{"id":15034429,"url":"https://github.com/otrf/threathunter-playbook","last_synced_at":"2025-10-17T00:25:13.522Z","repository":{"id":37398642,"uuid":"86409009","full_name":"OTRF/ThreatHunter-Playbook","owner":"OTRF","description":"A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient.","archived":false,"fork":false,"pushed_at":"2024-02-15T15:54:34.000Z","size":34473,"stargazers_count":4160,"open_issues_count":9,"forks_count":825,"subscribers_count":373,"default_branch":"master","last_synced_at":"2025-04-05T11:03:02.415Z","etag":null,"topics":["dfir","hunter","hunting","hunting-campaigns","hypothesis","mitre","mitre-attack-db","sysmon","threat-hunting"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/OTRF.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-03-28T03:07:05.000Z","updated_at":"2025-04-04T05:16:59.000Z","dependencies_parsed_at":"2022-07-11T02:51:24.927Z","dependency_job_id":"a9fa500e-64b0-45d8-835c-b4db6ec3d474","html_url":"https://github.com/OTRF/ThreatHunter-Playbook","commit_stats":null,"previous_names":["cyb3rward0g/threathunter-playbook"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OTRF%2FThreatHunter-Playbook","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OTRF%2FThreatHunter-Playbook/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/r
epositories/OTRF%2FThreatHunter-Playbook/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OTRF%2FThreatHunter-Playbook/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/OTRF","download_url":"https://codeload.github.com/OTRF/ThreatHunter-Playbook/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248573070,"owners_count":21126757,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dfir","hunter","hunting","hunting-campaigns","hypothesis","mitre","mitre-attack-db","sysmon","threat-hunting"],"created_at":"2024-09-24T20:25:01.049Z","updated_at":"2025-10-17T00:25:08.482Z","avatar_url":"https://github.com/OTRF.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# The Threat Hunter Playbook\n\n[![Binder](https://mybinder.org/badge_logo.svg)](https://mybinder.org/v2/gh/OTRF/ThreatHunter-Playbook/master)\n[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)\n[![Twitter](https://img.shields.io/twitter/follow/HunterPlaybook.svg?style=social\u0026label=Follow)](https://twitter.com/HunterPlaybook)\n[![Open_Threat_Research Community](https://img.shields.io/badge/Open_Threat_Research-Community-brightgreen.svg)](https://twitter.com/OTR_Community)\n[![Open Source Love](https://badges.frapsoft.com/os/v3/open-source.svg?v=103)](https://github.com/ellerbrock/open-source-badges/)\n\n\u003cimg src=\"docs/images/logo/logo.png\" width=200\u003e\n\nThe Threat Hunter Playbook is a 
community-driven, open source project to share detection logic, adversary tradecraft and resources to make detection development more efficient. All the detection documents in this project follow the structure of [MITRE ATT\u0026CK](https://attack.mitre.org/), categorizing post-compromise adversary behavior in tactical groups, and are available in the form of [interactive notebooks](https://docs.jupyter.org/en/latest/projects/architecture/content-architecture.html#the-jupyter-notebook-format). The use of notebooks not only allows us to share text, queries and expected output, but also code to help others run detection logic against [pre-recorded security datasets](https://securitydatasets.com) locally or remotely through [BinderHub](https://mybinder.readthedocs.io/en/latest/index.html) cloud computing environments.\n\n## Docs: https://threathunterplaybook.com/\n## Goals\n\n* Expedite the development of techniques and hypotheses for hunting campaigns.\n* Help security researchers understand patterns of behavior observed during post-exploitation.\n* Share resources to validate analytics locally or remotely through cloud computing environments for free.\n* Map pre-recorded datasets to adversarial techniques.\n* Accelerate infosec learning through open source resources.\n\n## Author\n\nRoberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g)\n\n## Official Committers\n\n* Jose Luis Rodriguez [@Cyb3rPandaH](https://twitter.com/Cyb3rPandaH) is adding his expertise in data science to it.\n\n## Acknowledgements\n\n* We document and share our content via a [Jupyter Book](https://jupyterbook.org/intro.html), which was created by [Sam Lau](http://www.samlau.me/) and [Chris Holdgraf](https://predictablynoisy.com/) with the support of the **UC Berkeley Data Science Education Program and the [Berkeley Institute for Data Science](https://bids.berkeley.edu/)**\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fotrf%2Fthreathunter-playbook","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fotrf%2Fthreathunter-playbook","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fotrf%2Fthreathunter-playbook/lists"}