OS Analysis with HELK

HELK adds machine learning and graph analysis on top of world-class Windows log collection and analysis across your enterprise, capabilities not found in other tools, for free! In this course, you will learn to hunt adversary activity on endpoints using HELK.
Course info
Level
Intermediate
Updated
Jul 21, 2020
Duration
29m
Description

Though many cyber attack techniques can be effectively and heuristically identified by analyzing endpoint logs, there are surprisingly few capabilities that focus solely on parsing Windows logs and OS data and providing a platform for advanced statistical analysis. In this course, OS Analysis with HELK, you’ll learn how to use Hunt ELK to detect adversary endpoint attack techniques in an enterprise environment. First, you’ll see the gap that HELK fills in Windows event log analysis. Next, you'll explore how to operate the advanced hunt features HELK provides. Finally, you’ll learn how to analyze a live dataset to hunt for adversary activity. When you’re finished with this course, you’ll have the skills and knowledge to detect these techniques using HELK: Kerberoasting (T1208), BITS Jobs (T1197), and Indicator Removal on Host (T1070).

About the author

Aaron M. Rosenmund is a cyber security operations subject matter expert, with a background in federal and business defensive and offensive cyber operations and system automation.

Section Introduction Transcripts

Course Overview
Welcome to Pluralsight and this Blue Team Tools course featuring HELK, the open source OS data analysis tool developed and maintained by Roberto Rodriguez, who goes by the moniker Cyb3rWard0g. Common detection capabilities are constantly evaded by sufficiently advanced adversaries. To detect the undetected, you, as the security analyst, have to morph into a threat hunter. HELK is engaged on networks to do just that. It collects Windows logs, including Sysmon, from as many sources as possible; those logs are thoughtfully parsed, and you, the threat hunter, use Jupyter Notebook to invoke Apache Spark and GraphFrames to query for curious connections or relationships in the data that could indicate yet-undetected malicious behavior. The extremely well-crafted Kibana dashboards take it from there, illuminating related attacker techniques with ease. The toolset included in HELK is adept at unearthing a variety of Windows endpoint attacks. In this course, you will track down activity relating to Kerberoasting, BITSADMIN data transfers, and the clearing of Windows logs by attackers attempting to remain stealthy. HELK, known as the Hunt ELK, is built from the ground up for Elastic Stack-powered threat hunting, with the modified prey-turned-predator logo to match, leveraging Elasticsearch, Logstash, and Kibana to provide not just an interface for Windows log analysis, but also a base upon which capabilities for machine learning and enhanced analysis with tools like Apache Spark and GraphFrames can operate. Come join me in learning to harness the power of HELK to discover undetected advanced adversaries operating in an enterprise environment much like your own.