Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
repo-2396-awesome-threat-detection
https://github.com/orgTestCodacy11KRepos110MB/repo-2396-awesome-threat-detection
Last synced: 3 days ago
JSON representation
-
Threat Detection and Hunting
-
Tools
- HELK - A Hunting ELK (Elasticsearch, Logstash, Kibana) with advanced analytic capabilities.
- Brosquery - A module for osquery to load Bro logs into tables
- osquery-configuration - A repository for using osquery for incident detection and response.
- Sysmon-DFIR - Sources, configuration and how to detect evil things utilizing Microsoft Sysmon.
- sysmon-config - Sysmon configuration file template with default high-quality event tracing.
- sysmon-modular - A repository of sysmon configuration modules. It also includes a [mapping](https://github.com/olafhartong/sysmon-modular/blob/master/attack_matrix/README.md) of Sysmon configurations to MITRE ATT&CK techniques.
- Revoke-Obfuscation - PowerShell Obfuscation Detection Framework.
- DeepBlueCLI - A PowerShell Module for Hunt Teaming via Windows Event Logs
- Invoke-ATTACKAPI - A PowerShell script to interact with the MITRE ATT&CK Framework via its own API.
- Flare - An analytical framework for network traffic and behavioral analytics.
- RedHunt-OS - A Virtual Machine for Adversary Emulation and Threat Hunting. RedHunt aims to be a one stop shop for all your threat emulation and threat hunting needs by integrating attacker's arsenal as well as defender's toolkit to actively identify the threats in your environment.
- Oriana - Lateral movement and threat hunting tool for Windows environments built on Django comes Docker ready.
- Bro-Osquery - Bro integration with osquery
- Dispatch - An open-source crisis management orchestration framework
- EQL - Event Query Language
- BZAR - based Analytics and Reporting) - A set of Zeek scripts to detect ATT&CK techniques
- Security Onion - An open-source Linux distribution for threat hunting, security monitoring, and log management. It includes ELK, Snort, Suricata, Zeek, Wazuh, Sguil, and many other security tools
- Varna - A quick & cheap AWS CloudTrail Monitoring with Event Query Language (EQL)
- BinaryAlert - Serverless, real-time & retroactive malware detection
- hollows_hunter - Scans all running processes, recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
- ThreatHunting - A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
- YARA - The pattern matching swiss knife
- Intel Owl - An Open Source Intelligence, or OSINT solution to get threat intelligence data about a specific file, an IP or a domain from a single API at scale.
- Splunk Security Content - curated detection content that can easily be used accross many SIEMs (see Uncoder Rule Converter.)
- Threat Bus - Threat intelligence dissemination layer to connect security tools through a distributed publish/subscribe message broker.
- zeek2es - An open source tool to convert Zeek logs to Elastic/OpenSearch. You can also output pure JSON from Zeek's TSV logs!
- ElastAlert - A framework for alerting on anomalies, spikes, or other patterns of interest from data in Elasticsearch
- StreamAlert - A serverless, realtime data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using datasources and alerting logic you define
- Kolide Fleet - A flexible control server for osquery fleets
- Zeek Agent - An endpoint monitoring agent that provides host activity to Zeek
- Velociraptor - Endpoint visibility and collection tool
- Sysdig - A tool for deep Linux system visibility, with native support for containers. Think about sysdig as strace + tcpdump + htop + iftop + lsof + ...awesome sauce
- go-audit - An alternative to the Linux auditd daemon
- OSSEC - An open-source Host-based Intrusion Detection System (HIDS)
- WAZUH - An open-source security platform
- Zeek - A network security monitoring tool
- ntopng - A web-based network traffic monitoring tool
- Joy - A package for capturing and analyzing network flow data and intraflow data, for network research, forensics, and security monitoring
- Netcap - A framework for secure and scalable network traffic analysis
- Stenographer - A full-packet-capture tool
- JA3 - A method for profiling SSL/TLS Clients and Servers
- HASSH - Profiling Method for SSH Clients and Servers
- FATT - A pyshark based script for extracting network metadata and fingerprints from pcap files and live network traffic
- FingerprinTLS - A TLS fingerprinting method
- Mercury - Network fingerprinting and packet metadata capture
- GQUIC Protocol Analyzer for Zeek
- Recog - A framework for identifying products, services, operating systems, and hardware by matching fingerprints against data returned from various network probes
- Hfinger - Fingerprinting HTTP requests
- JARM - An active Transport Layer Security (TLS) server fingerprinting tool.
- MITRE ATT&CK Navigator - navigator)) - The ATT&CK Navigator is designed to provide basic navigation and annotation of ATT&CK matrices, something that people are already doing today in tools like Excel.
