A curated list of awesome threat detection and hunting resources
Switch branches/tags
Nothing to show
Clone or download
Latest commit 955bc3c Sep 12, 2018
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
CODE-OF-CONDUCT.md Initial commit Jan 13, 2018
CONTRIBUTING.md Initial commit Jan 13, 2018
README.md Update README.md Sep 12, 2018

README.md

Awesome Threat Detection and Hunting

Awesome

A curated list of awesome threat detection and hunting resources

Contents

Threat Detection and Hunting

Tools

  • MITRE ATT&CK Navigator(source code) - The ATT&CK Navigator is designed to provide basic navigation and annotation of ATT&CK matrices, something that people are already doing today in tools like Excel.
  • HELK - A Hunting ELK (Elasticsearch, Logstash, Kibana) with advanced analytic capabilities.
  • osquery - An operating system instrumentation framework for Windows, OS X (macOS), Linux, and FreeBSD. It exposes an operating system as a high-performance relational database.
  • osquery-configuration - A repository for using osquery for incident detection and response.
  • DetectionLab - Vagrant & Packer scripts to build a lab environment complete with security tooling and logging best practices.
  • Sysmon-DFIR - Sources, configuration and how to detect evil things utilizing Microsoft Sysmon.
  • sysmon-config - Sysmon configuration file template with default high-quality event tracing.
  • sysmon-modular - A repository of sysmon configuration modules. It also includes a mapping of Sysmon configurations to MITRE ATT&CK techniques.
  • Revoke-Obfuscation - PowerShell Obfuscation Detection Framework.
  • Invoke-ATTACKAPI - A PowerShell script to interact with the MITRE ATT&CK Framework via its own API.
  • Unfetter - A reference implementation provides a framework for collecting events (process creation, network connections, Window Event Logs, etc.) from a client machine and performing CAR analytics to detect potential adversary activity.
  • NOAH - PowerShell No Agent Hunting.
  • PSHunt - Powershell Threat Hunting Module.
  • Flare - An analytical framework for network traffic and behavioral analytics.
  • go-audit - An alternative to the auditd daemon that ships with many distros.
  • sqhunter - A simple threat hunting tool based on osquery, Salt Open and Cymon API.
  • RedHunt-OS - A Virtual Machine for Adversary Emulation and Threat Hunting. RedHunt aims to be a one stop shop for all your threat emulation and threat hunting needs by integrating attacker's arsenal as well as defender's toolkit to actively identify the threats in your environment.
  • Oriana - Lateral movement and threat hunting tool for Windows environments built on Django comes Docker ready.
  • JA3 - A method for profiling SSL/TLS Clients
  • Bro-Osquery - Bro integration with osquery
  • Brosquery - A module for osquery to load Bro logs into tables
  • Kolide Fleet - A flexible control server for osquery fleets
  • DeepBlueCLI - A PowerShell Module for Hunt Teaming via Windows Event Logs

Dataset

Resources

Frameworks

  • MITRE ATT&CK - A curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target.
  • MITRE CAR - The Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the Adversary Tactics, Techniques, and Common Knowledge (ATT&CK™) adversary model.
  • Alerting and Detection Strategies Framework - A framework for developing alerting and detection strategies.
  • A Simple Hunting Maturity Model - The Hunting Maturity Model describes five levels of organizational hunting capability, ranging from HMM0 (the least capability) to HMM4 (the most).
  • The Pyramic of Pain - The relationship between the types of indicators you might use to detect an adversary's activities and how much pain it will cause them when you are able to deny those indicators to them.
  • A Framework for Cyber Threat Hunting
  • The PARIS Model - A model for threat hunting.
  • Cyber Kill Chain - It is part of the Intelligence Driven Defense® model for identification and prevention of cyber intrusions activity. The model identifies what the adversaries must complete in order to achieve their objective.
  • The DML Model - The Detection Maturity Level (DML) model is a capability maturity model for referencing ones maturity in detecting cyber attacks.
  • Endgame Hunt Cycle
  • NIST Cybersecurity Framework
  • Sigma - Generic Signature Format for SIEM Systems

DNS

Command and Control

Osquery

Windows

Sysmon
PowerShell

Research Papers

Blogs

Videos

Trainings

Twitter

Threat Simulation

A curated list of awesome adversary simulation resources

Tools

  • MITRE CALDERA - An automated adversary emulation system that performs post-compromise adversarial behavior within Windows Enterprise networks.
  • APTSimulator - A Windows Batch script that uses a set of tools and output files to make a system look as if it was compromised.
  • Atomic Red Team - Small and highly portable detection tests mapped to the Mitre ATT&CK Framework.
  • Network Flight Simulator - flightsim is a lightweight utility used to generate malicious network traffic and help security teams to evaluate security controls and network visibility.
  • Metta - A security preparedness tool to do adversarial simulation.
  • Red Team Automation (RTA) - RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK.
  • SharpShooter - Payload Generation Framework.
  • CACTUSTORCH - Payload Generation for Adversary Simulations.
  • DumpsterFire - A modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events.
  • Empire(website) - A PowerShell and Python post-exploitation agent.
  • PowerSploit - A PowerShell Post-Exploitation Framework.
  • RedHunt-OS - A Virtual Machine for Adversary Emulation and Threat Hunting. RedHunt aims to be a one stop shop for all your threat emulation and threat hunting needs by integrating attacker's arsenal as well as defender's toolkit to actively identify the threats in your environment.

Resources

Contribute

Contributions welcome! Read the contribution guidelines first.

License

CC0

To the extent possible under law, Adel "0x4D31" Karimi has waived all copyright and related or neighboring rights to this work.