Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/gossithedog/threathunting
Tools for hunting for threats.
https://github.com/gossithedog/threathunting
nexthink threat-hunting
Last synced: 3 months ago
JSON representation
Tools for hunting for threats.
- Host: GitHub
- URL: https://github.com/gossithedog/threathunting
- Owner: GossiTheDog
- License: gpl-3.0
- Created: 2017-12-07T20:51:40.000Z (almost 7 years ago)
- Default Branch: master
- Last Pushed: 2023-08-25T12:12:31.000Z (about 1 year ago)
- Last Synced: 2024-07-29T23:56:58.877Z (3 months ago)
- Topics: nexthink, threat-hunting
- Language: YARA
- Size: 171 KB
- Stars: 566
- Watchers: 50
- Forks: 57
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-security-collection - **105**星
README
# ThreatHunting
I am publishing GPL v3 tools for hunting for threats in your organisations.
# Nexthink modules
Threat hunting - Potential malware downloads v1.0.xml
This is a report which shows all calls to internet domains from common malware document techniques. Most endpoint malware - such as macros, Office exploits etc - use the same set of methods to download their payloads.
The methods currently monitored include:
- rundll32
- mshta
- PowerShell
- wscript/cscript
- wmic
- sct remote calls
- InfDefaultInstall (Inf remote calls)
- certutil
The report will show domains. You can change the report to show users, executables instead if you want, or investigate each domain
In terms of false positives, you will very likely want to add a rule to filter out traffic destined for your internal IP ranges, or whitelist domains inside your environment. For example, when adding a Printer it will call rundll32, and hit the printer for web traffic - which triggers in the report - just whitelist it.