Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/a3sal0n/cyberthreathunting

A collection of resources for Threat Hunters

cybersecurity dfir incident-response threat-hunting threat-intelligence


# Cyber Threat Hunting
A collection of tools and other resources for threat hunters.

## Sections
- [Hunting Tools](#hunting-tools) - A collection of open source tools and guides for hunting
- [Resources](#resources) - Useful resources to get started in Threat Hunting
- [Hunting with AI](#hunting-with-ai) - Leverage the power of ChatGPT prompts for Threat Hunting
- [Must Read](#must-read) - Articles and blog posts covering different aspects of Threat Hunting
- [Custom Scripts](tools/README.md) - Our own tools and scripts to support different types of hunts

### Hunting Tools
- [Velociraptor](https://docs.velociraptor.app/)
- [Facebook's osquery](https://osquery.io/)
- [Google's GRR](https://github.com/google/grr)
- [Logging, searching and visualization with ELK](https://www.elastic.co/products/elasticsearch)
- [Back to Basics: Enhance Windows Security with Sysmon and Graylog](https://www.graylog.org/blog/83-back-to-basics-enhance-windows-security-with-sysmon-and-graylog)
- [Building a Sysmon Dashboard with an ELK Stack](https://cyberwardog.blogspot.cz/2017/03/building-sysmon-dashboard-with-elk-stack.html)
- [Advanced Sysmon configuration, Installer & Auto Updater with high-quality event tracing](https://github.com/ion-storm/sysmon-config)
- [Advanced Threat detection Configurations for Graylog](https://github.com/ion-storm/Graylog_Sysmon)
- [Elk + Osquery + Kolide Fleet = Love](https://jordanpotti.com/2018/02/16/elk-osquery-kolide-fleet-love/) - Hunting with ELK, Osquery and Kolide Fleet
- [CyLR](https://github.com/orlikoski/CyLR) - Live Response Collection tool
- [Unix-like Artifacts Collector](https://github.com/tclahr/uac)
- [Kroll Artifact Parser And Extractor (KAPE)](https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape)
- [Chainsaw](https://github.com/WithSecureLabs/chainsaw) - Rapidly search and hunt through Windows forensic artefacts
- [evtx-hunter](https://github.com/NVISOsecurity/evtx-hunter) - Python tool that generates a web report of interesting activity observed in EVTX files

### Resources
- [MITRE ATT&CK](https://attack.mitre.org/wiki/Main_Page) - A curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target.
- [MITRE CAR](https://car.mitre.org/wiki/Main_Page) - A knowledge base of analytics developed by MITRE based on the Adversary Tactics, Techniques, and Common Knowledge (ATT&CK™) threat model.
- [Threat Hunting with Bro IDS](https://www.jamesbower.com/threat-hunting-with-bro-ids/?utm_campaign=crowdfire&utm_content=crowdfire&utm_medium=social&utm_source=social#14225595-tw%231487983917678)
- [Automating APT Scanning with Loki Scanner and Splunk](http://www.redblue.team/2017/04/automating-apt-scanning-with-loki.html?m=1)
- [The ThreatHunting Project](https://github.com/ThreatHuntingProject/ThreatHunting) - A great collection of hunts by @DavidJBianco
- [Threat Hunting Techniques - AV, Proxy, DNS and HTTP Logs](http://www.brainfold.net/2016/08/threat-hunting-techniques-av-proxy-dns.html)
- [Cyber Threat hunting with Sqrrl (From Beaconing to Lateral Movement)](https://cyber-ir.com/2017/04/19/cyber-threat-hunting-with-sqrrl-from-beaconing-to-lateral-movement/amp/)
- [The ThreatHunter-Playbook](https://github.com/VVard0g/ThreatHunter-Playbook) - Hunting by leveraging Sysmon and Windows Events logs
- [Detecting Lateral Movement through Tracking Event Logs](https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf)
- [How to build a Threat Hunting platform using ELK Stack](https://www.peerlyst.com/posts/how-to-build-a-threat-hunting-platform-using-elk-stack-chiheb-chebbi?utm_source=LinkedIn&utm_medium=Application_Share&utm_content=peerlyst_post&utm_campaign=peerlyst_shared_post)
- [Endpoint Detection of Remote Service Creation and PsExec](https://countercept.com/blog/endpoint-detection-of-remote-service-creation-and-psexec/) - Hunting for lateral movement with Event Tracing for Windows (ETW)

### Hunting with AI
- [10 ways to use ChatGPT for Threat Hunting](https://infosecwriteups.com/learn-10-ways-to-use-chatgpt-for-threat-hunting-right-now-9fab5507f3b8)
- [ChatGPT for CTI Professionals](https://socradar.io/chatgpt-for-cti-professionals/)
- [Complete ChatGPT Guide for DevSecOps: Top 20 Most Essential Prompts](https://levelup.gitconnected.com/complete-chatgpt-guide-for-devsecops-top-20-most-essential-prompts-ef21e0aa4830)
- [ChatGPT Use Cases for CyberSecurity Folks](https://atrhein.medium.com/chatgpt-use-cases-for-cybersecurity-folks-c4ae83656b92)
- [60 Chat GPT Prompts for Cyber Security by Experts](https://nextdoorsec.com/chat-gpt-prompts-for-cyber-security/)

### Must Read
- [Threat Hunting: Open Season on the Adversary](https://www.sans.org/reading-room/whitepapers/analyst/threat-hunting-open-season-adversary-36882)
- [The Who, What, Where, When, Why and How of Effective Threat Hunting](https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785)
- [Incident Response is Dead... Long Live Incident Response](https://medium.com/@sroberts/incident-response-is-dead-long-live-incident-response-5ba1de664b95)
- [Hunting, and Knowing What To Hunt For](http://windowsir.blogspot.cz/2015/06/hunting-and-knowing-what-to-huntnot-for.html)
- [Cyber Hunting: 5 Tips To Bag Your Prey](http://www.darkreading.com/risk/cyber-hunting-5-tips-to-bag-your-prey/a/d-id/1319634?_mc=RSS_DR_EDT)
- [A Simple Hunting Maturity Model](http://detect-respond.blogspot.cz/2015/10/a-simple-hunting-maturity-model.html)
- [A Framework for Cyber Threat Hunting](http://sqrrl.com/media/Framework-for-Threat-Hunting-Whitepaper.pdf)
- [Seek Evil, and Ye Shall Find: A Guide to Cyber Threat Hunting Operations](https://digitalguardian.com/blog/seek-evil-and-ye-shall-find-guide-cyber-threat-hunting-operations)
- [A Guide to Cyber Threat Hunting Operations](https://www.infosecurity-magazine.com/opinions/a-guide-to-cyber-threat-hunting/)
- [Inside 3 top threat hunting tools](http://www.networkworld.com/article/3150473/security/threat-hunting-tools-could-be-a-security-game-changer.html#slide13) - High level overview of Sqrrl, Infocyte and EndGame
- [True Threat Hunting: more than just threats and anomalies](http://www.baesystems.com/en/cybersecurity/blog/true-threat-hunting#) - Some valid thoughts on what's needed for an effective Threat Hunting program