Helpful resources to learn a little bit more about Threat Hunting.
- Gather as many resources as I can about Threat Hunting to share them with the community all at once.
- Share interesting/valuable resources that helped me and others to learn more about Threat Hunting.
| Name | Description | Author |
|---|---|---|
| Hunter | A threat hunting / data analysis environment based on Python, Pandas, PySpark and Jupyter Notebook | @DavidJBianco |
| Clearcut | Clearcut is a tool that uses machine learning to help you focus on the log entries that really need manual review | @DavidJBianco |
| Assimilate | Assimilate is a series of python scripts for using the Naïve Bayes algorithm to find potential malicious activity in HTTP headers | @Soinull |
| Appcompatprocessor | A tool designed to efficiently process and analyse ShimCache and AmCache data at scale for enterprise-wide hunting purposes | Matias Bevilacqua |
| Get-InjectedThreat | A pure powershell tool built on PSReflect that allows a hunter to automatically analyze memory across systems and rapidly highlight injected in-memory-only attacks across systems at scale | @jaredcatkinson & @dez_ _ |
| ACE | The Automated Collection and Enrichment (ACE) platform is a suite of tools for threat hunters to collect data from many endpoints in a network and automatically enrich the data. The data is collected by running scripts on each computer without installing any software on the target. ACE supports collecting from Windows, macOS, and Linux hosts | @jaredcatkinson & @robwinchester3 |
| NOAH | NOAH is an agentless open source Incident Response framework based on PowerShell, called "No Agent Hunting" (NOAH), to help security investigation responders to gather a vast number of key artifacts without installing any agent on the endpoints saving precious time | @pabraeken |
| Invoke-ATTACKAPI | A PowerShell script to interact with the MITRE ATT&CK Framework via its own API in order to gather information about techniques, tactics, groups, software and references provided by the MITRE ATT&CK Team @MITREattack. Very helpful to identify use cases for hunting campaigns. | @Cyb3rWard0g |
| Get-ClrReflection | Scans all processes for executables that are in memory regions of MEM_MAPPED type, PAGE_READWRITE permissions, and are not associated with a file on disk. These criteria are consistent with memory-only CLR (.NET) reflection and are considered suspicious. | @dez_ |
| Atomic-Red-Team | Small and highly portable detection tests mapped to the Mitre ATT&CK Framework. | @redcanaryco |
| Name | Description | Author |
|---|---|---|
| Subverting Trust in Windows | Trust is inherently subjective. What is important is that each organization carefully consider what it means to place trust in technology. | @mattifestation |
| Revoke-Obfuscation: PowerShell Obfuscation Detection (And Evasion) Using Science | Revoke-Obfuscation is the result of industry research collaboration between Daniel Bohannon - Senior Applied Security Researcher at Mandiant/FireEye, and Lee Holmes - Lead Security Architect of Azure Management at Microsoft. | @danielhbohannon & @Lee_Holmes |
| Finding Cyber Threats With ATT&CK-Based Analytics | This paper presents a methodology for using the MITRE ATT&CK framework, a behavioral-based threat model, to identify relevant defensive sensors and build, test, and refine behavioral-based analytic detection capabilities using adversary emulation | @MITREattack |
| Advanced Threat Detection And Response | Using Splunk software to defend against advanced threats | Splunk |
| Network Profiling Using Flow | This report provides a step-by-step guide for profiling—discovering public-facing assets on a network—using network flow (netflow) data | SEI |
| Detecting Lateral Movement through Tracking Event Logs | the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) extracted tools used by many attackers by investigating recently confirmed cases of targeted attacks. Then, a research was conducted to investigate what kind of logs were left on the server and clients by using such tools, and what settings need to be configured to obtain logs that contain sufficient evidential information | @jpcert |
| Name | Description | Author |
|---|---|---|
| How Hot is your Hunt Team? | MITRE ATT&CK framework in the form of a heat map in order to measure the effectiveness of a Hunt Team. | @Cyb3rWard0g |
| Host-based Threat Modeling & Indicator Design | This post explicitly lays out SpecterOps’ methodology surrounding threat modeling and design of defensive indicators. | @jaredatkinson |
| Hunting in Memory | Low noise approach to hunting for adversaries that are hiding in memory. | @dez_ |
| HHunting For In-Memory .NET Attacks | This post investigates an emerging trend of adversaries using .NET-based in-memory techniques to evade detection. | @dez_ |
| Building Operational Threat Hunting Models | 5 Threat Hunting Models that can be used to frame discussions about a threat hunting program and its objectives. | @kathayra |
| How to Use Windows API Knowledge to Be a Better Defender | The Windows API is a large, complex topic with decades of development history and design behind it. Although it is far too vast to cover in a single article, even a cursory knowledge is enough to improve your event analysis and your basic malware analysis skills. | @Bewg12 |
| Thoughts on Host-based Detection Techniques | Three different concepts used by SpecterOps to describe detections | @jaredcatkinson |
| What's in a name? TTPs in InfoSec | What are TTPs? | @robwinchester3 |
| Session Title | Description | Speaker | Reference |
|---|---|---|---|
| Revoke-Obfuscation: PowerShell Obfuscation Detection (And Evasion) Using Science | Revoke-Obfuscation is the result of industry research collaboration between Daniel Bohannon - Senior Applied Security Researcher at Mandiant/FireEye, and Lee Holmes - Lead Security Architect of Azure Management at Microsoft. | @danielhbohannon & @Lee_Holmes | Video |
| Building A Successful Internal Adversarial Simulation Team | @carnal0wnage & indi303 | Video | |
| Go to Hunt Then Sleep | You know you should be hunting for these threats, but where do you start? | @DavidJBianco | Slides |
| Advanced Incident Detection and Threat Hunting using Sysmon and Splunk | Introduction on Sysmon and public resources. Brief recap of BotConf talk with examples. Threat Hunting & Advanced Detection examples. | @c_APT_ure | Slides |
| Hunting for Memory-Resident Malware | emerging trend of adversaries using .NET-based in-memory techniques to evade detection | @dez_ | Video |
| Blue Team Keeping Tempo with Offense | What does it take to build a defensive strategy that assumes as little as possible, favoring suppression of the good over alerting to the bad? | @kwm & @subTee | Video |
| Detecting the Elusive. AD Threat Hunting | Active Directory Threat Hunting | @PyroTek3 | Video |
| Purpose Driven Hunt: What do I do with all this data? | This talk focuses on the often overlooked first step of hunt hypothesis generation which can help guide targeted collection and analysis of forensic artifacts. We will demonstrate how to use the MITRE ATTACK Framework and our five-phase Hypothesis Generation Process to develop actionable hunt processes, narrowing the scope of your Hunt operation and avoiding “analysis paralysis.” | @jaredcatkinson & @robwinchester3 | Video |
| Windows Event Logs -- Zero 2 Hero | In this talk you will be shown logging, consuming, and analyzing (on a small & large scale) WMI tracing logs, Windows Event Logs, PowerShell logs, Cuckoo malware sandbox Windows logs (to give yourself new ideas/hunts), and more. | @neu5ron & @acalarch | Video |
| Tracing Adversaries: Detecting Attacks with ETW | operationalizing ETW to combat contemporary intrusion methodologies and tradecraft | @mhastings & @davehull | Video |