Cloud DFIR

https://github.com/schwartz1375/aws

Threat Hunting in AWS

Threat hunting – Making the jump from alert-based investigation to threat hunting

When thinking about threat hunting, you need a hunting strategy built for the environment you will be operating in. In AWS that means executing at scale and efficiently: the log volume (CloudTrail, VPC Flow Logs, Zeek) is large, so hunts have to be automated and scoped rather than ad hoc. What you can hunt for is also tied to the team's maturity (logging coverage, tooling, analyst skill).

Threat Hunting Lab

Set up Zeek. Corelight has an appliance. Needs a lot of log storage space (duh).

Use a scoring system. Assign points to each indicator (e.g., connection regularity, session-size consistency, long total connection time), sum them per source/destination pair, rule the lowest scores safe, and set a threshold above which high scores get investigated by hand. This turns the full conn.log into a short ranked list instead of a wall of rows.

Parse Zeek conn.log for the source/destination pairs with the most total connection time (sum of duration per pair, which surfaces both single long-lived sessions and pairs that reconnect constantly). The field is id.orig_h (not id_orig.h); zeek-cut is the current name of the tool, bro-cut on older installs. grep -v '-' drops rows whose duration is unset, and datamash needs its group keys sorted first:

zeek-cut id.orig_h id.resp_h duration < conn.log | grep -v '-' | sort | datamash -g 1,2 sum 3 | sort -k 3 -rn | head -10

Beacon detection: look at the interval between consecutive connections for a pair over a long period so the average settles on a consistent value and the jitter averages out. A random-looking client produces a flat, wide spread of intervals; a beacon with jitter configured (Cobalt Strike, for example) typically produces a bell curve centred on its sleep time.

You can also look at session size: heartbeat sessions (the implant checking in with nothing to do) are many short connections of very similar size, while activation sessions (tasking, download, exfil) show up as an occasional spike well above that baseline.
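The two beacon indicators above plus the scoring idea from the lab notes, as an added worked example (this is not Zeek's, Corelight's, or the original author's code). It assumes a zeek-cut style tab-separated extract of ts, id.orig_h, id.resp_h, id.resp_p, duration, orig_bytes and resp_bytes; the point weights (60 for interval regularity, 40 for size consistency) and thresholds are illustrative choices, and the traffic is constructed inline: one host checking in every 60 s with a few seconds of jitter and two large "activation" sessions, one ordinary client, and one pair with too few sessions to score.

```python
"""Beacon scoring over a Zeek conn.log extract (added example, not from the notes)."""
import statistics
from collections import defaultdict

# Assumed zeek-cut field order; Zeek prints unset fields as '-'.
FIELDS = ["ts", "id.orig_h", "id.resp_h", "id.resp_p",
          "duration", "orig_bytes", "resp_bytes"]


def parse_conn_lines(lines):
    """Parse tab-separated conn.log lines into dicts, skipping '#' header lines."""
    records = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        cols = line.rstrip("\n").split("\t")
        if len(cols) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, cols))
        rec["ts"] = float(rec["ts"])
        for k in ("orig_bytes", "resp_bytes"):      # '-' (unset) counts as 0 bytes
            rec[k] = 0 if rec[k] == "-" else int(rec[k])
        records.append(rec)
    return records


def interval_regularity(timestamps):
    """1.0 for perfectly periodic connections, 0.0 for random ones.

    Coefficient of variation (stdev / mean) of the gaps between consecutive
    sessions: a few seconds of jitter on a 60 s beacon keeps it near 1,
    ad-hoc browsing drives it to 0.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2 or statistics.mean(gaps) <= 0:
        return 0.0
    return max(0.0, 1.0 - statistics.stdev(gaps) / statistics.mean(gaps))


def size_consistency(sizes, tolerance=0.10):
    """Fraction of sessions within +/-tolerance of the median size.

    Heartbeats cluster tightly around one size; activation sessions are the
    spikes that fall outside the band.
    """
    median = statistics.median(sizes)
    if median == 0:
        return 0.0
    return sum(abs(s - median) <= tolerance * median for s in sizes) / len(sizes)


def beacon_scores(records, min_sessions=10):
    """Score each (orig, resp, port) tuple from 0 to 100 points."""
    pairs = defaultdict(list)
    for r in records:
        pairs[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(r)
    results = {}
    for key, rs in pairs.items():
        if len(rs) < min_sessions:
            continue                      # too few samples for a stable average
        ts = [r["ts"] for r in rs]
        sizes = [r["orig_bytes"] + r["resp_bytes"] for r in rs]
        ip, sp = round(60 * interval_regularity(ts)), round(40 * size_consistency(sizes))
        results[key] = {"sessions": len(rs),
                        "mean_interval": (max(ts) - min(ts)) / (len(ts) - 1),
                        "interval_points": ip, "size_points": sp, "score": ip + sp}
    return results


def triage(scores, safe_below=20, investigate_above=70):
    """Apply the scoring thresholds: lowest scores ruled safe, highest investigated."""
    safe = [k for k, v in scores.items() if v["score"] < safe_below]
    hot = [k for k, v in scores.items() if v["score"] >= investigate_above]
    return safe, hot


# --- constructed sample traffic (not real data) ---
BASE = 1700000000.0
_JITTER = [0, 2, -1, 3, 0, -2, 1, 0, 2, -3, 1, 0, -1, 2, 0, 1, -2, 0, 1, 0]
# Beacon: 60 s sleep with jitter; sessions 7 and 15 are large "activation" spikes.
_BEACON = [(BASE + 60 * i + j, "10.0.0.5", "203.0.113.10", "443", "0.41",
            2048 if i == 15 else 312,
            9100 if i == 15 else 48120 if i == 7 else 356)
           for i, j in enumerate(_JITTER)]
# Ordinary client: irregular timing, wildly varying session sizes.
_NORMAL_TS = [0, 3, 90, 92, 400, 401, 405, 900, 1600, 1601, 1700, 2300]
_NORMAL_SZ = [1500, 24000, 800, 310000, 5200, 9800, 2100, 60000, 1200, 45000, 7800, 3300]
_NORMAL = [(BASE + t, "10.0.0.7", "198.51.100.20", "443", "1.2", 400, s - 400)
           for t, s in zip(_NORMAL_TS, _NORMAL_SZ)]
# Too few sessions to score, with unset ('-') fields as Zeek writes them.
_SPARSE = [(BASE + t, "10.0.0.9", "192.0.2.3", "80", "-", "-", "-") for t in (0, 50, 1000)]
SAMPLE_LINES = ["#fields\t" + "\t".join(FIELDS)] + [
    "\t".join(str(c) for c in row) for row in _BEACON + _NORMAL + _SPARSE]

if __name__ == "__main__":
    scores = beacon_scores(parse_conn_lines(SAMPLE_LINES))
    for key, v in sorted(scores.items(), key=lambda kv: -kv[1]["score"]):
        print(key, v)
    print("investigate:", triage(scores)[1])
```

Against real data, feed it `zeek-cut ts id.orig_h id.resp_h id.resp_p duration orig_bytes resp_bytes < conn.log` over at least a day so the average interval settles; the beacon pair here scores in the 90s (regular 60 s gaps, 18 of 20 sessions the same size) while the ordinary client scores 0 and is ruled safe.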