go take and run in production or whatever, but just to give you an idea of maybe some POCs or things that you can take and run with. And now some of this code I've documented on some of these slides; it'll be in their separate git repos so you can go pull that down and mess with it if you want. Tell me how bad it is, tell me how good it is, make it better, so just let me know.

So another tool that we're going to talk about is TheHive. Anybody here familiar with TheHive? Awesome, awesome, OK. So TheHive is an open source security incident response platform. It's super awesome; we're actually going to be integrating this natively in our Hybrid Hunter, Security Onion Hybrid Hunter release that we're currently in the works with. But it's used for tracking those incidents, right, like as a team, so going in and maybe you

get alerts and you need to go investigate something and you need to attach observables and you need to have tasks associated with it, it's very good for that, and I'm going to talk about that in just a minute. It integrates well with MISP; they do a lot of work together to integrate and benefit each other, and again gather more context around events using each other's tools. It has a very feature-rich API as well. So a core concept within TheHive of course is going to be cases. Typically with an investigation you might have a case that you're working, right? So it's going to be populated with different observables and different information based on whatever you're doing, right, like maybe a threat level, tags or things like that.

Another feature that's pretty useful within TheHive is the ability to apply case templates, right? So what a case template is, it's going to be a template that you can apply to an alert when it's imported as a case. So typically with TheHive you'll receive an alert and you'll review that alert, and from there you can decide if you want to ignore it or mark it as read, or you can import that into a case, and a case template allows you to define repeatable functions, right, that maybe an entry-level analyst performs, or even stuff that, if you have a lot of stuff that you do regularly that you don't want to keep reminding yourself to do, or maybe you're not sure of and you don't have to keep looking back, just put it as a task in a case template and then it'll be generated in the case every time you go to perform the investigation that's based on particular attributes. For example, if you have an alert that contains the word Trojan in it or, you know, ransomware in it, you can have a case template based on that, right? So you can basically have it import those tasks based on whatever you're looking for or whatever you're looking at.

Again, there's alerts that can be generated from a noteworthy event from the external source, and generally it'll offer maybe a snippet of what may be going on, of course, but you're going to have to do more investigation to get more context. It can be merged into a case if further investigation is needed, as I mentioned just a second ago, or it can just be discarded. Again, there's observables that I mentioned that can be IP addresses, domains, hashes, actual files, things of that nature, or something else; you know, altogether you can define your own observable types for your organization and you can go from there. Another function or feature that ships with TheHive, or at least is, you know, native to TheHive's core framework, is going to be Cortex. So Cortex has these

things called analyzers. So they're going to take the data in the cases, right, and you can run these analyzers against them and then you can get more context around them, right? So you can get more data about them or at least some kind of reputation, or, you know, help you make some determination on these. Some of these default analyzers include Cuckoo Sandbox, so you could send a file to the sandbox automatically, right; GreyNoise, you could look up the reputation of the IPs, right; MISP, I mentioned that before; and many, many more. Again, TheHive offers a feature-rich API; you can use the TheHive4py Python client and you can create a case from that, you can attach observables, right, you can attach a task to a case through the API, and you can also raise an alert, which can be pretty useful from external entities. And right here I've got an example, basically, where I've run a flow in Google GRR and then I've attached the resulting zip file using the same Python script to TheHive, right? So these are just examples of how you can automate processes and add that context into the event and go from there and hit the ground running when you see that alert.

Now another way that we can alert to TheHive using that API is going to be ElastAlert, so we have this in our documentation down here at this link, but you can create an ElastAlert rule to use a hive alerter, right? What this one does right here will match for any alerts right here; it actually doesn't show that it does at the top. OK, event_type: snort, so we're going to alert on any IDS events, all right, any NIDS events, and then we're going to push those to TheHive and we're going to attach the source IP and the destination IP. So it's pretty cool to be able to do that, but you do want to be careful with the types of events and the volume of events that you're pushing. Of course there are different options in the ElastAlert rules themselves to help you limit that, and there are also different filtering techniques you can use with that query or the search terms there.

Now that's all fine and dandy, but what if we want a little bit more? Maybe we want to push it from something like Kibana or from a web interface and, you know, perform a little more automation in that manner. So we can certainly do that with TheHive and with some other endpoints. So another thing that we can use is something called SOCtopus, kind of a silly name, but it's like an octopus for the SOC, OK? So what we think of here is reaching out to different endpoints and performing different actions based

on whatever you're trying to do or whatever you're looking for, right? So we have some endpoints here in SOCtopus to push, again, that Flask API. We have some different endpoints for TheHive, MISP, RTIR, FIR, GRR, planned for Velociraptor; you can do it natively with Slack and also with Strelka. And again, this is something that is kind of a leap with the current Security Onion; it's more of a POC, but will be something that's natively integrated in the next Hybrid Hunter release. Again, the date on that is not necessarily confirmed, but just keep an eye out for blog posts and other info on that, but you will be able to use SOCtopus, or at least mess with it, in the Hybrid Hunter alpha release, Alpha 2, we just released yesterday, so you can check that out. And also from my GitHub repo you can add it to an existing deployment. So some things that you can do with SOCtopus:

All right, say I've got an event here, right? Here you go, it's a different event, actually.

All right, let's do this one. So all right, I got this event, right, a network Trojan was detected. So kind of the methodology here is that, you know, you've got events that you want to automatically alert on, right, maybe high fidelity alerts; maybe you do that with ElastAlert and send it to TheHive or somewhere else or to MISP. But maybe other ones that you're not sure about, or you come across when you're hunting, right, in Kibana, you're aggregating data, you're looking at stuff and you see something that looks unusual, maybe you want to push that to somewhere for further investigation. So we can do that by simply clicking this link here, send to TheHive. It's going to take this as an alert, and albeit this is done a little bit better in Hybrid Hunter, it's formatted a little bit better, but what we can do here, we can see that, all right, 14:45, ET TROJAN Vidar Stealer Client Data Upload, we see that here, we can preview it. We've got a description of that alert there, we've got some observables, a source IP and a destination IP there, right, and these are going to be agnostic, source and destination agnostic, because when you're searching through these you want to see the matches, right, unless you're doing your own filtering. And then we've also got the sensor here and the interface name it came from, and so, you know, if we had case templates applied, we're going to import this into a particular, you know, Trojan or infection template or something like that, right?

So there's lots of stuff you can do there with regard to TheHive. You could go further and add additional Cortex analyzers to enrich that data, but, you know, at least part of the data, you know, taking the data, copying and pasting, going and creating an event, doing all this other stuff, you can ignore that. Yeah, don't, nothing to see here. Yeah, that's actually not an artifact of TheHive, that's more of the way I have it set up right here. But, um, but yeah, I mean it's more about expediting that process and getting more of that context more quickly.

And we can do the same thing with MISP, right? We have an endpoint for MISP, and send it to MISP, all right. So there it is, we just sent it to MISP, and I can list any attributes. Oh wait, that's not true. Let me see here, I know I wasn't able to see you earlier. All right, yeah, so we can see this event here, and of course it's going to have that alert populated into the info data, and you can go from there adding additional attributes, or you can populate those through SOCtopus, right, with a little additional effort. So that's pretty cool. This is just some examples, right, of how you can use SOCtopus or that Flask API to go ahead and try to automate some of that when you're doing hunting or other types of activity. Yep?

No, that I have considered something like that, honestly. Let's see, so using the update API to update a field or add an additional field, right, like you're saying, an acknowledged field, so that's something definitely that I've considered and may pursue, but that's a really good question. Yeah, we actually considered using that, actually performing an update and using it kind of like a queue, but it just, I don't know, there wasn't enough stuff there, I think, to really orchestrate that really well and, you know, in a large fashion. When I'm saying you, you're like, yeah, you know, you know who you are, yeah, yeah. I'd love to talk about that more.

All right, so another thing, another great open-source tool, Velociraptor. Has anybody heard of Velociraptor? OK. Anybody heard of GRR, Google GRR? OK, so Velociraptor: Michael Cohen actually used to develop, or, you know, I guess help develop, Google GRR. He used to work at Google, now he's at Velocidex. All right, so Velociraptor is kind of a fork of GRR, or really a rebuild based on a lot of the principles. Maybe GRR is really rigid in nature, and, you know, Mike's vision here, I think, was to kind of take away some of that complexity and rigidity and allow people like incident responders to really use the tool for what they want, for what they want to look for, and not use what's, you know, provided, what you have to use. So they make it very easy to integrate with and to customize.

So again, you know, the focus there is simplifying architecture, improving performance; performance is pretty good compared to GRR, I have to say, not to bash GRR. By default it performs no analysis itself; data collection is really that primary use case, and it's got its own syntax, similar to SQL, called VQL. That's, you know, of course, there's a little bit of a learning curve there, but, you know, once you get familiar with that it can be very powerful, very powerful. Sorry, it's water. So ways in which you can deploy Velociraptor, there are a few different

ways. A standalone deployment, of course; you can install it on a box. I've got it on a demo box right here, just standing up; it's a Go executable, right, so I just execute that Go binary and go from there. And you can deploy it in the cloud: you can have agents to put on machines and reach up there and have your, you know, your master server or your Velociraptor server in the cloud, which can be pretty convenient if you're going on things like client engagements, right, and going in and connecting up stuff, or you have distributed stuff, you know, all over the place. And you can interact with the triage: you can take it, go run it on a host, collect the artifacts and then go analyze those artifacts. So it's pretty flexible in how it can operate.

So that VQL I mentioned really is that framework for creating these highly customized artifacts that you can collect, right, and you can pretty much create your own artifacts to look for pretty much anything you want. And some of these artifacts, you know, they're going to be different types, like client artifacts, right? So client artifacts are going to run directly on the host; things like process creation are going to be monitored, you know, network events, and then, you know, you can perform post-processing on those later using these server artifacts. So you can look at all these different things, right, and then filter out certain things and then find what you want to look for, and then either alert on that or do further post-processing on those artifacts.

And other things you can do, naturally, this is not released yet in an official release, but you can use stuff like elastic flows uploads, so you can stream this directly to Elastic. I believe they use the Go Elasticsearch plugin there to do that, but again this was just committed a few days ago; it's not an official release but should be very soon. So given that, we can stream, you know, client artifacts and these server artifacts straight through Security Onion running the Elastic Stack, right, so it's pretty neat to be able to take that data and then easily aggregate on it and review that information and tie it in with all these other data sources that we have, again providing even more context around events occurring in our network.

To give you an example of that, and real quick just to show you Velociraptor, so I've got it running here, the server. It's a fairly simple interface, you know, kind of a no-frills kind of thing. Let me see if I can go back home here. All right, so this is just, again, the interface here, just the server status here is what you've got up front. You've got some other things here like a hunt

manager. You can view different artifacts that you want to create or edit, so if I look here I've got some; I've got one right here, a custom elastic flow upload, and you can see some of that VQL there, but I'm basically specifying to send this off to Elasticsearch here after I post-process these client flows. Okay, the hosts here: so I've also got a host here; it's a Vagrant box, Vagrant 2016, and you can see all the data that was collected on this host, all these flows that were run on here, and see the different results here. All right, and just to give an example of some of these, so you see

these registry mount points; you see network listening ports. So this ATT&CK stuff is based on the MITRE ATT&CK framework, and so I think they were generated from the OSQuery packs. But you see other stuff like prefetch, evidence of execution; I mean, there's just tons of stuff on here. So if I search Windows, it gives you an example of each of these: so you see the applications, Chrome, Chocolatey, Office macros, all this good stuff, right; volume shadow copies, right, VSS; yet Kerberoasting you can detect, right; you got forensics file name, you can search for files, right; you can do a forensics timeline; KAPE targets, so if you're running KAPE and you got KAPE targets

that you want to collect, you can do that. All right, this NTFS $I30: I can check for deleted files, right; so right here you can carve that $I30 index for a directory. All right, this dream I see... what else, where is it, there's also so stuff lat

Yeah, so you can also use YARA, right, to scan process memory and then you can stream those results back to Elastic. It's pretty powerful whenever you consider, you know, the ability to perform this remote forensics; you can do this across a whole fleet of hosts, right. You can schedule hunts across all your hosts and look for different files or different artifacts like this, and then have them stream back to Elastic. And to give an example of how you can visualize that, I've got a dashboard here

where it's sending it straight to Elastic. Let me do this. So I've actually got to... how is that reported? But you can see all this different data, right: you can see my artifact count here; you can see the different artifact types, system services, the network stuff, ATT&CK stuff; you got the different host names here, different sources for, you know, where these artifacts came from, right; different names of processes and artifacts and file names. Just tons of stuff to pore through. I'm not going to go over it right here, but you can see how far you can take this when you're doing your investigations, and then stream the results right back in, then have it for review for later or for

now, right. So then real quick, I just wanted to show you, let's see, I guess one last thing; I've got about, let's see, it's probably seven minutes here. Uh, Strelka. So one last tool I'm gonna discuss: it's an open source file scanning framework, not file scanning framework but a file analysis framework and file scanning system, sorry, that's written in Go and Python 3.6 with gRPC, and it's awesome for using to take those extracted files that Bro produces from your network sensors and then send those off for further analysis, right. So a few use cases here are really gonna be things like extracting nested files from other files, right; identifying malicious scripts and files; looking at import

functions for Mach-O files and even Linux ELF stuff. All right, and you can even, from Strelka itself, send that stuff to Cuckoo or an inbox to get reputational information or things of that nature. Scan results are gonna be native JSON; you can specify snake or camel case. It's got built-in log management and compression, certain features. You know, some of the things, examples of things that it'll provide, other than, you know, the tons of other useful data: things like entropy scores, right, so you can check for compression or encryption, potentially identify ransomware; check imphashes, and those import functions I referred to are gonna be super useful to be able to look at, especially, you know, looking at

those import hashes and other things, other different hashes; tons of hashing that goes along in there, like ssdeep, what else is there, of course the imphash, SHA-256, SHA-1, etc. And then we can also take, you know, this extracted file name; we can tie this in, you know, in Kibana, then we can pivot over from the Bro, or it's the extracted Bro file, and vice versa. So, you know, how it all integrates, really: again, we can bring all this data back into Elasticsearch and look at it in Kibana, get, again, more context, right. So say I have a Bro, you know, I have this extracted file I want more information on, and this is, again, it's

gonna be helped by SOCtopus to help automate some of this. But okay, all right, so what I'm looking for here is just a Bro files entry that has an extracted file, so it's gonna be residing on that network sensor where it extracted it from the network stream. Oh goodness, I am the worst. Oh no, for some reason it keeps getting stuck whenever I... yeah, I get better... yeah, okay, yeah, for some reason it keeps... I don't know, I'm the worst. All right, so yeah, I'm looking for, you know, any entry related to the file that was extracted; I want to get more information about that file. All right, so I can click here, scan with Strelka.

All right, what I'm gonna get: I'm gonna get a screen saying that, you know, this file has been processed, and if I want to search for it I can go do that. So it's gonna take just a minute; I do have a cron job running that's actually looking for any jobs that want to be executed, and then it's gonna go take that and it's gonna go copy it over to a directory where I have Strelka monitoring. So this is useful if you don't want to run Strelka on all of your, you know, extracted files and have to have all of that log data or all of that performance hit, and you can do it on demand like this, and

it's very useful in that manner. So then if I go back and search, I'm just gonna do the last 15 minutes; I don't get anything just yet, I should in just a minute though, I'll give it a second. But what we'll see is that it will, you know, it'll populate that and perform that on-demand scan, and it's very helpful, again, for conserving resources, disk space, and all that kind of stuff. So here it is. All right, so we actually got nine hits; that's because this particular executable, as you know, is comprised of these nine different sections. All right, so there are different scan results for each of these that we can go through in just a minute here; I'll try to show you

right here. All right, so we can see the different scanners that it's using: the file scanner right here, we get some different file information, you know; the scan PE section, you can see right here; the file source; we get hash information. If we scroll down to this one down here, I believe it's this one, we get all sorts of goodness that can later, you know, honestly be parsed into their own fields, but all this stuff from stuff like ExifTool, right; so you might run ExifTool manually on files; this does all this for you. All right, so we see these different keys, like source file, ExifTool version, file name, file modify date, all sorts of stuff, and this, if I can get

some better stuff... all right, select company names, and it's easy, or it's easier, to identify anomalies and suspicious things from this. And again, SOCtopus helps to simplify that and have it automated at your fingertips and come right back into the stack. And real quick before my time is up, I'm gonna show you a pretty dashboard where you can visualize all that.

I'm not saying it's super pretty, but it's something. But again, we see the, you know, the different, the nine logs are the nine sections that I was referring to, and we see some different details about these, and you can build your dashboard out to include whatever you like. But right off the bat we see things like the section names, right, the file size, so you can look for things like that; entropy scores; MIME types; we see the node from which the file came, so if we're trying to find out which Strelka node, if we have a cluster of those, it came from, we can figure that out pretty easily; character sets, OSes, and

subsystems, whether it's a DLL or what kind of file it is, and all this other hash information, and lots of good stuff we could add in there. It's just there's too many for me to make, you know, something that appeals to everybody; it's just, you know, you want to tune it to what your organization deems important and is looking for, and just go from there. But other than that, that is about it for Strelka. All right, so all together now, here's kind of... and this was actually, I have not updated this for Velociraptor; this is for when I was using GRR, but it still gives you a good idea of kind of the flow of all these
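The Strelka portion of the talk lists what a scanner emits per file: hashes for pivoting, entropy scores that hint at compression or encryption, and per-section detail for PE executables. The following is an added illustration, not Strelka's or Security Onion's code: a small Python triage routine that hashes a buffer, computes Shannon entropy, walks the PE section table and flags high-entropy sections. The PE image is constructed in memory for the demo (it is not a real program), and the 7.0 bits-per-byte threshold is an assumed starting point that a team would tune.

```python
"""
Added file-triage example in the spirit of what the talk describes for Strelka.
Not Strelka's code. The PE buffer below is constructed for the demo.
"""
import hashlib
import json
import math
import struct
from collections import Counter

HIGH_ENTROPY = 7.0            # assumed triage threshold (bits/byte); tune per environment
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER layout, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued input, 8.0 for a flat histogram."""
    if not data:
        return 0.0
    counts = Counter(data)
    if len(counts) == 1:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def hashes(data: bytes) -> dict:
    """Plain digests of the whole buffer, the kind of fields you pivot on in Kibana."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def pe_sections(data: bytes) -> list:
    """Parse the COFF section table; raise ValueError if the buffer is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]    # NumberOfSections
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]       # SizeOfOptionalHeader
    table = coff + 20 + size_opt                                  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HDR, data, table + 40 * i)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append({"name": name, "raw_size": fields[3], "raw_ptr": fields[4]})
    return sections


def triage(data: bytes) -> dict:
    """Flat report: hashes, whole-file entropy, per-section detail and triage flags."""
    report = {**hashes(data), "size": len(data), "entropy": round(shannon_entropy(data), 3),
              "sections": [], "flags": []}
    try:
        headers = pe_sections(data)
    except ValueError as exc:
        report["flags"].append(f"not a PE image: {exc}")
        return report
    for hdr in headers:
        start, end = hdr["raw_ptr"], hdr["raw_ptr"] + hdr["raw_size"]
        if end > len(data):  # truncated or malformed section table
            report["flags"].append(f"section {hdr['name']} overruns file")
        raw = data[start:end]
        ent = shannon_entropy(raw)
        suspicious = ent >= HIGH_ENTROPY
        if suspicious:
            report["flags"].append(f"high-entropy section {hdr['name']}")
        report["sections"].append({"name": hdr["name"], "size": len(raw), "entropy": round(ent, 3),
                                   "sha256": hashlib.sha256(raw).hexdigest(), "suspicious": suspicious})
    return report


def build_sample_pe() -> bytes:
    """Constructed PE-shaped buffer with two sections: a compressible .text and a 'packed' .pack."""
    text = b"A" * 512
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))  # 1024 deterministic high-entropy bytes
    opt_size = 224
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    opt = b"\0" * opt_size
    sec_hdrs = b""
    for name, raw, ptr, chars in ((b".text", text, 512, 0x60000020), (b".pack", packed, 1024, 0xE0000020)):
        sec_hdrs += struct.pack(SECTION_HDR, name, len(raw), ptr, len(raw), ptr, 0, 0, 0, 0, chars)
    image = dos + b"PE\0\0" + coff + opt + sec_hdrs
    return image + b"\0" * (512 - len(image)) + text + packed


if __name__ == "__main__":
    print(json.dumps(triage(build_sample_pe()), indent=2))
```

Running the script prints the report for the constructed image: `.text` scores 0.0 bits per byte, `.pack` scores close to 8.0 and is flagged, which is the pattern an analyst would look for in a dashboard of section entropies before pivoting on the hashes.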

things together. Again, you may or may not implement these things together; you may not do these things at all; you may think I'm stupid, but again, just some ideas and some of the tools that are referenced here. And if you want to drop me a line, my information's available here; just hit me up and let's have a conversation. And that is it.

All right, so anybody who was paying attention: does anybody know of any... give me one second, y'all can't cheat. Sorry, I'm terrible with these questions; I can't type my super long password either. All right, so can anybody give me an example of the attributes or the benefits that Strelka can provide? Right, that works. Okay, I guess I should have announced this, but this is an each app 2003. Congratulations. [Applause]

All right, next up: Blue Team Handbook by none other than Don Murdoch. All right, so can anybody tell me a Cortex analyzer available with Cortex? Anybody remember? Yes, actually, very good; I didn't say that one, but there is, so I couldn't tell you no. Thank you. All right, no problem. That's it for the prizes; sorry, I'm kind of not a great prize presenter, but that's what you get. So thanks for coming, guys, I really appreciate it; y'all have a good one.