Related Awesome Lists

• Awesome Honeypots
• Awesome Incident Response
• Awesome Malware Analysis
• Awesome Security

Email Monitoring

• ThreatHunter-Playbook - A Threat hunter's playbook to aid the development of techniques and hypothesis for hunting campaigns.
• Alerting and Detection Strategy Framework
• Generating Hypotheses for Successful Threat Hunting
• Expert Investigation Guide - Threat Hunting
• Threat Hunting for Fileless Malware
• Windows Commands Abused by Attackers
• On TTPs
• Slides
• Threat Hunting Techniques - AV, Proxy, DNS and HTTP Logs
• Detecting Malware Beacons Using Splunk
• Data Science Hunting Funnel
• Use Python & Pandas to Create a D3 Force Directed Network Diagram
• Syscall Auditing at Scale
• Catching attackers with go-audit and a logging pipeline
• The Coventry Conundrum of Threat Intelligence
• DFIR - security-summit/archives/cyber-defense)) - Threat hunting, Blue Team and DFIR summit slides
• Bro-Osquery - Large-Scale Host and Network Monitoring Using Open-Source Software
• Threat Hunting with Jupyter Notebooks
• How Dropbox Security builds tools for threat detection and incident response
• Introducing Event Query Language
• The No Hassle Guide to Event Query Language (EQL) for Threat Hunting - EQLforThreatHunting.pdf))
• Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
• Detection Spectrum - DetectionSpectrum.pdf))
• Capability Abstraction - CapabilityAbstraction.pdf))
• Defining ATT&CK Data Sources - A two-part blog series that outlines a new methodology to extend ATT&CK’s current data sources.
• DETT&CT: MAPPING YOUR BLUE TEAM TO MITRE ATT&CK™ - A blog that describes how to align MITRE ATT&CK-based detection content with data sources.
• Lessons Learned in Detection Engineering - A well experienced detection engineer describes in detail his observations, challenges, and recommendations for building an effective threat detection program.
• A Research-Driven process applied to Threat Detection Engineering Inputs
• Investigation Scenario
• Oh My Malware - A video series focused on malware execution and investigations using Elastic Security.
• Alerting and Detection Strategy Framework
• Threat Hunting with Jupyter Notebooks
• Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
• Detection Spectrum - DetectionSpectrum.pdf))
• Capability Abstraction - CapabilityAbstraction.pdf))
• A Research-Driven process applied to Threat Detection Engineering Inputs
• Alerting and Detection Strategy Framework
• Threat Hunting with Jupyter Notebooks
• Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
• Detection Spectrum - DetectionSpectrum.pdf))
• Capability Abstraction - CapabilityAbstraction.pdf))
• A Research-Driven process applied to Threat Detection Engineering Inputs
• Part 1, - cd-detection-engineering-splunk-s-attack-range-part-2.html)[and Part 3](https://www.splunk.com/en_us/blog/security/ci-cd-detection-engineering-failing-part-3.html) - A multipart series describing how detection as code can be successfully deployed in a Splunk environment.

Windows

• Active Directory Threat Hunting
• Windows Logging Cheat Sheets
• Windows Commands Abused by Attackers
• JPCERT - Detecting Lateral Movement through Tracking Event Logs
• Splunking the Endpoint: Threat Hunting with Sysmon
• Hunting with Sysmon
• Threat Hunting with Sysmon: Word Document with Macro
• Part I (Event ID 7)
• Part II (Event ID 10)
• botconf 2016 Slides - Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf))
• The Sysmon and Threat Hunting Mimikatz wiki for the blue team
• Splunkmon — Taking Sysmon to the Next Level
• Sysmon Threat Detection Guide - SysmonThreatAnalysisGuide.pdf))
• Paper - 17/thursday/us-17-Bohannon-Revoke-Obfuscation-PowerShell-Obfuscation-Detection-And%20Evasion-Using-Science.pdf))
• Hunting the Known Unknowns (With PowerShell)
• HellsBells, Let's Hunt PowerShells!
• Hunting for PowerShell Using Heatmaps

