Threat Hunting general techniques
The Threat Hunter Playbook is a community-based open source project developed to share threat hunting concepts and aid the development of techniques and hypotheses for hunting campaigns by leveraging security event logs from diverse operating systems. This project provides not only information about detections, but also other very important activities when developing analytics, such as data documentation, data modeling and even data quality assessments.
Excelerating Analysis - Tips and Tricks to Analyze Data with Microsoft Excel
Incident response investigations don't always involve standard host-based artifacts with fully developed parsing and analysis tools. At FireEye Mandiant, we frequently encounter incidents that involve a number of systems and solutions that utilize custom logging or artifact data.
Hunting based on logs
Enabling your Windows logs
Cheat-Sheets - Malware Archaeology
"Windows logging Cheat Sheet", "Splunk Logging Cheat Sheet"
Elastic Security opens public detection rules repo
At Elastic, we believe in the power of open source and understand the importance of community. By putting the community first, we ensure that we create the best possible product for our users. With Elastic Security, two of our core objectives are to stop threats at scale and arm every analyst.
Generic Signature Format for SIEM Systems
Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file.
Useful Windows Event Logs during an investigation
THREAT HUNTING WITH WINDOWS SECURITY EVENT LOGS - Blue Team Blog
Threat hunting can be a long, difficult process. Due to this, many companies simply don't bother threat hunting whatsoever. Many guides out there also use Sysmon for threat hunting. Sysmon is great, but for various reasons many people simply don't have this set up, or lack the knowledge to use it properly.
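To make the two entries above concrete (the Sigma rule format, and hunting on the native Security event log without Sysmon), here is an added example that is not code from Sigma, the Threat Hunter Playbook, or the linked blog posts. It implements a deliberately small subset of Sigma's detection semantics (field maps are ANDed, list values are ORed, the contains/startswith/endswith modifiers, case-insensitive comparison, and a condition of the form "selection and not filter") and runs a hypothetical rule over constructed Security event ID 4688 records, which requires process command-line auditing to be enabled. The rule, the allow-listed parent process name and the sample events are all assumptions made for the illustration.

```python
"""Minimal Sigma-style matcher run over constructed Windows Security 4688 events.

Added illustration only: this is not Sigma's own tooling (sigma-cli / pySigma)
and not code from the Threat Hunter Playbook. It covers a subset of Sigma:
selections as field maps (AND), list values (OR), the |contains / |startswith /
|endswith modifiers, case-insensitive matching, and "selection and not filter".
"""

# Hypothetical rule written in Sigma's layout but already parsed into a dict so
# the example needs no PyYAML. Field names follow Security event ID 4688.
RULE = {
    "title": "Encoded PowerShell command line (example rule)",
    "logsource": {"product": "windows", "service": "security"},
    "detection": {
        "selection": {
            "EventID": 4688,
            "NewProcessName|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": [" -enc", " -encodedcommand", " -e "],
        },
        # Hypothetical allow-listed parent process; a real filter would be
        # built from what is known-good in the environment being hunted.
        "filter": {"ParentProcessName|endswith": "\\monitoringagent.exe"},
        "condition": "selection and not filter",
    },
}


def _match_value(field_value, modifier, expected):
    """Compare one event field with one expected value (case-insensitive, like Sigma)."""
    if field_value is None:
        return False
    actual = str(field_value).lower()
    want = str(expected).lower()
    if modifier is None:
        return actual == want
    if modifier == "contains":
        return want in actual
    if modifier == "startswith":
        return actual.startswith(want)
    if modifier == "endswith":
        return actual.endswith(want)
    raise ValueError(f"unsupported modifier: {modifier}")


def _match_selection(selection, event):
    """Every field in a selection must match (AND); a list of values is OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event.get(field), modifier or None, c) for c in candidates):
            return False
    return True


def rule_matches(rule, event):
    """Evaluate a rule whose condition is 'selection' or 'selection and not filter'."""
    det = rule["detection"]
    cond = det["condition"].replace(" ", "")
    if cond == "selection":
        return _match_selection(det["selection"], event)
    if cond == "selectionandnotfilter":
        return _match_selection(det["selection"], event) and not _match_selection(det["filter"], event)
    raise ValueError(f"unsupported condition: {det['condition']}")


# Constructed sample events shaped like Security 4688 with command-line auditing
# on, plus one unrelated 4624 logon event. None of them come from a real incident.
EVENTS = [
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc SQBFAFgA", "SubjectUserName": "jdoe"},
    {"EventID": 4688, "NewProcessName": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "ParentProcessName": "C:\\Program Files\\Vendor\\monitoringagent.exe",
     "CommandLine": "pwsh.exe -EncodedCommand VwByAGkAdABlAA==", "SubjectUserName": "SYSTEM"},
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1", "SubjectUserName": "jdoe"},
    {"EventID": 4624, "LogonType": 3, "SubjectUserName": "svc_backup"},
]


def hunt(rule, events):
    """Return the indices of the events that match the rule."""
    return [i for i, ev in enumerate(events) if rule_matches(rule, ev)]


if __name__ == "__main__":
    for i in hunt(RULE, EVENTS):
        print(f"[{RULE['title']}] hit on event {i}: {EVENTS[i]['CommandLine']}")
```

Only the first event fires: the second is an encoded command too, but its parent is the allow-listed agent and the filter removes it, and the third runs a script file rather than an encoded command. Real Sigma conditions are richer than the two shapes handled here (arbitrary boolean expressions, `1 of`/`all of` wildcards, aggregation), so treat the matcher as a reading aid for the format, not a replacement for the Sigma toolchain.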
Finding Forensic Goodness In Obscure Windows Event Logs
If you've been doing digital forensics or threat hunting for some time, you'll know that one of the key sources of information is the Windows event logs. Most of the talks about the Windows event logs only mention the "main" sources such as "System" or "Application", even though Windows provides many more sources.
Configuring AWS logs
Detection based on Windows artefacts and tools used by the attacker
Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk) Tom Ueltschi, Swiss Post CERT.
Attack Defense & Detection
This page is meant to be a resource for Detecting & Defending against attacks. I provide references for the attacks and a number of defense & detection techniques. Active Directory & Windows Security ATTACK AD Recon Active Directory Recon Without Admin Rights SPN Scanning - Service Discovery without Network Port Scanning Beyond Domain Admins - ...
Sysinternals is my go-to Windows toolkit for malware analysis, incident response, and troubleshooting. Sysinternals contains tools that enable the user to analyze the inner workings of a Windows system. In this blog post, I will be covering how to use Sysinternals in Red vs. Blue competitions to detect Red team activity.
Defending Against PowerShell Attacks | PowerShell
[Updated Feb 20th, 2020 with latest guidance] The security industry is ablaze with news about how PowerShell is being used by both commodity malware and attackers alike. Surely there's got to be a way to defend yourself against these attacks! There absolutely is.
Hunting on Azure
Microsoft Threat Protection advanced hunting cheat sheet
Cheat sheets can be handy for penetration testers, security analysts, and for many other technical roles. They provide best practices, shortcuts, and other ideas that save defenders a lot of time. They are especially helpful when working with tools that require special knowledge like advanced huntin...
Enhancing your detection capabilities
Introducing the Funnel of Fidelity
The Funnel of Fidelity depicts the process of applying different analytical procedures to manage millions of contextual events and apply limited investigative resources to the events or situations that are most likely to be malicious. The funnel consists of 5 stages: collection, detection, triage, investigation, and remediation.
Host-based Threat Modeling & Indicator Design
Last week, my colleague Brian Reitz (@brian_psu) wrote a brilliant post about leveraging PSReflect to model malware techniques. This post builds upon his thought process and explicitly lays out SpecterOps' methodology surrounding threat modeling and design of defensive indicators. Ultimately, this process is designed to facilitate researching a technique from the underlying technology all the way to specific implementations.
Stateful detection engineering
Detection engineering at Elastic is both a set of reliable principles - or methodologies - and a collection of effective tools. In this series, we'll share some of the foundational concepts that we've discovered over time to deliver resilient detection logic.