- Sentinel Attack - A repository of Azure Sentinel alerts and hunting queries leveraging sysmon and the MITRE ATT&CK framework
- Moloch - A large scale and open source full packet capture and search tool
- Sigma - Generic Signature Format for SIEM Systems
- RDFP - Zeek Remote desktop fingerprinting script based on [FATT](https://github.com/0x4D31/fatt) (Fingerprint All The Things)
- Unfetter - A reference implementation provides a framework for collecting events (process creation, network connections, Window Event Logs, etc.) from a client machine and performing CAR analytics to detect potential adversary activity.
- Brim - A desktop application to efficiently search large packet captures and Zeek logs
- Capa - An open-source tool to identify capabilities in executable files.
- DetectionLab - Vagrant & Packer scripts to build a lab environment complete with security tooling and logging best practices.
- Snort - A network intrusion detection tool
- Suricata - A network threat detection engine
- VAST - A network telemetry engine for data-driven security investigations.
- EQLLib - The Event Query Language Analytics Library (eqllib) is a library of event based analytics, written in EQL to detect adversary behaviors identified in MITRE ATT&CK™.
- CimSweep - A suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows
-
Dataset
- Boss of the SOC (BOTS) Dataset Version 1
- Boss of the SOC (BOTS) Dataset Version 2
- Boss of the SOC (BOTS) Dataset Version 3
- theZoo - A repository of LIVE malwares
- PCAP-ATTACK - A repo of PCAP samples for different ATT&CK techniques.
- EVTX-ATTACK-SAMPLES - A repo of Windows event samples (EVTX) associated with ATT&CK techniques ([EVTX-ATT&CK Sheet](https://docs.google.com/spreadsheets/d/12V5T9j6Fi3JSmMpAsMwovnWqRFKzzI9l2iXS5dEsnrs/edit#gid=164587082)).
- CIC Datasets - Canadian Institute for Cybersecurity datasets
- Netresec's PCAP repo list - A list of public packet capture repositories, which are freely available on the Internet.
- Mordor - Pre-recorded security events generated by simulated adversarial techniques in the form of JavaScript Object Notation (JSON) files. The data is categorized by platforms, adversary groups, tactics and techniques defined by the Mitre ATT&CK Framework.
- EMBER - The EMBER dataset is a collection of features from PE files that serve as a benchmark dataset for researchers
- SecRepo.com - Samples of security related data.
-
Resources
- The ThreatHunting Project - A great [collection of hunts](https://github.com/ThreatHuntingProject/ThreatHunting/tree/master/hunts) and threat hunting resources.
- CyberThreatHunting - A collection of resources for threat hunters.
- Hunt-Detect-Prevent - Lists of sources and utilities to hunt, detect and prevent evildoers.
- Alerting and Detection Strategy Framework
- Malware Persistence - Collection of various information focused on malware persistence: detection (techniques), response, pitfalls and the log collection (tools).
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- Awesome YARA - A curated list of awesome YARA rules, tools, and resources
- Alerting and Detection Strategies Framework - A framework for developing alerting and detection strategies.
- Windows Hunting - A collection of Windows hunting queries
- Tool Analysis Result Sheet
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- osquery Across the Enterprise
- osquery for Security — Part 2 - Advanced osquery functionality, File integrity monitoring, process auditing, and more.
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- Alerting and Detection Strategy Framework
- Expert Investigation Guide - Threat Hunting
- Active Directory Threat Hunting
- Windows Commands Abused by Attackers
- Slides
- Threat Hunting Techniques - AV, Proxy, DNS and HTTP Logs
- Detecting Malware Beacons Using Splunk
- Data Science Hunting Funnel
- Use Python & Pandas to Create a D3 Force Directed Network Diagram
- Catching attackers with go-audit and a logging pipeline
- The Coventry Conundrum of Threat Intelligence
- Bro-Osquery - Large-Scale Host and Network Monitoring Using Open-Source Software
- Threat Hunting with Jupyter Notebooks
- How Dropbox Security builds tools for threat detection and incident response
- Introducing Event Query Language
- The No Hassle Guide to Event Query Language (EQL) for Threat Hunting - EQLforThreatHunting.pdf))
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- Lessons Learned in Detection Engineering - A well experienced detection engineer describes in detail his observations, challenges, and recommendations for building an effective threat detection program.
- MITRE CAR - The Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the Adversary Tactics, Techniques, and Common Knowledge (ATT&CK™) adversary model.
- The PARIS Model - A model for threat hunting.
- NIST Cybersecurity Framework
- MITRE Shield - A knowledge base of active defense techniques and tactics ([Active Defense Matrix](https://shield.mitre.org/matrix/))
- MaGMa Use Case Defintion Model - A business-centric approach for planning and defining threat detection use cases.