Frameworks

• MITRE ATT&CK - A curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target.
• A Simple Hunting Maturity Model - The Hunting Maturity Model describes five levels of organizational hunting capability, ranging from HMM0 (the least capability) to HMM4 (the most).
• The Pyramic of Pain - The relationship between the types of indicators you might use to detect an adversary's activities and how much pain it will cause them when you are able to deny those indicators to them.
• The PARIS Model - A model for threat hunting.
• Cyber Kill Chain - It is part of the Intelligence Driven Defense® model for identification and prevention of cyber intrusions activity. The model identifies what the adversaries must complete in order to achieve their objective.
• The DML Model - The Detection Maturity Level (DML) model is a capability maturity model for referencing ones maturity in detecting cyber attacks.
• NIST Cybersecurity Framework
• MITRE Engage - A framework for planning and discussing adversary engagement operations that empowers you to engage your adversaries and achieve your cybersecurity goals.
• MaGMa Use Case Defintion Model - A business-centric approach for planning and defining threat detection use cases.

Osquery

• osquery Across the Enterprise
• osquery for Security — Part 1
• osquery for Security — Part 2 - Advanced osquery functionality, File integrity monitoring, process auditing, and more.
• Tracking a stolen code-signing certificate with osquery
• Monitoring macOS hosts with osquery
• The osquery Extensions Skunkworks Project
• osquery Across the Enterprise
• osquery Across the Enterprise
• osquery Across the Enterprise

Blogs

• Alexandre Teixeira
• David Bianco's Blog
• DFIR and Threat Hunting Blog
• CyberWardog's Blog
• Chris Sanders' Blog
• Anton Chuvakin
• Kolide Blog

DNS

• Detecting DNS Tunneling
• Hunting the Known Unknowns (with DNS)
• Detecting dynamic DNS domains in Splunk
• Random Words on Entropy and DNS
• Tracking Newly Registered Domains
• Suspicious Domains Tracking Dashboard
• Proactive Malicious Domain Search
• DNS is NOT Boring - Using DNS to Expose and Thwart Attacks
• Actionable Detects - Blue Team Tactics

Fingerprinting

• JA3: SSL/TLS Client Fingerprinting for Malware Detection
• TLS Fingerprinting with JA3 and JA3S
• HASSH - a profiling method for SSH Clients and Servers
• HASSH @BSides Canberra 2019 - Slides
• Finding Evil on the Network Using JA3/S and HASSH
• RDP Fingerprinting - Profiling RDP Clients with JA3 and RDFP
• Effective TLS Fingerprinting Beyond JA3
• TLS Fingerprinting in the Real World
• HTTP Client Fingerprinting Using SSL Handshake Analysis
• TLS fingerprinting - Smarter Defending & Stealthier Attacking
• JA3er - a DB of JA3 fingerprints
• An Introduction to HTTP fingerprinting
• TLS Fingerprints
• The use of TLS in Censorship Circumvention
• HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
• Markov Chain Fingerprinting to Classify Encrypted Traffic
• HeadPrint: Detecting Anomalous Communications through Header-based Application Fingerprinting
• HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
• HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting

Research Papers

• Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains
• The Diamond Model of Intrusion Analysis
• EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis
• Paper
• On Botnets that use DNS for Command and Control

• MITRE ATT&CK Navigator - attack/attack-navigator)) - The ATT&CK Navigator is designed to provide basic navigation and annotation of ATT&CK matrices, something that people are already doing today in tools like Excel.
• Uncoder - An online translator for SIEM saved searches, filters, queries, API requests, correlation and Sigma rules
• Capa - An open-source tool to identify capabilities in executable files.

Endpoint Monitoring

• Sysmon - A Windows system service and device driver that monitors and logs system activity to the Windows event log

Network Monitoring

• Moloch - A large scale and open source full packet capture and search tool

Email Monitoring

• Splunk Detections
• MITRE CAR - The Cyber Analytics Repository is a knowledge base of analytics developed by MITRE based on the Adversary Tactics, Techniques, and Common Knowledge (ATT&CK™) adversary model.

