Six necessary threat tracking tools for threat hunters
2022-06-26 19:06:00 【qfxietian】
Faced with a flood of intelligence and digital traces, every threat hunter has a familiar set of tracking methods and tools. Although there are informal channels through which threat hunters share knowledge and tools, public knowledge still matters for novice hunters. Below we have compiled six essential tools that every threat hunter should keep within reach, for your reference:
Kansa
Kansa is a very useful tool for threat hunting and incident response; it is a "modular incident response framework in PowerShell". Its main function: it "uses PowerShell Remoting to run user-contributed modules across enterprise hosts to collect data, for use in incident response, attack tracing, or establishing an environment baseline."

This makes it easier to collect large volumes of data and, more importantly, lets you build a baseline faster. One of the biggest challenges hunters face is probably establishing a baseline of what "normal" looks like in their environment. Kansa can greatly speed up that task.
Microsoft Sysinternals Kit
You may be surprised to see a Microsoft tool on the list, but Microsoft's Sysinternals suite is really not to be missed. It has three components that are especially important for threat hunters:
Process Explorer: think of it as an advanced version of Task Manager. It lets hunters not only view processes but also see the DLLs each process has loaded and the registry keys it has open. This is very useful when looking for suspicious or malicious behaviour.
Process Monitor: similar to Process Explorer, but focused more on the file system; it helps hunters find "interesting" changes that may be taking place.
Autoruns: this program detects suspicious applications that run at startup, which is very convenient for finding persistence traces on the system.
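The baselining idea behind Kansa, and the startup entries Autoruns exposes, come together in "stacking": collect the same artefact from every host, count on how many hosts each distinct entry appears, and look first at the rarest ones. The example below is added here and is not Kansa's, Autoruns' or Sysinternals' code; the record layout (host, location, image, signer) and the sample fleet data are constructed for illustration, and the review heuristics are the author's own assumptions about what merits a second look.

```python
from collections import defaultdict

RUN_HKLM = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
RUN_HKCU = "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
FLEET = ("ws01", "ws02", "ws03", "ws04", "ws05")

# Constructed sample records: what a per-host autorun collection might look
# like once normalised to (host, location, image, signer). Not real telemetry.
SAMPLE_RECORDS = (
    [{"host": h, "location": RUN_HKLM,
      "image": "C:\\Windows\\System32\\SecurityHealthSystray.exe",
      "signer": "Microsoft Windows"} for h in FLEET]
    + [{"host": h, "location": RUN_HKLM,
        "image": "C:\\Program Files\\ExampleAV\\agent.exe",
        "signer": "Example AV Ltd"} for h in FLEET]
    + [
        {"host": "ws03", "location": RUN_HKCU,
         "image": "C:\\Users\\bob\\AppData\\Roaming\\svchost.exe",
         "signer": "(Not verified)"},
        {"host": "ws05", "location": RUN_HKCU,
         "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
         "signer": "(Not verified)"},
    ]
)


def stack_entries(records):
    """Group records by (location, image, signer) and collect the hosts that
    have each one. Paths are lower-cased because Windows ignores case."""
    hosts_by_entry = defaultdict(set)
    for r in records:
        key = (r["location"].lower(), r["image"].lower(), r["signer"])
        hosts_by_entry[key].add(r["host"])
    return hosts_by_entry


def baseline_and_outliers(records, min_share=0.5):
    """Entries present on at least min_share of the fleet form the baseline;
    everything else is an outlier, returned rarest first."""
    total_hosts = len({r["host"] for r in records})
    baseline, outliers = [], []
    for key, hosts in stack_entries(records).items():
        share = len(hosts) / total_hosts
        row = {"entry": key, "hosts": sorted(hosts), "share": share}
        (baseline if share >= min_share else outliers).append(row)
    outliers.sort(key=lambda row: (len(row["hosts"]), row["entry"]))
    return baseline, outliers


def review_reasons(entry):
    """Assumed heuristics for why an outlier deserves analyst attention."""
    _location, image, signer = entry
    reasons = []
    if signer == "(Not verified)":
        reasons.append("unsigned or unverifiable image")
    if "\\appdata\\" in image or "\\temp\\" in image:
        reasons.append("image lives in a user-writable profile directory")
    name = image.rsplit("\\", 1)[-1]
    if name in {"svchost.exe", "lsass.exe", "csrss.exe"} and not image.startswith("c:\\windows\\system32\\"):
        reasons.append("system binary name outside System32")
    return reasons


if __name__ == "__main__":
    baseline, outliers = baseline_and_outliers(SAMPLE_RECORDS)
    print(f"{len(baseline)} baseline entries, {len(outliers)} outliers")
    for row in outliers:
        print(row["hosts"], row["entry"][1], "->", "; ".join(review_reasons(row["entry"])))
```

Feeding this the output of a real fleet-wide collection turns "what is normal here?" into a count: the two entries on all five hosts become the baseline, and the two single-host entries under user profiles are what the hunter opens first.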

Kroll Artifact Parser and Extractor (KAPE)
KAPE (Kroll Artifact Parser and Extractor) is a tool widely used by incident response professionals and digital forensics analysts. KAPE lets the analyst specify "targets" (essentially specific locations in the file system), then automatically collects all the evidence and parses the results. But it is more than a glorified copy-and-paste tool: it also parses associated and related data (such as EvidenceOfExecution and BrowserHistory) to speed up triage and analysis.
This tool is especially valuable for threat hunters when they need to collect relevant information from a host during a hunt.
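To make the "target" idea concrete, the following added example (not KAPE's code, and not its target format) defines two named targets as glob patterns relative to a volume root, copies every matching file into a collection directory while preserving the original relative path, and writes a manifest with a SHA-256 per file so the copies can be verified afterwards. The target names are taken from the text above; the volume contents and patterns are constructed for the demonstration, and the whole thing runs inside a temporary directory.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Constructed target definitions in the spirit of named "targets": each name
# maps to glob patterns relative to the root of the collected volume.
TARGETS = {
    "EvidenceOfExecution": [
        "Windows/Prefetch/*.pf",
        "Windows/appcompat/Programs/Amcache.hve",
    ],
    "BrowserHistory": [
        "Users/*/AppData/Local/Google/Chrome/User Data/Default/History",
    ],
}

# Constructed stand-in for a mounted volume: only some files are artefacts.
SAMPLE_FILES = {
    "Windows/Prefetch/NOTEPAD.EXE-D8414F97.pf": b"constructed prefetch bytes",
    "Windows/appcompat/Programs/Amcache.hve": b"constructed amcache bytes",
    "Users/alice/AppData/Local/Google/Chrome/User Data/Default/History": b"constructed sqlite bytes",
    "Users/alice/Documents/notes.txt": b"not an artefact, must not be collected",
}


def build_sample_volume(root: Path) -> None:
    for rel, data in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(root: Path, out: Path, targets: dict) -> list:
    """Copy every file matched by a target into out/, keeping the relative path
    so the evidence's original location survives, and hash each source file."""
    out.mkdir(parents=True, exist_ok=True)
    manifest = []
    for name, patterns in targets.items():
        for pattern in patterns:
            for src in sorted(root.glob(pattern)):
                if not src.is_file():
                    continue
                rel = src.relative_to(root)
                dst = out / rel
                dst.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(src, dst)  # copy2 preserves timestamps
                manifest.append({"target": name, "path": rel.as_posix(), "sha256": sha256_of(src)})
    (out / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(out: Path, manifest: list) -> bool:
    """Re-hash the copies and compare against the manifest."""
    return all(sha256_of(out / entry["path"]) == entry["sha256"] for entry in manifest)


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        root, out = Path(tmp) / "volume", Path(tmp) / "collection"
        build_sample_volume(root)
        manifest = collect(root, out, TARGETS)
        return manifest, verify(out, manifest)


if __name__ == "__main__":
    manifest, ok = run_demo()
    for entry in manifest:
        print(entry["target"], entry["path"], entry["sha256"][:12])
    print("copies verified:", ok)
```

The manifest is the part worth keeping: it records which target each file came from, where it lived, and its hash at collection time, which is what lets a second analyst trust the copy later.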
GHIDRA
If you are already a veteran of malware reverse engineering, tools such as IDA Pro and GHIDRA will be no strangers to you; the latter was designed by a secretive research directorate of the National Security Agency. GHIDRA provides security researchers with a debugger, a hex editor, a disassembler and other tools, and it is completely free.
When it comes to threat hunting, reversing malware to understand its inner workings can be critical!

Regshot
Regshot is like a screenshot tool combined with the Linux "diff" command-line tool, but for your registry. It helps threat hunters quickly and easily take a complete "snapshot" of the registry, then take a second "snapshot" and find the differences.
This is very useful when a threat hunter wants to see what has changed relative to the baseline, including when something may have changed between system restarts.
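The snapshot-and-diff idea is simple enough to show end to end. The example below is added here and is not Regshot's code: it represents each snapshot as a mapping from key path to value name/data pairs (a constructed layout, not Regshot's file format), compares the two the way the registry itself does (key and value names case-insensitive, data compared exactly), and prints a report in the added/deleted/modified shape Regshot users will recognise. The before/after snapshots are constructed sample data.

```python
# Constructed "before" snapshot: key path -> {value name: data}.
BEFORE = {
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run": {
        "SecurityHealth": "C:\\Windows\\System32\\SecurityHealthSystray.exe",
    },
    "HKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time": {"Start": 3},
    "HKCU\\Software\\ExampleApp": {"Installed": 1},
}

# Constructed "after" snapshot. Note the Run key is spelled with different
# case: the registry treats it as the same key, and so must the diff.
AFTER = {
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run": {
        "SecurityHealth": "C:\\Windows\\System32\\SecurityHealthSystray.exe",
        "Updater": "C:\\Users\\bob\\AppData\\Roaming\\updater.exe",
    },
    "HKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time": {"Start": 2},
    "HKLM\\SYSTEM\\CurrentControlSet\\Services\\ExampleSvc": {
        "ImagePath": "C:\\ProgramData\\ExampleSvc\\svc.exe",
        "Start": 2,
    },
}


def _normalise(snapshot):
    """Lower-case key and value names for comparison, remembering the original
    spelling so the report shows what the analyst would see in regedit."""
    out = {}
    for key, values in snapshot.items():
        out[key.lower()] = (key, {n.lower(): (n, d) for n, d in values.items()})
    return out


def diff_snapshots(before, after):
    b, a = _normalise(before), _normalise(after)
    diff = {"keys_added": [], "keys_deleted": [], "values_added": [],
            "values_deleted": [], "values_modified": []}
    for k in sorted(set(b) | set(a)):
        if k not in b:  # whole key is new: every value in it is new too
            diff["keys_added"].append(a[k][0])
            diff["values_added"] += [(a[k][0], n, d) for n, d in a[k][1].values()]
            continue
        if k not in a:  # whole key is gone
            diff["keys_deleted"].append(b[k][0])
            diff["values_deleted"] += [(b[k][0], n, d) for n, d in b[k][1].values()]
            continue
        key_name, bv = b[k]
        av = a[k][1]
        for n in sorted(set(bv) | set(av)):
            if n not in bv:
                diff["values_added"].append((key_name, *av[n]))
            elif n not in av:
                diff["values_deleted"].append((key_name, *bv[n]))
            elif bv[n][1] != av[n][1]:
                diff["values_modified"].append((key_name, bv[n][0], bv[n][1], av[n][1]))
    return diff


def format_report(diff):
    """Render the diff as text lines, ending with a total like Regshot does."""
    lines = []
    for section, rows in diff.items():
        lines.append(f"{section}: {len(rows)}")
        for row in rows:
            if section.startswith("keys"):
                lines.append(f"  {row}")
            elif section == "values_modified":
                key, name, old, new = row
                lines.append(f"  {key}\\{name}: {old!r} -> {new!r}")
            else:
                key, name, data = row
                lines.append(f"  {key}\\{name}: {data!r}")
    lines.append(f"Total changes: {sum(len(rows) for rows in diff.values())}")
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(diff_snapshots(BEFORE, AFTER))))
```

On the sample data the report shows a new Run value pointing into a user profile, a service start type changed from manual to automatic, a deleted application key and a brand-new service key: exactly the kind of baseline-to-now changes the passage above describes.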

UACME
Finally, a recommended penetration-testing tool that should only be used lawfully and under the guidance of professionals. UACME (or UAC-ME) lets anyone bypass Windows User Account Control easily using a variety of methods. For incident investigators and digital forensics staff, this tool can greatly simplify the workflow.

For newcomers to cybersecurity, threat hunting is often daunting: partly because of the steep technical barrier and learning curve, and partly because information sharing is fragmented, so that unless you join a community it is hard to learn and exchange skills. I hope the recommendations in this article serve as a starting point and help you find your favourite tools.
What are your favourite tools for security analysis, threat hunting or digital forensics investigation? Feel free to leave your recommendations in the comments.
- End -