How to install various tools useful for threat hunting.
Last active: September 7, 2023 19:36
Gist: ethack/6bd3a9551c02bbf8b404af0d2023114d
Threat Hunting Tools
ripgrep (prebuilt binary)
- Find the latest release on the ripgrep GitHub releases page.
- Pick the "x86_64-unknown-linux-musl" build.
- Extract it and move `rg` into your PATH.
ripgrep (RPM for CentOS/RHEL 7)
- Find the latest release in the copr repository linked below.
- Download the RPM:

```sh
wget https://copr-be.cloud.fedoraproject.org/results/carlwgeorge/ripgrep/epel-7-x86_64/01858399-ripgrep/ripgrep-12.1.1-1.el7.x86_64.rpm
```

(If there is no internet access, download this on a different machine and use `scp` or similar to copy it over.)

```sh
sudo yum install ripgrep-*.rpm
```
ripgrep (Debian/Ubuntu)

```sh
sudo apt install ripgrep
```

If you're a Debian user (or a user of a Debian derivative like Ubuntu), then ripgrep can be installed using a binary .deb file provided in each ripgrep release.

```sh
curl -LO https://github.com/BurntSushi/ripgrep/releases/download/12.1.1/ripgrep_12.1.1_amd64.deb
sudo dpkg -i ripgrep_12.1.1_amd64.deb
```
ugrep (static build)
Download the Dockerfile for building from ugrep's repo.

```sh
# one of these is likely unnecessary; both are exported so ./configure actually sees them
export CFLAGS='-static -static-libstdc++ -static-libgcc'
export CXXFLAGS='-static -static-libstdc++ -static-libgcc'
./configure --enable-pretty
make -j
ldd bin/ugrep
# should output: not a dynamic executable
file bin/ugrep
# should output: statically linked
# cuts the size down a bit
strip bin/ugrep
```

Note: This doesn't work and segfaults. Likely it doesn't include all libraries.
trace-summary
https://github.com/zeek/trace-summary

```sh
# See below for offline pysubnettree install
python -m pip install pysubnettree
wget -qO /usr/local/bin/trace-summary https://raw.githubusercontent.com/zeek/trace-summary/master/trace-summary
chmod +x /usr/local/bin/trace-summary
```
pysubnettree (offline install via a platform wheel)
https://packaging.python.org/guides/distributing-packages-using-setuptools/#platform-wheels

Build the wheel in a Python 3.6 container on a machine that has internet access:

```sh
docker run -v `pwd`:/host --rm -it python:3.6 bash
cd /host
git clone https://github.com/zeek/pysubnettree
cd pysubnettree
python setup.py bdist_wheel
# wheel is in dist/pysubnettree-0.35-cp36-cp36m-linux_x86_64.whl
```

Then on the target system:

```sh
python3 -m pip install pysubnettree-0.35-cp36-cp36m-linux_x86_64.whl
```

Note: this evidently requires some runtime dependencies. Currently it gives this error on CentOS 7 (Security Onion 2):

```
ImportError: /lib64/libstdc++.so.6: version `CXXABI_1.3.9' not found (required by /usr/local/lib64/python3.6/site-packages/_SubnetTree.cpython-36m-x86_64-linux-gnu.so)
```

The error is a C++ ABI mismatch: the extension was compiled inside the python:3.6 image, whose libstdc++ is newer than the one CentOS 7 ships, so the module asks for a CXXABI version the system library does not export.
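A small check added here (not part of the gist) that predicts this failure before the wheel is copied to the offline host: it compares the CXXABI version a compiled module asks for with the highest one the target's libstdc++ exports. The real-target lines assume GNU binutils (`strings`, `objdump`) and the /lib64/libstdc++.so.6 path from the error message; the data inside the block is constructed.

```shell
#!/bin/sh
# Added diagnostic (not from the gist): before copying a wheel to an offline
# host, check whether that host's libstdc++ exports the CXXABI version the
# compiled extension module needs. Assumed inputs: the symbol list of the
# target's /lib64/libstdc++.so.6 (from `strings`) and either the module's
# `objdump -T` output or the ImportError text itself.

# Print the highest CXXABI_x.y.z tag found on stdin.
highest_cxxabi() {
  sed -n 's/.*CXXABI_\([0-9][0-9.]*\).*/\1/p' \
    | sort -t. -k1,1n -k2,2n -k3,3n | tail -n1
}

# Succeed when dotted version $1 is greater than or equal to $2.
version_ge() {
  top=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n1)
  [ "$top" = "$1" ]
}

# $1: CXXABI version the module requires (e.g. 1.3.9); stdin: the target
# libstdc++'s symbol list. Exit status 0 means the library satisfies it.
cxxabi_satisfied() {
  have=$(highest_cxxabi)
  [ -n "$have" ] && version_ge "$have" "$1"
}

# Worked check on constructed data: a CentOS 7 style libstdc++ symbol list
# (newest tag CXXABI_1.3.7) against the version named in the error above.
demo_centos7_check() {
  need=$(printf '%s\n' "ImportError: /lib64/libstdc++.so.6: version \`CXXABI_1.3.9' not found" \
    | highest_cxxabi)
  if printf '%s\n' 'GLIBCXX_3.4.19' 'CXXABI_1.3' 'CXXABI_1.3.5' 'CXXABI_1.3.7' \
       | cxxabi_satisfied "$need"; then
    echo ok
  else
    echo missing   # this data prints "missing": 1.3.7 < 1.3.9
  fi
}

# On a real target:
#   strings /lib64/libstdc++.so.6 > /tmp/syms
#   need=$(objdump -T _SubnetTree.cpython-36m-x86_64-linux-gnu.so | highest_cxxabi)
#   cxxabi_satisfied "$need" < /tmp/syms && echo "wheel should import"
```

When the check reports `missing`, the fix that follows is to build the wheel in a CentOS 7 based container so the extension links against the same libstdc++ the target has.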
zeek-cut
https://github.com/zeek/zeek-aux/

Debian/Ubuntu (package):

```sh
apt install -y bro-aux || apt install -y zeek-aux
```

Alpine (static build from source):

```sh
apk add -t .build-deps gcc libc-dev
wget -qO /tmp/zeek-cut.c https://raw.githubusercontent.com/zeek/zeek-aux/master/zeek-cut/zeek-cut.c
gcc --static -o /usr/local/bin/zeek-cut /tmp/zeek-cut.c
apk del .build-deps
```

CentOS (dynamic build from source):

```sh
yum install -y gcc glibc-devel wget
wget -qO /tmp/zeek-cut.c https://raw.githubusercontent.com/zeek/zeek-aux/master/zeek-cut/zeek-cut.c
# couldn't get this to work with static compilation on CentOS
gcc -o /usr/local/bin/zeek-cut /tmp/zeek-cut.c
```