Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
.. image:: https://github.com/opencybersecurityalliance/kestrel-lang/raw/develop/logo/logo_w_text.svg :width: 432 :alt: Kestrel Threat Hunting Language
.. image:: https://img.shields.io/pypi/pyversions/kestrel-lang :target: https://www.python.org/ :alt: Python 3
.. image:: https://img.shields.io/badge/code%20style-black-000000.svg :target: https://github.com/psf/black :alt: Code Style: Black
.. image:: https://codecov.io/gh/opencybersecurityalliance/kestrel-lang/branch/develop/graph/badge.svg?token=HM4ax10IW3 :target: https://codecov.io/gh/opencybersecurityalliance/kestrel-lang :alt: Code Coverage
.. image:: https://img.shields.io/pypi/v/kestrel-lang :target: https://pypi.python.org/pypi/kestrel-lang :alt: Latest Version
.. image:: https://img.shields.io/pypi/dm/kestrel-lang :target: https://pypistats.org/packages/kestrel-lang :alt: PyPI Downloads
.. image:: https://readthedocs.org/projects/kestrel/badge/?version=latest :target: https://kestrel.readthedocs.io/en/latest/?badge=latest :alt: Documentation Status
|
[News] Kestrel session at Black Hat USA 2023
_
Kestrel is a threat hunting language aiming to make cyber threat hunting fast by providing a layer of abstraction to build reusable, composable, and shareable hunt-flow. Starting with:
#. Black Hat USA 2022 session recording
_
#. Black Hat USA 2022 Kestrel hunting lab
_
#. Kestrel live tutorial in a cloud sandbox
_
Software developers write Python or Swift than machine code to quickly turn business logic into applications. Threat hunters write Kestrel to quickly turn threat hypotheses into hunt-flow. We see threat hunting as an interactive procedure to create customized intrusion detection systems on the fly, and hunt-flow is to hunts as control-flow is to ordinary programs.
What does it mean by hunt fast?
|
.. image:: https://github.com/opencybersecurityalliance/data-bucket-kestrel/raw/main/images/github_homepage_animation.gif :width: 90% :target: https://www.youtube.com/watch?v=tASFWZfD7l8 :alt: Kestrel Hunting Demo
.. image:: https://github.com/opencybersecurityalliance/kestrel-lang/raw/develop/docs/images/overview.png :width: 100% :alt: Kestrel overview.
Kestrel language: a threat hunting language for a human to express what to hunt.
Kestrel runtime: a machine interpreter that deals with how to hunt.
Visit Kestrel documentation
_ to learn Kestrel:
Learn concepts and syntax:
A comprehensive introduction to Kestrel
_The two key concepts of Kestrel
_Interactive tutorial with quiz
_Language reference book
_Hunt in your environment:
Kestrel runtime installation
_How to connect to your data sources
_How to execute an analytic hunt step in Python/Docker
_How to use Kestrel via API
_How to launch Kestrel as a Docker container
_Kestrel huntbook
_: community-contributed Kestrel huntbooksKestrel analytics
_: community-contributed Kestrel analytics#. Building a Huntbook to Discover Persistent Threats from Scheduled Windows Tasks
_
#. Practicing Backward And Forward Tracking Hunts on A Windows Host
_
#. Building Your Own Kestrel Analytics and Sharing With the Community
_
#. Setting Up The Open Hunting Stack in Hybrid Cloud With Kestrel and SysFlow
_
#. Try Kestrel in a Cloud Sandbox
_
#. Fun with securitydatasets.com and the Kestrel PowerShell Deobfuscator
_
#. Kestrel Data Retrieval Explained
_
Talk summary (visit Kestrel documentation on talks
_ to learn details):
Black Hat USA 2023
_Infosec Jupyterthon 2022
_ [IJ'22 live hunt recording
_]Black Hat USA 2022
_ [BH'22 recording
_ | BH'22 hunting lab
_]Cybersecurity Automation Workshop
_SC eSummit on Threat Hunting & Offense Security
_ (free to register/playback)Infosec Jupyterthon 2021
_ [IJ'21 live hunt recording
_]BlackHat Europe 2021
_SANS Threat Hunting Summit 2021
: [SANS'21 session recording
]RSA Conference 2021
: [RSA'21 session recording
]Join Kestrel slack channel:
Get a slack invitation
_ to join Open Cybersecurity Alliance workspace
_
.. image:: https://opencyberallia.wpengine.com/wp-content/uploads/2022/03/OCA-logo-e1646689234325.png :width: 20% :alt: OCA logo
Join the kestrel channel to ask questions and connect with other hunters
Contribute to the language development (Apache License 2.0
_):
GitHub Issue
_ to report bugs and suggest new featurescontributing guideline
_ to submit your pull requestgovernance documentation
_ regarding PR merge, release, and vulnerability disclosureShare your huntbook and analytics:
Kestrel huntbook
_Kestrel analytics
_.. _Kestrel live tutorial in a cloud sandbox: https://mybinder.org/v2/gh/opencybersecurityalliance/kestrel-huntbook/HEAD?filepath=tutorial .. _Kestrel documentation: https://kestrel.readthedocs.io/
