Version 6.0.0 of AC-Hunter Has Been Released!
The Christmas lights are dark, the tree is down, and it’s freezing outside. Grab a cup of hot cocoa and enjoy a new release of AC-Hunter!
In AC-Hunter v6.0, we bring in a brand new module, Cyber Deception! This new module will allow you to create canary tokens in Windows environments for file access and user-account login monitoring to detect individuals trying to pry on your network before they access something you don’t want them to.
Any time a resource you’re monitoring via a canary token is accessed, that event will trigger an alert to AC-Hunter and be viewable within the Cyber Deception module. You can then investigate the IP address that triggered that event or even view the full Windows Event Log generated from the triggered event. We hope that this new feature will assist in detecting potential data and network breaches.
The v6.0 User Guide includes a section on how to set up canary tokens.
If you’re interested in seeing a sample data set with deception events, please open up the “dnscat-ja3-strobe” sample data set in v6.0.
Certificate Screen Removed
The process of designing and implementing RITA and AC-Hunter has been a fluid one; we’ve looked at customer needs and available data, and have tried to find good matches between the two. In most cases, these fit well together and we provide tools that help find Threats in your network.
The Certificate tab hasn’t lived up to what we, and you, need. While it’s nice to know that a certificate on a TLS or SSL server has issues, this rarely (if ever) leads to a Threat in the way that the other investigation features of AC-Hunter do. Since both RITA and AC-Hunter are primarily focused on Threat Hunting, we deprecated the AC-Hunter Certificate screen last fall and have removed it in release 6.0.0.
For those that have used this screen to identify certificate issues in the past, it will still be possible to locate the certificates with problems using the certificate-issues command line tool. Sample output:
#Seen source_ip server_ip srv_prt TLS_ver hostname Invalid Certificate Code 6 10.0.0.117 188.8.131.52 443 TLSv12 v10.events.data.microsoft.com unable to get local issuer certificate 18 10.0.0.103 184.108.40.206 443 TLSv12 gsas.apple.com self signed certificate in certificate chain 6 10.0.0.103 220.127.116.11 443 TLSv12 gsa.apple.com self signed certificate in certificate chain 18 10.0.0.117 18.104.22.168 443 TLSv12 v10.events.data.microsoft.com unable to get local issuer certificate 12 10.0.0.117 22.214.171.124 443 TLSv12 v10.events.data.microsoft.com unable to get local issuer certificate 6 10.0.0.117 126.96.36.199 443 TLSv12 v20.events.data.microsoft.com unable to get local issuer certificate 6 10.0.0.117 188.8.131.52 443 TLSv12 v10.events.data.microsoft.com unable to get local issuer certificate
The script is available at https://github.com/activecm/certificate-issues . To pull down the main script directly, you can request https://raw.githubusercontent.com/activecm/certificate-issues/main/certificate_issues.sh . There are examples of how to use it at the top of the script. If you have any questions or comments about this, please reach out to us.
Starting with this release we’ll be using the term “safelist” instead of “whitelist”. These changes will be pulled in over the next few releases.
Bug Fixes and Improvements
Any searches entered in another module will be cleared when you come back to the Dashboard.
Our investigation menu for IP addresses has some new entries: Censys, Onyphe, and Symantec Site Review. If you’re doing a brand new install, these will show up by default. If you are upgrading, you can copy these new entries from /etc/AC-Hunter/config.yaml.default to /etc/AC-Hunter/config.yaml . (Make sure you restart AC-Hunter by running “hunt up -d –force-recreate” when done.)
Previous releases ran into a “missing tool” problem when the install was started on a Mac and the install command line used hostnames. This has been resolved.
The distributed tar file includes a “Where do I start?” document in both text and PDF formats, covering where to find resources to get going with AC-Hunter.
We resolved an issue where logs were not being imported when the sensor had a custom name.
When a data set contains more than 24 hours worth of data (due to long connections longer than 24 hours, for example), we now display the most recent 24 hours where the most interesting data can be found.
As always, there are lots of other behind-the-scenes changes and tweaks to AC-Hunter.
We’d like to extend our thanks to the individuals who were willing to Beta test this release.
Interested in threat hunting tools? Check out AC-Hunter
Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We appreciate your feedback so we can keep providing the type of content the community wants to see. Please feel free to Email Us with your ideas!
Bill has authored numerous articles and tools for client use. He also serves as a content author and faculty member at the SANS Institute, teaching the Linux System Administration, Perimeter Protection, Securing Linux and Unix, and Intrusion Detection tracks. Bill’s background is in network and operating system security; he was the chief architect of one commercial and two open source firewalls and is an active contributor to multiple projects in the Linux development effort. Bill’s articles and tools can be found in online journals and at http://github.com/activecm/ and http://www.stearns.org.