Email Monitoring

• SecRepo.com - Samples of security related data.
• EMBER - The EMBER dataset is a collection of features from PE files that serve as a benchmark dataset for researchers
• CIC Datasets - Canadian Institute for Cybersecurity datasets
• Netresec's PCAP repo list - A list of public packet capture repositories, which are freely available on the Internet.

Related Awesome Lists

• Cloud Security Podcast
• Detection: Challenging Paradigms
• Darknet Diaries - True stories from the dark side of the Internet.

Related Awesome Lists

• SANS Threat Hunting and IR Summit 2017
• SANS Threat Hunting and IR Summit 2016
• BotConf 2016 - Advanced Incident Detection and Threat Hunting using Sysmon and Splunk
• BSidesCharm 2017 - Detecting the Elusive: Active Directory Threat Hunting
• BSidesAugusta 2017 - Machine Learning Fueled Cyber Threat Hunting
• Toppling the Stack: Outlier Detection for Threat Hunters
• BSidesPhilly 2017 - Threat Hunting: Defining the Process While Circumventing Corporate Obstacles
• Black Hat 2017 - Revoke-Obfuscation: PowerShell Obfuscation Detection (And Evasion) Using Science
• DefCon 25 - MS Just Gave the Blue Team Tactical Nukes
• BSides London 2017 - Hunt or be Hunted
• SecurityOnion 2017 - Pivoting Effectively to Catch More Bad Guys
• SkyDogCon 2016 - Hunting: Defense Against The Dark Arts
• BSidesAugusta 2017 - Don't Google 'PowerShell Hunting'
• BSidesAugusta 2017 - Hunting Adversaries w Investigation Playbooks & OpenCNA
• Visual Hunting with Linked Data
• RVAs3c - Pyramid of Pain: Intel-Driven Detection/Response to Increase Adversary's Cost
• BSidesLV 2016 - Hunting on the Endpoint w/ Powershell
• Derbycon 2015 - Intrusion Hunting for the Masses A Practical Guide
• BSides DC 2016 - Practical Cyborgism: Getting Start with Machine Learning for Incident Detection
• SANS Webcast 2018 - What Event Logs? Part 1: Attacker Tricks to Remove Event Logs
• Profiling And Detecting All Things SSL With JA3
• ACoD 2019 - HASSH SSH Client/Server Profiling
• QueryCon 2018 - An annual conference for the osquery open-source community ([querycon.io](https://querycon.io))
• Visual Hunting with Linked Data Graphs
• SecurityOnion Con 2018 - Introduction to Data Analysis
• Insider Threats Detection at Airbus – AI up Against Data Leakage and Industrial Espionage
• Cyber Security Investigations with Jupyter Notebooks

Related Awesome Lists

• Applied Network Defense
• Security Blue Team
• TryHackMe - Hands-on cyber security training through real-world scenarios.
• Investigating Windows Endpoints
• HackTheBox - While not directly related to threat detection, the website features training modules on general security and offensive topics that can be beneficial for junior SOC analysts.
• TryHackMe - Hands-on cyber security training through real-world scenarios.

Related Awesome Lists

• Splunk Boss of the SOC - Hands-on workshops and challenges to practice threat hunting using the BOTS and other datasets.

Related Awesome Lists

• "Awesome Detection" Twitter List - Twitter accounts that tweet about threat detection, hunting and DFIR.

Related Awesome Lists

• MITRE's Adversary Emulation Plans
• Payload Generation using SharpShooter
• SpecterOps Blog
• Threat Hunting
• Advanced Threat Tactics - A free course on red team operations and adversary simulations.
• C2 Matrix - GR4zGZi0ooPYtBe4IgPsSc))
• SpecterOps Blog
• Threat Hunting
• SpecterOps Blog
• Threat Hunting