SysmonHunter

The Top 30 Mitre Attack Open Source Projects (ATT&CK在Github中，重要熱門專案)：https://awesomeopensource.com/projects/mitre-attack

防護APT攻擊的必學戰略：MITRE ATT&CK框架https://www.ithome.com.tw/article/131277

https://www.itu.int/en/ITU-D/Cybersecurity/Documents/CyberDrill-2020/Cyber%20Threat%20Hunting%20Workshop%20-%20ITU%2019112020.pdf

其中2019 BlackHat Arsenal的SysmonHunter以Github得到1294顆星星名列第四，https://github.com/baronpan/SysmonHunter

Preliminary study

EvtxToElk: A Python Module to Load Windows Event Logs into ElasticSearch, https://www.dragos.com/blog/industry-news/evtxtoelk-a-python-module-to-load-windows-event-logs-into-elasticsearch/

(Medium) LogonTracer is a tool to investigate malicious logon by visualizing and analyzing Windows Active Directory event logs. https://github.com/JPCERTCC/LogonTracer

(Easy-Medium) Analyzing Packet Captures with Python, https://vnetman.github.io/pcap/python/pyshark/scapy/libpcap/2018/10/25/analyzing-packet-captures-with-python-part-1.html

(Easy) Using Python Pandas for Log Analysis, https://akshayranganath.github.io/Using-Python-Pandas-for-Log-Analysis/

Hacking communities in the deep web [updated 2021], https://resources.infosecinstitute.com/topic/hacking-communities-in-the-deep-web/

How to Elastic SIEM (part 1), https://itnext.io/how-to-elastic-siem-part-1-a39167b8bd23

(*) Detecting Signs of Ransomware: WannaCry and the Elastic Stack, https://www.elastic.co/blog/malware-analysis-wannacry-elastic-stack

Elastcisearch, WannaCry在系統惡意行為(1~2 teams)-> Threat Hunting

Threat Hunting with Windows Event Logs & Sysmon, https://www.netscylla.com/blog/2020/02/01/Threat-hunting-with-Windows-Event-Logs.html

Windows EVTX Samples [200 EVTX examples]:, https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES

(*) A Python package to interact with MITRE ATT&CK Frameworks, https://github.com/swimlane/pyattck

ThreatHunting-book, https://github.com/12306Bro/Threathunting-book

Learning the Associations of MITRE ATT&CK Adversarial Techniques, https://arxiv.org/pdf/2005.01654.pdf

EVTX2CSV: https://github.com/jeriel20?tab=repositories

EVTX2XML: https://www.alishaaneja.com/evtx/

https://superuser.com/questions/1332580/is-there-a-powershell-way-to-convert-evt-to-csv

How to Elastic SIEM (part 1)Medium

Using Elasticsearch to Detect Signs of Ransomware like WannaCryElastic Blog

docker下安装elasticSearch报错：[1]: max virtual memory areas vm.max_map_count [65530] is too low

docker下安装elasticSearch报错：[1]: max virtual memory areas vm.max_map_count [65530] is too low-CSDN博客blog.csdn.net

Ubuntu16.04安装ElasticSearch、Kibana_kibana does not support the current node.js versio-CSDN博客blog.csdn.net

How to Elastic SIEM (part 1)Medium

系統實測

下載VM(Ubuntu 16.04 Desktop)

https://drive.google.com/drive/u/0/folders/1lXVJmMEvdYJ7YMsk_aaewLMwva-uNI6R

(password: password@@)

https://github.com/baronpan/SysmonHunter

sysmonhunter_server:

(OS: ubuntu 16.04)

Python 2.7

SysmonHunter實驗環境架構圖

期末作業

繳交時間 6/20前，以github連結繳交（透過LINE的回文貼上自己的github作業位置，建議連同之前作業，期末作業已專題報告形式呈現，題目可涵蓋本學期的課程範圍，以下幾個題目建議同學可以參考(3人以下)。

(1) SysmonHunter 系統建構與資料收容實證：以BlackHat 2019的Arsenal的SysmonHunter專案，透過Winlogbeat在個人電腦收集運作日誌，並透過SysmonHunter中的ATT&CK對攻擊類型的定義，進行入侵偵測，其中可演練一些知名的攻擊事件分析。

建議可先說明SysmonHunter這個工具的功能，接著說明如何運作，安裝實驗架構為何？Winlogbeat安裝設定方式，並收集電腦日誌進行分析。

Winlogbeat -> Elasticsearch -> winlogbeat(Index) -> SysmonHunter -> Behaviors -> Events

https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/tree/master/ https://github.com/williballenthin/python-evtx

(2) Python Data Analytics 分析資安日誌的異常事件：可參考利用Pandas對於Excel的檔案進行分析，並參考網路相關利用Pandas對於access log進行關聯與分析，並從其中找出異常事件。

建議可先說明參考資料的來源與內容，並將範例實作，將實作底結果做一個說明，最後說明實作困難點。

(3) 暗網探索：透過tor對於DarkWeb進行分析，可以從Reddit找出2021的DarkWeb位置清單，對於今年暗網的發展趨勢給予一個分析報告。