A curated list of awesome threat detection and hunting resources
Go to file
2018-01-17 12:11:13 +11:00
CODE-OF-CONDUCT.md Initial commit 2018-01-13 21:52:27 +11:00
CONTRIBUTING.md Initial commit 2018-01-13 21:52:27 +11:00
README.md Updated the Sysmon section 2018-01-17 12:11:13 +11:00

Awesome Threat Detection and Hunting

Awesome

A curated list of awesome threat detection and hunting resources

Contents

Threat Detection and Hunting

Tools

  • HELK - A Hunting ELK (Elasticsearch, Logstash, Kibana) with advanced analytic capabilities.
  • osquery - An operating system instrumentation framework for Windows, OS X (macOS), Linux, and FreeBSD. It exposes an operating system as a high-performance relational database.
  • osquery-configuration - A repository for using osquery for incident detection and response.
  • DetectionLab - Vagrant & Packer scripts to build a lab environment complete with security tooling and logging best practices.
  • Sysmon-DFIR - Sources, configuration and how to detect evil things utilizing Microsoft Sysmon.
  • sysmon-config - Sysmon configuration file template with default high-quality event tracing.
  • Atomic Red Team - Small and highly portable detection tests mapped to the Mitre ATT&CK Framework.
  • Revoke-Obfuscation - PowerShell Obfuscation Detection Framework.
  • NOAH - PowerShell No Agent Hunting.
  • PSHunt - Powershell Threat Hunting Module.

Resources

Frameworks

  • MITRE ATT&CK - A curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversarys lifecycle and the platforms they are known to target.
  • MITRE CAR - The Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the Adversary Tactics, Techniques, and Common Knowledge (ATT&CK™) adversary model.
  • Alerting and Detection Strategies Framework - A framework for developing alerting and detection strategies.
  • A Simple Hunting Maturity Model - The Hunting Maturity Model describes five levels of organizational hunting capability, ranging from HMM0 (the least capability) to HMM4 (the most).
  • The Pyramic of Pain - The relationship between the types of indicators you might use to detect an adversary's activities and how much pain it will cause them when you are able to deny those indicators to them.
  • A Framework for Cyber Threat Hunting
  • The PARIS Model - A model for threat hunting.
  • Cyber Kill Chain - It is part of the Intelligence Driven Defense® model for identification and prevention of cyber intrusions activity. The model identifies what the adversaries must complete in order to achieve their objective.
  • The DML Model - The Detection Maturity Level (DML) model is a capability maturity model for referencing ones maturity in detecting cyber attacks.
  • Endgame Hunt Cycle
  • NIST Cybersecurity Framework

Research Papers

Blogs

DNS

Command and Control

PowerShell

Osquery

Sysmon

Videos

Trainings

Twitter

Contribute

Contributions welcome! Read the contribution guidelines first.

License

CC0

To the extent possible under law, Adel "0x4D31" Karimi has waived all copyright and related or neighboring rights to this work.