Skip to content
A Threat hunter's playbook to aid the development of techniques and hypothesis for hunting campaigns.
Python Dockerfile
Branch: master
Clone or download

Latest commit

Latest commit 2f8918a Feb 15, 2020


Type Name Latest commit message Commit time
Failed to load latest commit information.
docs Update Gemfile.lock Feb 15, 2020
playbooks Updated Mordor Datasets Locations Jan 1, 2020
resources Updated documentation Dec 17, 2019
scripts Updated Repo Dec 25, 2019
signatures/sigma Updated BinderHub Repo and playbooks Dec 26, 2019
.gitignore Revamping Project May 15, 2019
Dockerfile Updated BinderHub Repo and playbooks Dec 26, 2019
LICENSE Book Test & License Update Jul 30, 2019 Updated OS badge Jan 21, 2020

The ThreatHunter-Playbook

Binder License: GPL v3 Twitter Open Source Love

The Threat Hunter Playbook is a community-based open source project developed to share threat hunting concepts and aid the development of techniques and hypothesis for hunting campaigns by leveraging security event logs from diverse operating systems. This project provides not only information about detections, but also other very important activites when developing analytics such as data documentation, data modeling and even data quality assessments.

In addition, the analytics shared in this project represent specific chains of events exclusively at the host and network level and in a SQL-like format so that you can take them and apply the logic in your preferred tool or query format. The analytics provided in this repo also follow the structure of MITRE ATT&CK categorizing post-compromise adversary behavior in tactical groups.

Finally, the project documents detection strategies in the form of interactive notebooks to provide an easy and flexible way to visualize the expected output and be able to run the analytics against pre-recorded mordor datasets through BinderHub cloud computing environments.


  • Expedite the development of techniques an hypothesis for hunting campaigns.
  • Help Threat Hunters understand patterns of behavior observed during post-exploitation.
  • Reduce the number of false positives while hunting by providing more context around suspicious events.
  • Share real-time analytics validation examples through cloud computing environments for free.
  • Distribute Threat Hunting concepts and processes around the world for free.
  • Map pre-recorded datasets to adversarial techniques.
  • Accelerate infosec lerning through open source resources.

A Jupyter Book

I converted the whole repo into a book for you to read and follow as part of the documentation


Roberto Rodriguez @Cyb3rWard0g

Official Committers

  • Jose Luis Rodriguez @Cyb3rPandaH is adding his expertise in data science to it.


Can't wait to see other hunters' pull requests with awesome ideas to detect advanced patterns of behavior. The more chains of events you contribute the better this playbook will be for the community.

  • Submit Pull requests following the TEMPLATE format.
  • Highly recommend to test your chains of events or provide references to back it up before submitting a pull request (Article, whitepaper, hunter notes, etc).
    • Hunter notes are very useful and can help explaining why you would hunt for specific chains of events.
  • Feel free to submit pull requests to enhance hunting techniques. #SharingIsCaring


  • OSX & Linux Playbooks
  • Cloud AWS Playbooks
  • Update Binder Libraries (Testing)
You can’t perform that action at this time.