5/16/22, 9:41 AM Gmail - [advisory-board-open] Detection Engineering Resources
hieu tran <hieuttmmo@gmail.com>
[advisory-board-open] Detection Engineering Resources
8 messages
Walaa Kabbani via advisory-board-open <advisory-board-open@lists.sans.org> Fri, May 13, 2022 at 6:12 PM
Reply-To: Walaa Kabbani <walaakabbani@gmail.com>
To: advisory-board-open@lists.sans.org
Hello Everyone,
What are good recommended resources / books / websites on detection engineering?
Best Regards,
Walaa Kabbani
Security Engineering
Security Operations Center
_______________________________________________
advisory-board-open mailing list
advisory-board-open@lists.sans.org
https://lists.sans.org/mailman/listinfo/advisory-board-open
If you want to unsubscribe from this list, navigate to:
https://lists.sans.org/mailman/listinfo/advisory-board-open
To unsubscribe, you'll need your list password.
If you forgot your password, you can get a reminder at the bottom of
https://lists.sans.org/mailman/listinfo/advisory-board-open
Paul Masek via advisory-board-open <advisory-board-open@lists.sans.org> Fri, May 13, 2022 at 8:02 PM
Reply-To: Paul Masek <Paul.Masek@ruoff.com>
To: Walaa Kabbani <walaakabbani@gmail.com>
Cc: advisory-board-open <advisory-board-open@lists.sans.org>
Walaa,
This is a broad, but also fantastic question! Here are *some* resources I've amassed over the last few years. I say some as there are many other really good voices and resources in this realm, but this will give you a start.
SIEM Rulesets (all open and free):
Mitre CAR - https://car.mitre.org/
Splunk - https://github.com/splunk/security_content/tree/develop/detections
Elastic - https://github.com/elastic/detection-rules
Sigma - https://github.com/SigmaHQ/sigma/tree/master/rules
***
Some Free / Some Paid: SIEM Rule Marketplace: https://socprime.com/
Great Threat Hunting Guide: https://www.threathunting.net/files/hunt-evil-practical-guide-threat-hunting.pdf
Detection engineering guide. Excellent places to look first: https://redcanary.com/threat-detection-report/
SANS Hunt Evil Poster: https://www.sans.org/posters/hunt-evil/ == use this also to spot normal processes such as smss.exe and to know what it should be spawned by etc., to then search for anomalies such as smss.exe with a different parent than System or smss.exe started in a location other than System32...
Good log source guide: "Advice on best log sources and why - Florian Roth @cyb3rops" https://twitter.com/cyb3rops/status/1193191644679544834
Follow going forward and read their history of posts as if they are some of the best books written on detection engineering.
https://twitter.com/nas_bench
https://twitter.com/SBousseaden/
https://twitter.com/cyb3rops
SANS Threat Hunting & Incident Response Summits – e.g. 2021 -
https://www.youtube.com/watch?v=OCTz62fN8OA&list=PLfouvuAjspTpxI8P68vblkcLAtJWKuOxu
A couple of my favorite SANS Instructors on Detection Engineering are Eric Conrad and John Hubbard. Look up videos and other resources from them.
Sources of IOCs (also Chrome Bookmarks Folder "IOCs"):
- Mitre ATT&CK - https://attack.mitre.org/matrices/enterprise/ (TTP-centric: Tactics, Techniques and Procedures; provides evidence to base rules on)
- Refer to this over and over and over again. It’s a gold mine!
- Top ATT&CK Techniques Published - https://ctid.mitre-engenuity.org/our-work/top-attack-techniques/
- https://jpcertcc.github.io/ToolAnalysisResultSheet/
- https://lolbas-project.github.io/ (aka lolbins)
- https://github.com/sophoslabs/IoCs
- https://github.com/3CORESec/MAL-CL
- YT InfoSec Conf Talks (in particular SANS Summits and BSides conferences)
- CERT Reports/Alerts such as: http://www.us-cert.gov/channels/techalerts.rdf
- InfoSec White Papers
- InfoSec Blog Posts
- https://thedfirreport.com/
- https://isc.sans.edu/diary
- InfoSec Tweets
- Shameless plug on one I started here, when I posed the question: "What SIEM query has netted you the most evil?" - https://twitter.com/paul_masek/status/1443895841824051218
Simulate IOCs:
- Atomic Red Team - https://github.com/redcanaryco/atomic-red-team
Paul Masek
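The smss.exe parent/path check from the Hunt Evil item in the message above, written out as an added example that is not part of Paul's message or of the SANS poster: a small Python hunt over constructed Sysmon-style process-creation records. The expected-parent table extends the check to a few more core processes and is an assumption drawn from the poster's general guidance (verify it against the poster before relying on it); the record fields (Image, ParentImage, UtcTime) mirror Sysmon Event ID 1 names, and the sample records are constructed, not real telemetry.

```python
"""Hunt for core Windows processes whose parent or image path breaks the
expected pattern (the smss.exe check from the thread, generalised to a few
more core processes). Added example; the expected-parent table is an
assumption drawn from the Hunt Evil poster and should be checked against it."""
import ntpath

# process name -> (expected parent name, expected image directory).
# Assumption: SystemRoot is C:\Windows; adjust if your hosts differ.
EXPECTED = {
    "smss.exe":     ("system",       r"c:\windows\system32"),
    "wininit.exe":  ("smss.exe",     r"c:\windows\system32"),
    "winlogon.exe": ("smss.exe",     r"c:\windows\system32"),
    "services.exe": ("wininit.exe",  r"c:\windows\system32"),
    "lsass.exe":    ("wininit.exe",  r"c:\windows\system32"),
    "svchost.exe":  ("services.exe", r"c:\windows\system32"),
}
# The master smss.exe spawns one short-lived smss.exe child per session, so a
# parent of smss.exe is also legitimate for smss.exe itself.
ALT_PARENTS = {"smss.exe": {"smss.exe"}}


def _name(image):
    """Lower-cased file name of an Image/ParentImage value ("System" stays "system")."""
    return ntpath.basename(image).lower()


def _dir(image):
    return ntpath.dirname(image).lower()


def check_event(event):
    """Return anomaly labels for one Sysmon EID 1 style record; [] if the
    record is clean or the process is not in the table."""
    name = _name(event["Image"])
    if name not in EXPECTED:
        return []
    parent, expected_dir = EXPECTED[name]
    findings = []
    pname = _name(event["ParentImage"])
    if pname != parent and pname not in ALT_PARENTS.get(name, set()):
        findings.append(f"unexpected_parent:{pname}")
    if _dir(event["Image"]) != expected_dir:
        findings.append(f"unexpected_path:{event['Image']}")
    return findings


def hunt(events):
    """Run check_event over a batch; one (time, image, finding) tuple per anomaly."""
    return [(e["UtcTime"], e["Image"], f) for e in events for f in check_event(e)]


# Constructed sample records (not real telemetry), using Sysmon field names.
SAMPLE_EVENTS = [
    {"UtcTime": "2022-05-13 10:00:01", "Image": r"C:\Windows\System32\smss.exe",
     "ParentImage": "System"},
    {"UtcTime": "2022-05-13 10:00:02", "Image": r"C:\Users\Public\smss.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"UtcTime": "2022-05-13 10:00:03", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"UtcTime": "2022-05-13 10:00:04", "Image": r"C:\Windows\System32\lsass.exe",
     "ParentImage": r"C:\Windows\System32\wininit.exe"},
    {"UtcTime": "2022-05-13 10:00:05", "Image": r"C:\Windows\System32\smss.exe",
     "ParentImage": r"C:\Windows\System32\smss.exe"},
    {"UtcTime": "2022-05-13 10:00:06", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(*hit)
```

The comparison is done on lower-cased basenames and directories because Sysmon preserves whatever case the caller used; a rule that compares raw strings misses `C:\WINDOWS\system32\SMSS.EXE`. Drift in the table (a new Windows build changing a parent) shows up as a burst of hits on every host, which is the cue to re-check the poster rather than to tune the rule down.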
Steven D via advisory-board-open <advisory-board-open@lists.sans.org> Sun, May 15, 2022 at 1:03 AM
Reply-To: Steven D <pheerless@hotmail.com>
To: Paul Masek <Paul.Masek@ruoff.com>, Walaa Kabbani <walaakabbani@gmail.com>
Cc: advisory-board-open <advisory-board-open@lists.sans.org>
Paul
Pretty excellent list... I humbly submit a few from my stash as well, whatever isn't already a duplicate.
Most are focused on Windows logging, since you can't detect what you can't see/log. :)
Malware Archeology, lots of logging cheat sheets:
https://www.malwarearchaeology.com/cheat-sheets
Also MS has a decent spot the bad guy via logging here:
https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor
Various government resources:
https://apps.nsa.gov/iaarchive/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm
https://github.com/nsacyber/Event-Forwarding-Guidance
https://www.cyber.gov.au/sites/default/files/2021-10/PROTECT%20-%20Windows%20Event%20Logging%20and%20Forwarding%20%28October%202021%29.pdf
Detection Lab, because It's awesome and you gotta have a place to test detections.
https://www.detectionlab.network/
Sysmon Simulator for those who need to generate events.
https://github.com/ScarredMonk/SysmonSimulator
Simulate more TTPs with Caldera (it's what MITRE uses for its assessments).
https://caldera.mitre.org/
https://github.com/mitre/caldera
Regards,
Steven.
Chris Crowley via advisory-board-open <advisory-board-open@lists.sans.org> Sun, May 15, 2022 at 5:02 AM
Reply-To: Chris Crowley <chris@montance.com>
To: Steven D <pheerless@hotmail.com>
Cc: advisory-board-open <advisory-board-open@lists.sans.org>
TL;DR: build a pipeline then fill in details, then improve the pipeline.
Great lists of references with technical details above, glad these got consolidated. I'll surely use them. I'll contribute one that isn't already on the list. David J Bianco's Toppling the Stack:
https://www.youtube.com/watch?v=7q7GGg-Ws9s
To me, detection engineering is a part of the larger use case development program (as in, the people, processes, and technology to make something happen). Further elaboration here:
https://www.youtube.com/watch?v=Dd_R-BeyS2I
Detection Engineering entails an engineering effort, and the use case development I describe above is the pipeline in which the creation of detections (I call them detection opportunities in that video) occurs. One feasible implementation might be in a SIEM or a SOAR.
Chris Crowley
Michael via advisory-board-open <advisory-board-open@lists.sans.org> Sun, May 15, 2022 at 5:33 AM
Reply-To: Michael <infosec.michael@pm.me>
To: Chris Crowley <chris@montance.com>, Steven D <pheerless@hotmail.com>
Cc: advisory-board-open <advisory-board-open@lists.sans.org>
If I may ask a related question, is anyone else working to streamline detection engineering using an actual devops/CI pipeline and git repo?
Any thoughts on that?
BR,
Michael
Chris Crowley via advisory-board-open <advisory-board-open@lists.sans.org> Sun, May 15, 2022 at 7:40 AM
Reply-To: Chris Crowley <chris@montance.com>
To: Michael <infosec.michael@pm.me>
Cc: advisory-board-open <advisory-board-open@lists.sans.org>
I have a customer I am working with this on. Can't provide additional details now. I'll likely be able to eventually abstract it and share it to the community.
Chris
Ahmed via advisory-board-open <advisory-board-open@lists.sans.org> Sun, May 15, 2022 at 6:47 PM
Reply-To: Ahmed <a.n.elshaer@gmail.com>
To: Chris Crowley <chris@montance.com>
Cc: advisory-board-open <advisory-board-open@lists.sans.org>
In a previous company I built a pipeline where we had rules maintained in GitHub and a workflow for reviews and approvals; then they got deployed into the SIEM.
Those rules were either built by an analyst or automated hunting rules built automatically, using Jinja templates, from very custom rules in a Threat Intel platform.
--
Best Regards,
Ahmed Elshaer
Steven Goossens via advisory-board-open <advisory-board-open@lists.sans.org> Sun, May 15, 2022 at 7:04 PM
Reply-To: Steven Goossens <stevengoo88@gmail.com>
To: Ahmed <a.n.elshaer@gmail.com>, Chris Crowley <chris@montance.com>
Cc: advisory-board-open <advisory-board-open@lists.sans.org>
We are doing that based on the https://github.com/splunk/security_content project.
Basically, the rules are written in a YAML format by a detection engineer and Jinja templates translate them to Splunk config. The pipeline checks for basic syntax-related stuff and builds a config set. You could take it further and release the new content from the pipeline as well to a test environment and run sample event sets to perform automated testing.
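The review-then-deploy pipeline that Ahmed and Steven describe above (rules kept in a Git repo, a lint stage that fails the build on bad content, templates that render the SIEM configuration), as an added example that is not part of either message or of the splunk/security_content project. It assumes a simplified subset of the security_content rule fields, holds the rules as Python dicts (a real pipeline would load them from YAML files in the repository), and uses string.Template in place of Jinja so it runs with the standard library alone; the two sample rules are constructed for the example.

```python
"""Detection-as-code build step: lint every rule, fail the build on any error,
otherwise render Splunk savedsearches.conf stanzas. Added example modelled on
the flow described in the thread, not code from splunk/security_content.
Assumptions: rules use a simplified subset of the security_content fields and
are held as dicts here (a real pipeline loads YAML files from the repo);
string.Template stands in for Jinja."""
import re
from string import Template

REQUIRED = ("name", "id", "search", "mitre_attack_id", "severity")
# Splunk alert.severity is an integer 1..6; map the rule's label onto it.
SEVERITY_NUM = {"informational": 2, "low": 3, "medium": 4, "high": 5, "critical": 6}
UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")
ATTACK_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")

STANZA = Template("""[$name]
description = $description [ATT&CK: $attack]
search = $search
cron_schedule = $cron
dispatch.earliest_time = -70m@m
dispatch.latest_time = now
enableSched = 1
alert.severity = $sev_num
""")


def lint_rule(rule):
    """Schema checks a reviewer should not have to do by eye."""
    label = rule.get("name", "<unnamed>")
    errors = [f"{label}: missing field '{k}'" for k in REQUIRED if k not in rule]
    if "id" in rule and not UUID_RE.match(str(rule["id"])):
        errors.append(f"{label}: id is not a UUID")
    for tid in rule.get("mitre_attack_id", []):
        if not ATTACK_RE.match(str(tid)):
            errors.append(f"{label}: bad ATT&CK technique id '{tid}'")
    if "severity" in rule and rule["severity"] not in SEVERITY_NUM:
        errors.append(f"{label}: unknown severity '{rule['severity']}'")
    return errors


def lint_ruleset(rules):
    """Per-rule checks plus cross-rule ones (duplicate ids collide in the SIEM)."""
    errors = [e for r in rules for e in lint_rule(r)]
    seen = {}
    for r in rules:
        rid = r.get("id")
        if rid in seen:
            errors.append(f"{r.get('name')}: duplicate id {rid} (also {seen[rid]})")
        else:
            seen[rid] = r.get("name")
    return errors


def render_rule(rule):
    """Render one rule to a savedsearches.conf stanza."""
    return STANZA.substitute(
        name=rule["name"], description=rule.get("description", ""),
        attack=",".join(rule["mitre_attack_id"]), search=rule["search"],
        cron=rule.get("cron_schedule", "0 * * * *"),
        sev_num=SEVERITY_NUM[rule["severity"]])


def build(rules):
    """Return (errors, conf_text); conf_text is empty when the build must fail."""
    errors = lint_ruleset(rules)
    if errors:
        return errors, ""
    return [], "\n".join(render_rule(r) for r in rules)


# Constructed rules: the first is well-formed, the second carries the kinds of
# mistakes a lint stage catches before a reviewer sees the pull request.
SAMPLE_RULES = [
    {"name": "Suspicious smss.exe Parent",
     "id": "a1b2c3d4-0000-4000-8000-000000000001",
     "description": "smss.exe spawned by a process other than System",
     "search": 'index=sysmon EventCode=1 Image="*\\\\smss.exe" NOT ParentImage="System" '
               '| stats count by host ParentImage',
     "mitre_attack_id": ["T1036.005"], "severity": "high",
     "cron_schedule": "*/10 * * * *"},
    {"name": "Broken Rule",
     "id": "a1b2c3d4-0000-4000-8000-000000000001",  # duplicate id
     "mitre_attack_id": ["1059"],                      # missing the T prefix
     "severity": "urgent"},                             # bad label, and no search
]

if __name__ == "__main__":
    errors, conf = build(SAMPLE_RULES)
    print("\n".join(errors) if errors else conf)
```

The point of returning an empty config on any error is that the deploy job downstream has nothing to push: a half-rendered config set that silently dropped one rule is worse than a red pipeline. The test-environment replay Steven mentions would slot in after `build`, feeding the rendered searches sample event sets and asserting on the hits, with the same fail-the-build semantics.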