- Hunting the Known Unknowns (with DNS)
- Tracking Newly Registered Domains
- Proactive Malicious Domain Search
- DNS is NOT Boring - Using DNS to Expose and Thwart Attacks
- Actionable Detects - Blue Team Tactics
- Watch Your Containers - A malware using DogeCoin based DGA to generate C2 domain names.
- All the DoH - A Twitter thread on malware families and utilities that use DNS-over-HTTPS.
- osquery Across the Enterprise
- Tracking a stolen code-signing certificate with osquery
- The osquery Extensions Skunkworks Project
- Threat Hunting via Windows Event Logs
- Windows Commands Abused by Attackers
- JPCERT - Detecting Lateral Movement through Tracking Event Logs
- Threat Hunting with Sysmon: Word Document with Macro
- Part I (Event ID 7)
- Part II (Event ID 10)
- The Sysmon and Threat Hunting Mimikatz wiki for the blue team
- Paper - 17/thursday/us-17-Bohannon-Revoke-Obfuscation-PowerShell-Obfuscation-Detection-And%20Evasion-Using-Science.pdf))
- Hunting the Known Unknowns (With PowerShell)
- Hunting for PowerShell Using Heatmaps
- HASSH @BSides Canberra 2019 - Slides
- RDP Fingerprinting - Profiling RDP Clients with JA3 and RDFP
- Effective TLS Fingerprinting Beyond JA3
- TLS Fingerprinting in the Real World
- TLS fingerprinting - Smarter Defending & Stealthier Attacking
- JA3er - a DB of JA3 fingerprints
- An Introduction to HTTP fingerprinting
- TLS Fingerprints
- The use of TLS in Censorship Circumvention
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- Markov Chain Fingerprinting to Classify Encrypted Traffic
- HeadPrint: Detecting Anomalous Communications through Header-based Application Fingerprinting
- On Botnets that use DNS for Command and Control
- Anton Chuvakin
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- osquery Across the Enterprise
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- osquery Across the Enterprise
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- osquery Across the Enterprise
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- Alerting and Detection Strategy Framework
- Deception-as-Detection - Deception based detection techniques mapped to the MITRE’s ATT&CK framework.
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Defining ATT&CK Data Sources - A two-part blog series that outlines a new methodology to extend ATT&CK’s current data sources.
- DETT&CT: MAPPING YOUR BLUE TEAM TO MITRE ATT&CK™ - A blog that describes how to align MITRE ATT&CK-based detection content with data sources.
- osquery for Security — Part 1
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- osquery Across the Enterprise
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- Alerting and Detection Strategy Framework
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- osquery Across the Enterprise
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- osquery Across the Enterprise
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- osquery Across the Enterprise
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- osquery Across the Enterprise
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- Alerting and Detection Strategy Framework
- osquery Across the Enterprise
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- osquery Across the Enterprise
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- Part 1, - cd-detection-engineering-splunk-s-attack-range-part-2.html)[and Part 3](https://www.splunk.com/en_us/blog/security/ci-cd-detection-engineering-failing-part-3.html) - A multipart series describing how detection as code can be successfully deployed in a Splunk environment.
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- osquery Across the Enterprise
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- osquery Across the Enterprise
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- osquery Across the Enterprise
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- ThreatHunter-Playbook - A Threat hunter's playbook to aid the development of techniques and hypothesis for hunting campaigns.
- Threat Hunting with Jupyter Notebooks
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- Random Words on Entropy and DNS
- osquery Across the Enterprise
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- Alerting and Detection Strategy Framework
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- DFIR - security-summit/archives/cyber-defense)) - Threat hunting, Blue Team and DFIR summit slides
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- Threat Hunting with Jupyter Notebooks
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- osquery Across the Enterprise
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- osquery Across the Enterprise
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- osquery Across the Enterprise
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- osquery Across the Enterprise
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- osquery Across the Enterprise
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- osquery Across the Enterprise
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- osquery Across the Enterprise
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- Threat Hunting for Fileless Malware
- Alerting and Detection Strategy Framework
- Signal the ATT&CK: Part 1 - Building a real-time threat detection capability with Tanium that focuses on documented adversarial techniques.
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- osquery Across the Enterprise
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- MITRE ATT&CK - A curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target.
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- Detecting dynamic DNS domains in Splunk
- osquery Across the Enterprise
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- HellsBells, Let's Hunt PowerShells!