.. _A comprehensive introduction to Kestrel: https://kestrel.readthedocs.io/en/stable/overview/ .. _The two key concepts of Kestrel: https://kestrel.readthedocs.io/en/stable/language/tac.html#key-concepts .. _Interactive tutorial with quiz: https://mybinder.org/v2/gh/opencybersecurityalliance/kestrel-huntbook/HEAD?filepath=tutorial .. _Kestrel runtime installation: https://kestrel.readthedocs.io/en/stable/installation/runtime.html .. _How to connect to your data sources: https://kestrel.readthedocs.io/en/stable/installation/datasource.html .. _How to execute an analytic hunt step in Python/Docker: https://kestrel.readthedocs.io/en/stable/installation/analytics.html .. _Language reference book: https://kestrel.readthedocs.io/en/stable/language/commands.html .. _How to use Kestrel via API: https://kestrel.readthedocs.io/en/stable/source/kestrel.session.html .. _How to launch Kestrel as a Docker container: https://kestrel.readthedocs.io/en/stable/deployment/ .. _Kestrel documentation on talks: https://kestrel.readthedocs.io/en/stable/talks.html
.. _Kestrel huntbook: https://github.com/opencybersecurityalliance/kestrel-huntbook .. _Kestrel analytics: https://github.com/opencybersecurityalliance/kestrel-analytics
.. _Building a Huntbook to Discover Persistent Threats from Scheduled Windows Tasks: https://opencybersecurityalliance.org/huntbook-persistent-threat-discovery-kestrel/ .. _Practicing Backward And Forward Tracking Hunts on A Windows Host: https://opencybersecurityalliance.org/backward-and-forward-tracking-hunts-on-a-windows-host/ .. _Building Your Own Kestrel Analytics and Sharing With the Community: https://opencybersecurityalliance.org/kestrel-custom-analytics/ .. _Setting Up The Open Hunting Stack in Hybrid Cloud With Kestrel and SysFlow: https://opencybersecurityalliance.org/kestrel-sysflow-open-hunting-stack/ .. _Try Kestrel in a Cloud Sandbox: https://opencybersecurityalliance.org/try-kestrel-in-a-cloud-sandbox/ .. _Fun with securitydatasets.com and the Kestrel PowerShell Deobfuscator: https://opencybersecurityalliance.org/fun-with-securitydatasets-com-and-the-kestrel-powershell-deobfuscator/ .. _Kestrel Data Retrieval Explained: https://opencybersecurityalliance.org/kestrel-data-retrieval-explained/
.. _RSA Conference 2021: https://www.rsaconference.com/Library/presentation/USA/2021/The%20Game%20of%20Cyber%20Threat%20Hunting%20The%20Return%20of%20the%20Fun .. _RSA'21 session recording: https://www.youtube.com/watch?v=-Xb086R0JTk .. _SANS Threat Hunting Summit 2021: https://www.sans.org/blog/a-visual-summary-of-sans-threat-hunting-summit-2021/ .. _SANS'21 session recording: https://www.youtube.com/watch?v=gyY5DAWLwT0 .. _BlackHat Europe 2021: https://www.blackhat.com/eu-21/arsenal/schedule/index.html#an-open-stack-for-threat-hunting-in-hybrid-cloud-with-connected-observability-25112 .. _Infosec Jupyterthon 2021: https://infosecjupyterthon.com/2021/agenda.html .. _IJ'21 live hunt recording: https://www.youtube.com/embed/nMnHBnYfIaI?start=20557&end=22695 .. _Infosec Jupyterthon 2022: https://infosecjupyterthon.com/2022/agenda.html .. _IJ'22 live hunt recording: https://www.youtube.com/embed/8Mw1yyYkeqM?start=23586&end=26545 .. _SC eSummit on Threat Hunting & Offense Security: https://www.scmagazine.com/esummit/automating-the-hunt-for-advanced-threats .. _Cybersecurity Automation Workshop: http://www.cybersecurityautomationworkshop.org/ .. _Black Hat USA 2023: https://www.blackhat.com/us-23/arsenal/schedule/index.html#identity-threat-hunting-with-kestrel-33662 .. _Black Hat USA 2022: https://www.blackhat.com/us-22/arsenal/schedule/index.html#streamlining-and-automating-threat-hunting-with-kestrel-28014 .. _BH'22 recording: https://www.youtube.com/watch?v=tf1VLIpFefs .. _Black Hat USA 2022 session recording: https://www.youtube.com/watch?v=tf1VLIpFefs .. _BH'22 hunting lab: https://mybinder.org/v2/gh/opencybersecurityalliance/black-hat-us-2022/HEAD?filepath=demo .. _Black Hat USA 2022 Kestrel hunting lab: https://mybinder.org/v2/gh/opencybersecurityalliance/black-hat-us-2022/HEAD?filepath=demo
.. _slack invitation: https://join.slack.com/t/open-cybersecurity/shared_invite/zt-19pliofsm-L7eSSB8yzABM2Pls1nS12w .. _Open Cybersecurity Alliance workspace: https://open-cybersecurity.slack.com/ .. _GitHub Issue: https://github.com/opencybersecurityalliance/kestrel-lang/issues .. _contributing guideline: CONTRIBUTING.rst .. _governance documentation: GOVERNANCE.rst .. _Apache License 2.0: LICENSE.md
FAQs
Kestrel Threat Hunting Language
We found that kestrel-lang demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.