In this lab, you’ll investigate a host that’s exhibiting signs of being compromised by a Cryptominer. As this lab focuses on a real-world scenario, the Indicators of Compromise (IoCs) that you’ll uncover will be heavily related to a threat actor named Rocke. You’ll investigate a Rocke-like campaign by diving into the Linux Auditing System’s logs. Even better, you’ll learn how to easily parse these logs through osquery!
Zach describes himself as “an ordinary guy who’s extraordinarily curious about technology.” This curiosity has led to roles in Software Development, Application Security, DevOps, and Security Engineering. Currently, Zach is the Lead Security Engineer at Credible where he helps lead the security vision of a highly sensitive Fintech product. Outside of his day job, Zach has spoken at SyntaxCon, created cybersecurity tutorials through Securing The Stack, led an AWS Meetup group, and has provided cybersecurity consulting services. When not hitting the keyboard, Zach is hitting the trails! He is an avid hiker and enjoys the simplicity of nature. In fact, Zach’s favorite quote is “Simplicity is the ultimate sophistication” by Leonardo Da Vinci. Zach’s fondness of simplicity has manifested in his tutorials, where he aims to simplify complex topics in the areas of Software Development, DevOps, and Security.
In this challenge, you’ll learn how to threat hunt via the Linux Auditing System.
Linux Audit Framework: Event Searching
In this challenge, you’ll search for Kernel events related to MITRE’s Initial Access tactic.
osquery: Initial Access Threat Hunting
In this challenge, you’ll learn about osquery and how to use osquery for threat hunting. In particular, you’ll leverage MITRE’s Initial Access technique to hunt for signs of compromise.
osquery: Persistence Threat Hunting
In this challenge, you’ll learn about osquery and how to use osquery for threat hunting. In particular, you’ll leverage MITRE’s Persistence technique to hunt for signs of compromise.
The Last Challenge
This is the last challenge of this lab and your last chance to experience the environment for additional practice. When you click Finish lab, it will close the lab environment window and end this small little world that flittered into existence just for you.