Endpoint System Logs: Cryptominer Analysis
In this lab, you’ll investigate a host that’s exhibiting signs of being compromised by a Cryptominer. As this lab focuses on a real-world scenario, the Indicators of Compromise (IoCs) that you’ll uncover will be heavily related to a threat actor named Rocke. You’ll investigate a Rocke-like campaign by diving into the Linux Auditing System’s logs. Even better, you’ll learn how to easily parse these logs through osquery!
Terms and conditions apply.
Challenge
Linux Audit Framework: Introduction
In this challenge, you’ll learn how to threat hunt via the Linux Auditing System.
Challenge
Linux Audit Framework: Event Searching
In this challenge, you’ll search for Kernel events related to MITRE’s Initial Access tactic.
Challenge
osquery: Initial Access Threat Hunting
In this challenge, you’ll learn about osquery and how to use osquery for threat hunting. In particular, you’ll leverage MITRE’s Initial Access technique to hunt for signs of compromise.
Challenge
osquery: Persistence Threat Hunting
In this challenge, you’ll learn about osquery and how to use osquery for threat hunting. In particular, you’ll leverage MITRE’s Persistence technique to hunt for signs of compromise.
Challenge
The Last Challenge
This is the last challenge of this lab and your last chance to experience the environment for additional practice. When you click Finish lab, it will close the lab environment window and end this small little world that flittered into existence just for you.
Provided environment for hands-on practice
We will provide the credentials and environment necessary for you to practice right within your browser.
Guided walkthrough
Follow along with the author’s guided walkthrough and build something new in your provided environment!
Did you know?
On average, you retain 75% more of your learning if you get time for practice.
Recommended prerequisites
- Basic Linux knowledge