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
- Alerting and Detection Strategy Framework
- Threat Hunting with Jupyter Notebooks
- Introducing the Funnel of Fidelity - IntroducingtheFunnelofFidelity.pdf))
- Detection Spectrum - DetectionSpectrum.pdf))
- Capability Abstraction - CapabilityAbstraction.pdf))
- HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting
-
Videos
- BotConf 2016 - Advanced Incident Detection and Threat Hunting using Sysmon and Splunk
- BSidesCharm 2017 - Detecting the Elusive: Active Directory Threat Hunting
- BSidesAugusta 2017 - Machine Learning Fueled Cyber Threat Hunting
- Toppling the Stack: Outlier Detection for Threat Hunters
- BSidesPhilly 2017 - Threat Hunting: Defining the Process While Circumventing Corporate Obstacles
- Black Hat 2017 - Revoke-Obfuscation: PowerShell Obfuscation Detection (And Evasion) Using Science
- DefCon 25 - MS Just Gave the Blue Team Tactical Nukes
- BSides London 2017 - Hunt or be Hunted
- SecurityOnion 2017 - Pivoting Effectively to Catch More Bad Guys
- SkyDogCon 2016 - Hunting: Defense Against The Dark Arts
- BSidesAugusta 2017 - Don't Google 'PowerShell Hunting'
- BSidesAugusta 2017 - Hunting Adversaries w Investigation Playbooks & OpenCNA
- Visual Hunting with Linked Data
- RVAs3c - Pyramid of Pain: Intel-Driven Detection/Response to Increase Adversary's Cost
- BSidesLV 2016 - Hunting on the Endpoint w/ Powershell
- Derbycon 2015 - Intrusion Hunting for the Masses A Practical Guide
- BSides DC 2016 - Practical Cyborgism: Getting Start with Machine Learning for Incident Detection
- SANS Webcast 2018 - What Event Logs? Part 1: Attacker Tricks to Remove Event Logs
- Profiling And Detecting All Things SSL With JA3
- ACoD 2019 - HASSH SSH Client/Server Profiling
- Visual Hunting with Linked Data Graphs
- SecurityOnion Con 2018 - Introduction to Data Analysis
-
Trainings
- SANS SEC555 - SIEM with Tactical Analytics.
- SpecterOps Adversary Tactics: Detection
- eLearnSecurity THP - Threat Hunting Professional
-
Twitter
- "Awesome Detection" Twitter List - Security guys who tweet about threat detection, hunting, DFIR, and red teaming
-
-
Threat Simulation
-
Resources
- SpecterOps Blog
- Threat Hunting
- Payload Generation using SharpShooter
- SpecterOps Blog
- Threat Hunting
- C2 Matrix - GR4zGZi0ooPYtBe4IgPsSc))
- SpecterOps Blog
- Threat Hunting
- SpecterOps Blog
- Threat Hunting
- SpecterOps Blog
- SpecterOps Blog
- Threat Hunting
- Threat Hunting
- SpecterOps Blog
- Threat Hunting
- SpecterOps Blog
- Threat Hunting
- SpecterOps Blog
- Threat Hunting
- SpecterOps Blog
- Threat Hunting
- SpecterOps Blog
- Threat Hunting
- SpecterOps Blog
- Threat Hunting
- SpecterOps Blog
- Threat Hunting
- SpecterOps Blog
- Threat Hunting
- SpecterOps Blog
- Threat Hunting
- SpecterOps Blog
- Threat Hunting
- SpecterOps Blog
- Threat Hunting
- SpecterOps Blog
- Threat Hunting
- SpecterOps Blog
- Threat Hunting
- SpecterOps Blog
- SpecterOps Blog
- Threat Hunting
- Threat Hunting
- SpecterOps Blog
- Threat Hunting
- SpecterOps Blog
- Threat Hunting
- SpecterOps Blog
- Threat Hunting
- SpecterOps Blog
- Threat Hunting
- Threat Hunting
- Threat Hunting
- Threat Hunting
- Threat Hunting
- SpecterOps Blog
- Threat Hunting
- Threat Hunting
- Threat Hunting
- Threat Hunting
- Threat Hunting
-
Programming Languages
Sub Categories
Keywords
threat-hunting
13
security
11
dfir
8
incident-response
6
cybersecurity
5
malware-analysis
5
malware-detection
5
detection
5
mitre-attack
4
fingerprinting
4
threat-intelligence
4
python
4
security-tools
3
threatintel
3
nsm
3
elasticsearch
3
network
3
sysmon
3
yara
3
zeek
3
lambda
2
aws
2
honeypot
2
intrusion-detection
2
ids
2
network-analysis
2
serverless
2
terraform
2
pcap
2
network-monitoring
2
splunk
2
ioc
2
pci-dss
2
detection-engineering
2
compliance
2
infosec
2
analysis
2
docker
2
packet-capture
2
powershell
2
octo-correct-managed
2
osquery
2
kibana
2
malware
2
malware-research
2
hunting
2
monitoring
2
cif3
1
cif
1
responses
1