[News] Kestrel arsenal session coming to Black Hat USA 2022 (spin up your copy of BH22 demo to hunt)
Kestrel is a threat hunting language aiming to make cyber threat hunting fast by providing a layer of abstraction to build reusable, composable, and shareable hunt-flow.
Try Kestrel in a cloud sandbox without install (Blog: Try Kestrel in a Cloud Sandbox).
Software developers write Python or Swift than machine code to quickly turn business logic into applications. Threat hunters write Kestrel to quickly turn threat hypotheses into hunt-flow. We see threat hunting as an interactive procedure to create customized intrusion detection systems on the fly, and hunt-flow is to hunts as control-flow is to ordinary programs.
What does it mean by hunt fast?
- Do not write the same TTP pattern in different data source queries.
- Do not write one-time-use adapaters to connect hunt steps.
- Do not waste your existing analytic scripts/programs in future hunts.
- Do construct your hunt-flow from smaller reuseable hunt-flow.
- Do share your huntbook with your future self and your colleagues.
- Do get interactive feedback and revise hunt-flow on the fly.
Kestrel in a Nutshell
- Kestrel language: a threat hunting language for a human to express what to
hunt.
- expressing the knowledge of what in patterns, analytics, and hunt flows.
- composing reusable hunting flows from individual hunting steps.
- reasoning with human-friendly entity-based data representation abstraction.
- thinking across heterogeneous data and threat intelligence sources.
- applying existing public and proprietary detection logic as analytic hunt steps.
- reusing and sharing individual hunting steps, hunt-flow, and entire huntbooks.
- Kestrel runtime: a machine interpreter that deals with how to hunt.
- compiling the what against specific hunting platform instructions.
- executing the compiled code locally and remotely.
- assembling raw logs and records into entities for entity-based reasoning.
- caching intermediate data and related records for fast response.
- prefetching related logs and records for link construction between entities.
- defining extensible interfaces for data sources and analytics execution.
Basic Concepts and Howto
Visit Kestrel documentation to learn Kestrel:
- Learn concepts and syntax:
- Hunt in your environment:
Kestrel Huntbooks And Analytics
- Kestrel huntbook: community-contributed Kestrel huntbooks
- Kestrel analytics: community-contributed Kestrel analytics
Kestrel Hunting Blogs
- Building a Huntbook to Discover Persistent Threats from Scheduled Windows Tasks
- Practicing Backward And Forward Tracking Hunts on A Windows Host
- Building Your Own Kestrel Analytics and Sharing With the Community
- Setting Up The Open Hunting Stack in Hybrid Cloud With Kestrel and SysFlow
- Try Kestrel in a Cloud Sandbox
Talks And Demos
Visit Kestrel documentation on talks to learn more about the talks:
- 2022/08 Black Hat USA 2022 (spin up your copy of BH22 demo to hunt)
- 2022/06 Cybersecurity Automation Workshop
- 2022/04 SC eSummit on Threat Hunting & Offense Security (free to register/playback)
- 2021/12 Infosec Jupyterthon 2021 [IJ'21 live hunt recording]
- 2021/11 BlackHat Europe 2021
- 2021/10 SANS Threat Hunting Summit 2021: [SANS'21 session recording]
- 2021/05 RSA Conference 2021: [RSA'21 session recording]
Connecting With The Community
Join Kestrel slack channel:
Get a slack invitation to join Open Cybersecurity Alliance workspace
Join the kestrel channel to ask questions and connect with other hunters
Contribute to the language development (Apache License 2.0):
- Create a GitHub Issue to report bugs and suggest new features
- Follow the contributing guideline to submit your pull request
- Refer to the governance documentation regarding PR merge, release, and vulnerability disclosure
Share your huntbook and analytics:
