When threat hunting, I have faced a lot of tedious, repetitive tasks. Luckily, my scripting skills helped me automate many of them. In this article I will try to demonstrate, through a few use cases, how Python scripting can help automate some tedious threat hunting tasks. Basic Python scripting skill is a prerequisite for this article.

Use Case 1 — Brute Force Detection

In this scenario, Winlogbeat is used to ship Windows event logs to Elasticsearch. Instead of going through the logs manually, we automate some of our tasks by scripting, mainly hunting for brute force attempts.

Lines 1 through 7 just import the modules: the elasticsearch module is used for communication with Elasticsearch and slackclient for communication with a Slack channel. A function is then created in line 8. The Slack and Elasticsearch objects are created in lines 9 and 12. Line 18 defines the body that is used as the query for Elasticsearch. In line 26 we actually query the index fun-2018.02.16 in Elasticsearch for all data. The loop starting in line 13 goes through the result and checks whether the event ID is 4625, which is a logon failure. The loop stores the failed-logon count for each user in a dictionary. The final loop goes through that dictionary and checks whether the threshold has been exceeded. Here the threshold is only 20; obviously it should be adjusted to your own requirements. If the threshold is exceeded, an alert is sent through Slack.
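The script the paragraph describes is not reproduced on this page, so here is an added example of the same hunt, written for this article and not the author's own code. It goes one step further than the description: instead of pulling the whole index and filtering in Python, it asks Elasticsearch for event ID 4625 only. The field names (`event_id`, `event_data.TargetUserName`), the Winlogbeat document layout, the hosts, the channel name and the sample documents are all assumptions; the index name fun-2018.02.16 and the threshold of 20 come from the article.

```python
"""Brute-force hunt: count Windows 4625 (logon failure) events per user and alert via Slack."""
from collections import Counter

THRESHOLD = 20            # same threshold as the article; tune to your environment
INDEX = "fun-2018.02.16"  # index name from the article

# Constructed sample documents in the Winlogbeat 6.x field layout (assumed here:
# top-level "event_id" and "event_data.TargetUserName"); ECS-style indices use
# "winlog.event_id" / "winlog.event_data.TargetUserName" instead.
def _doc(event_id, user, src_ip):
    return {"_source": {"event_id": event_id,
                        "event_data": {"TargetUserName": user, "IpAddress": src_ip}}}

SAMPLE_HITS = (
    [_doc(4625, "svc_backup", "10.1.2.3") for _ in range(25)]  # 25 failures: exceeds 20
    + [_doc(4625, "alice", "10.1.2.9") for _ in range(3)]      # 3 failures: benign
    + [_doc(4624, "alice", "10.1.2.9")]                        # a success: must be ignored
)

def count_failed_logons(hits):
    """Return {username: number of 4625 events} from a list of Elasticsearch hits."""
    counts = Counter()
    for hit in hits:
        src = hit.get("_source", {})
        if src.get("event_id") != 4625:
            continue
        user = src.get("event_data", {}).get("TargetUserName", "<unknown>")
        counts[user] += 1
    return dict(counts)

def detect_brute_force(counts, threshold=THRESHOLD):
    """Return only the users whose failed-logon count exceeds the threshold."""
    return {user: n for user, n in counts.items() if n > threshold}

def failed_logon_query(size=10000):
    """Query body that asks Elasticsearch for 4625 events only, not the whole index."""
    return {"query": {"term": {"event_id": 4625}}, "size": size}

def hunt(index=INDEX, es_hosts=("http://localhost:9200",), slack_token=None, channel="#hunting"):
    """Full pipeline: pull 4625 events, count per user, post one Slack message per offender."""
    # Imported here so the counting logic above runs without the two libraries installed.
    from elasticsearch import Elasticsearch
    from slackclient import SlackClient

    es = Elasticsearch(list(es_hosts))
    hits = es.search(index=index, body=failed_logon_query())["hits"]["hits"]
    offenders = detect_brute_force(count_failed_logons(hits))

    slack = SlackClient(slack_token)
    for user, n in offenders.items():
        slack.api_call("chat.postMessage", channel=channel,
                       text=f"Possible brute force in {index}: {n} failed logons for {user}")
    return offenders

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; call hunt() against a live stack.
    print(detect_brute_force(count_failed_logons(SAMPLE_HITS)))
```

One caveat a busy domain controller will hit quickly: a single search returns at most `index.max_result_window` documents (10000 by default), so on larger indices either page with the scroll or `search_after` APIs, or replace the Python counting with a terms aggregation on the user-name field and let Elasticsearch do the counting.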

Use Case 2 — Threat Intel Feed

You used to check every IP you saw in your SIEM against various threat intel feeds for its reputation, since there is no threat intel feed integration in your system, because you are poor, the company you work for is poor, and you are using a poor man's SIEM. In the beginning it was fun, but now it has turned into a chore. You need to automate it. You decided to go with Cymon. You set up the API key and are ready to go.

The URL is set up in lines 7 and 9 to query for IP and domain reputation respectively. Headers are added in line 10, the request is sent in line 11, and the result is printed or returned in line 13. Just a quick reminder: you are poor.
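Again the script itself is not on this page, so what follows is an added example of that lookup, written for this article rather than taken from the author. It keeps the same shape (one URL for IPs, one for domains, an auth header, a request) and adds two things a practitioner wants before pointing a SIEM at a third-party feed: private and loopback addresses are never sent out, and repeated indicators are cached so each costs one API call. The base URL, the `Token` header scheme and the response shape are assumptions (check the docs of whichever feed you use), the API key is a placeholder, and the `http_get` parameter exists so the logic can be exercised offline with a fake.

```python
"""Reputation lookup for IPs and domains seen in the SIEM, against a threat intel feed API."""
import ipaddress

# Assumed endpoint layout: <base>/ip/<ip>/ and <base>/domain/<name>/ with a token header.
# Verify against the documentation of the feed you actually use.
BASE_URL = "https://cymon.io/api/nexus/v1"
API_KEY = "REPLACE_WITH_YOUR_API_KEY"  # placeholder, not a real key

def classify_indicator(value):
    """Return 'ip' for a public IP, 'domain' for a hostname, or None for anything that
    must not leave the network (private, loopback, link-local, multicast, reserved)."""
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        name = value.strip().lower()
        return "domain" if name and "." in name and " " not in name else None
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return None
    return "ip"

def build_request(value, api_key=API_KEY, base_url=BASE_URL):
    """Pick the IP or domain URL and attach the auth header; None if the indicator is skipped."""
    kind = classify_indicator(value)
    if kind is None:
        return None
    url = f"{base_url}/{kind}/{value.strip().lower()}/"
    headers = {"Authorization": f"Token {api_key}", "Accept": "application/json"}
    return url, headers

def _requests_get(url, headers):
    """Default transport: the requests module, imported lazily so the rest works without it."""
    import requests
    resp = requests.get(url, headers=headers, timeout=10)
    resp.raise_for_status()
    return resp.json()

def lookup(value, api_key=API_KEY, http_get=_requests_get):
    """Look one indicator up. http_get(url, headers) -> dict can be swapped for a fake."""
    req = build_request(value, api_key)
    if req is None:
        return {"indicator": value, "queried": False, "reason": "not a public IP or domain"}
    url, headers = req
    return {"indicator": value, "queried": True, "url": url, "data": http_get(url, headers)}

def lookup_many(values, api_key=API_KEY, http_get=_requests_get):
    """Look many indicators up, caching so a repeated SIEM hit costs one API call, not ten."""
    cache = {}
    for v in values:
        if v not in cache:
            cache[v] = lookup(v, api_key, http_get)
    return [cache[v] for v in values]

if __name__ == "__main__":
    # Offline demonstration with a constructed stand-in feed; drop the http_get argument
    # (and set API_KEY) to query the real service.
    def _fake_feed(url, headers):
        return {"total": 0, "results": []}   # constructed response, not real reputation data
    for result in lookup_many(["8.8.8.8", "10.0.0.5", "example.com", "8.8.8.8"],
                              http_get=_fake_feed):
        print(result)
```

The skip list matters more than it looks: a SIEM is full of RFC 1918 addresses, and sending them to an external API leaks your internal addressing for no gain, so the lookup refuses them before building a URL.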

Conclusion and some suggestions

As you can see, we can automate a lot of threat hunting tasks via scripting. It leaves the threat hunter much more time to perform actual analysis. Here are some suggestions I would like to give from my own experience:

Before writing a script to automate or solve a problem, check whether someone else has already done it. If so, use the script: learn from it, tweak it, use it.

To solve the problem you are thinking of, check whether a high-level module is already available. For example, to request a web page from a website you don't need to use Python's low-level socket module; the requests module (a high-level library for requesting web resources) is available. Likewise, to parse a web page, use the Beautiful Soup module instead of doing it with requests alone. Google it.

Check for APIs available from third-party resources that can make your task easier.

For more scripts like the ones above, check my GitHub repo.

References:

ELK (What it is? How to use it?): https://www.elastic.co/elk-stack

Winlogbeat (What it is? How to use it?): https://www.elastic.co/guide/en/beats/winlogbeat/current/index.html

Python tutorial: https://automatetheboringstuff.com/

Elasticsearch module: https://elasticsearch-py.readthedocs.io/en/master/

Slackclient module: https://pypi.org/project/slackclient/