Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/OTRF/ThreatHunter-Playbook

A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient.

dfir hunter hunting hunting-campaigns hypothesis mitre mitre-attack-db sysmon threat-hunting


README


# The Threat Hunter Playbook

[![Binder](https://mybinder.org/badge_logo.svg)](https://mybinder.org/v2/gh/OTRF/ThreatHunter-Playbook/master)
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
[![Twitter](https://img.shields.io/twitter/follow/HunterPlaybook.svg?style=social&label=Follow)](https://twitter.com/HunterPlaybook)
[![Open_Threat_Research Community](https://img.shields.io/badge/Open_Threat_Research-Community-brightgreen.svg)](https://twitter.com/OTR_Community)
[![Open Source Love](https://badges.frapsoft.com/os/v3/open-source.svg?v=103)](https://github.com/ellerbrock/open-source-badges/)

The Threat Hunter Playbook is a community-driven, open source project to share detection logic, adversary tradecraft and resources to make detection development more efficient. All the detection documents in this project follow the structure of [MITRE ATT&CK](https://attack.mitre.org/), categorizing post-compromise adversary behavior into tactical groups, and are available in the form of [interactive notebooks](https://docs.jupyter.org/en/latest/projects/architecture/content-architecture.html#the-jupyter-notebook-format). The use of notebooks not only allows us to share text, queries and expected output, but also code that helps others run detection logic against [pre-recorded security datasets](https://securitydatasets.com) locally or remotely through [BinderHub](https://mybinder.readthedocs.io/en/latest/index.html) cloud computing environments.

## Docs: https://threathunterplaybook.com/

## Goals

* Expedite the development of techniques and hypotheses for hunting campaigns.
* Help security researchers understand patterns of behavior observed during post-exploitation.
* Share resources to validate analytics locally or remotely through cloud computing environments for free.
* Map pre-recorded datasets to adversarial techniques.
* Accelerate infosec learning through open source resources.

## Author

Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g)

## Official Committers

* Jose Luis Rodriguez [@Cyb3rPandaH](https://twitter.com/Cyb3rPandaH) is adding his expertise in data science to it.

## Acknowledgements

* We document and share our content via a [Jupyter Book](https://jupyterbook.org/intro.html), which was created by [Sam Lau](http://www.samlau.me/) and [Chris Holdgraf](https://predictablynoisy.com/) with the support of the **UC Berkeley Data Science Education Program and the [Berkeley Institute for Data Science](https://bids.berkeley.edu/)**.