Threat Hunting & Detection techniques

Threat Hunting general techniques

OTRF/ThreatHunter-Playbook

The Threat Hunter Playbook is a community-based open source project developed to share threat hunting concepts and aid the development of techniques and hypothesis for hunting campaigns by leveraging security event logs from diverse operating systems. This project provides not only information about detections, but also other very important activites when developing analytics such as data documentation, data modeling and even data quality assessments.

github.com

Excelerating Analysis - Tips and Tricks to Analyze Data with Microsoft Excel

Incident response investigations don't always involve standard host-based artifacts with fully developed parsing and analysis tools. At FireEye Mandiant, we frequently encounter incidents that involve a number of systems and solutions that utilize custom logging or artifact data.

www.fireeye.com

Excelerating Analysis - Tips and Tricks to Analyze Data with Microsoft Excel

Hunting based on logs

Enabling your Windows logs

Cheat-Sheets - Malware Archaeology

"Windows logging Cheat Sheet", "Splunk Logging Cheat Sheet"

www.malwarearchaeology.com

Elastic Security opens public detection rules repo

At Elastic, we believe in the power of open source and understand the importance of community. By putting the community first, we ensure that we create the best possible product for our users. With Elastic Security, two of our core objectives are to stop threats at scale and arm every analyst.

www.elastic.co

Elastic Security opens public detection rules repo

Neo23x0/sigma

Generic Signature Format for SIEM Systems Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file.

github.com

Useful Windows Event Logs during an investigation

THREAT HUNTING WITH WINDOWS SECURITY EVENT LOGS - Blue Team Blog

Threat hunting can be a long, difficult process. Due to this, many companies simply don't bother threat hunting whatsoever. Many guides out there also use Sysmon for threat hunting. Sysmon is great, but for various reasons many people simply don't have this set up, or lack the knowledge to use it properly.

blueteamblog.com

THREAT HUNTING WITH WINDOWS SECURITY EVENT LOGS - Blue Team Blog

Finding Forensic Goodness In Obscure Windows Event Logs

If you've been doing some digital forensics or threat hunting for some time. You'll know that one of the key sources of information are the Windows event logs. Most of the talks around the windows event logs only mention the "main" sources of logs such as "System" or "Application", even though windows provide many sources.

nasbench.medium.com

Finding Forensic Goodness In Obscure Windows Event Logs

Configuring AWS logs

How to respond in AWS?

Detection based on Windows artefacts and tools used by the attacker

Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk) Tom Ueltschi, Swiss Post CERT.

www.botconf.eu

Attack Defense & Detection

This page is meant to be a resource for Detecting & Defending against attacks. I provide references for the attacks and a number of defense & detection techniques. Active Directory & Windows Security ATTACK AD Recon Active Directory Recon Without Admin Rights SPN Scanning - Service Discovery without Network Port Scanning Beyond Domain Admins - ...

adsecurity.org

HoldMyBeer

Sysinternals is my go to Windows toolkit for malware analysis, incident response, and troubleshooting. Sysinternals contain tools that enable the user to analyze the inner workings of a Windows system. In this blog post, I will be covering how to use Sysinternals in Red vs.Blue competitions to detect Red team activity.

holdmybeersecurity.com

Defending Against PowerShell Attacks | PowerShell

Updated Feb 20th, 2020 with latest guidance] The security industry is ablaze with news about how PowerShell is being used by both commodity malware and attackers alike. Surely there's got to be a way to defend yourself against these attacks! There absolutely is.

devblogs.microsoft.com

Defending Against PowerShell Attacks | PowerShell

Hunting on Azure

Microsoft Threat Protection advanced hunting cheat sheet

Cheat sheets can be handy for penetration testers, security analysts, and for many other technical roles. They provide best practices, shortcuts, and other ideas that save defenders a lot of time. They are especially helpful when working with tools that require special knowledge like advanced huntin...

techcommunity.microsoft.com

Microsoft Threat Protection advanced hunting cheat sheet

Enhancing your detection capabilities

Introducing the Funnel of Fidelity

The Funnel of Fidelity depicts the process of applying different analytical procedures to manage millions of contextual events and apply limited investigative resources to the events or situations that are most likely to be malicious. The funnel consists of 5 stages: collection, detection, triage, investigation, and remediation.

posts.specterops.io

Host-based Threat Modeling & Indicator Design

Last week, my colleague Brian Reitz (@brian_psu) wrote a brilliant post about leveraging PSReflect to model malware techniques. This post builds upon his thought process and explicitly lays out SpecterOps' methodology surrounding threat modeling and design of defensive indicators. Ultimately, this process is designed to facilitate researching a technique from the underlying technology all the way to specific implementations.

posts.specterops.io

Host-based Threat Modeling & Indicator Design

Stateful detection engineering

Detection engineering at Elastic is both a set of reliable principles - or methodologies - and a collection of effective tools. In this series, we'll share some of the foundational concepts that we've discovered over time to deliver resilient detection logic.

www.elastic.co

🗃️

AppCompatProcessor

logparsingosxlinux

🦹🏼

Attack Data by Splunk

adversary emulationsplunk

🔍

Autopsy

all-in-oneforensicsanalyticsartifact collectionartifact analysis

🦠

Crits

cyber threat intelligenceanalytics

DetectionLab

detection toolsandboxwindowsactive directory

🗃️

DFIR-O365RC

artifact collectionlogo365

📑

Fenrir

ioc scannerlinuxosx

🦌

HELK

analytics

📑

Logdissect

logparsing

⏰

LOKI

yaraioc scanner

📑

LORG

logartifact analysishttpd

📑

MEEKRAT

windowsartifact collectionioc scanner

⚙️

MSTIC Jupyter and Python Security Tools

acquisitionartifact collectionanalyticsartifact analysisazure sentinel

🔍

osquery

analyticssystem monitoringosxlinuxwindowsfreebsd

📄

OSSEM

logstandardizationdocumentation

📑

PyaraScanner

yaraioc scanner

📑

rastrea2r

yaraartifact analysiswindowslinuxosx

🔍

Redline (FireEye)

forensicsanalyticswindowslinuxosxartifact collection

Security Onion

all-in-oneanalyticslinux distribution

📑

Sigma

logyararulesetsiemalerting

🦌

SOF ELK

analytics

⏰

StreamAlert

analyticsserverlessalertinglogawslambda

🌟

Sysmon DFIR

windowsartifact collectiondetection toolrulesetsystem monitoringsysmon

🦠

ThreatFox

saascyber threat intelligenceartifact analysismalware analysisioc scanner

⏰

Yara

cyber threat intelligenceyara

⏰

Yara-Rules

cyber threat intelligenceyararuleset