awesome-threat-detection
Threat detection toolkit
A curated collection of threat detection and hunting resources, tools, and frameworks for security professionals.
✨ A curated list of awesome threat detection and hunting resources 🕵️♂️
4k stars
194 watching
660 forks
last commit: 4 months ago
Linked from 4 awesome lists
awesome, awesome-list, detection, incident-response, security, threat-detection, threat-hunting
Awesome Threat Detection and Hunting / Tools | |||
MITRE ATT&CK Navigator | The ATT&CK Navigator is designed to provide basic navigation and annotation of ATT&CK matrices, something that people are already doing today in tools like Excel | ||
HELK | 3,768 | 6 months ago | A Hunting ELK (Elasticsearch, Logstash, Kibana) with advanced analytic capabilities |
DetectionLab | 4,647 | 5 months ago | Vagrant & Packer scripts to build a lab environment complete with security tooling and logging best practices |
Revoke-Obfuscation | 725 | 12 months ago | PowerShell Obfuscation Detection Framework |
Invoke-ATTACKAPI | 367 | almost 6 years ago | A PowerShell script to interact with the MITRE ATT&CK Framework via its own API |
Unfetter | 177 | over 5 years ago | A reference implementation that provides a framework for collecting events (process creation, network connections, Windows Event Logs, etc.) from a client machine and performing CAR analytics to detect potential adversary activity |
Flare | 449 | almost 2 years ago | An analytical framework for network traffic and behavioral analytics |
RedHunt-OS | 1,247 | over 4 years ago | A Virtual Machine for Adversary Emulation and Threat Hunting. RedHunt aims to be a one stop shop for all your threat emulation and threat hunting needs by integrating attacker's arsenal as well as defender's toolkit to actively identify the threats in your environment |
Oriana | 177 | over 3 years ago | A lateral movement and threat hunting tool for Windows environments, built on Django and Docker-ready |
Bro-Osquery | 15 | over 1 year ago | Bro integration with osquery |
Brosquery | 28 | over 9 years ago | A module for osquery to load Bro logs into tables |
DeepBlueCLI | 2,188 | about 1 year ago | A PowerShell Module for Hunt Teaming via Windows Event Logs |
Uncoder | An online translator for SIEM saved searches, filters, queries, API requests, correlation and Sigma rules | ||
CimSweep | 649 | over 5 years ago | A suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows |
Dispatch | 5,112 | 7 days ago | An open-source crisis management orchestration framework |
EQL | 219 | about 1 year ago | Event Query Language |
Awesome Threat Detection and Hunting / Tools / EQL | |||
EQLLib | 158 | almost 4 years ago | The Event Query Language Analytics Library (eqllib) is a library of event based analytics, written in EQL to detect adversary behaviors identified in MITRE ATT&CK™ |
Awesome Threat Detection and Hunting / Tools | |||
BZAR | 565 | 5 months ago | (Bro/Zeek ATT&CK-based Analytics and Reporting) - A set of Zeek scripts to detect ATT&CK techniques |
Security Onion | 3,074 | over 3 years ago | An open-source Linux distribution for threat hunting, security monitoring, and log management. It includes ELK, Snort, Suricata, Zeek, Wazuh, Sguil, and many other security tools |
Varna | 51 | almost 2 years ago | A quick & cheap AWS CloudTrail Monitoring with Event Query Language (EQL) |
BinaryAlert | 1,409 | 11 months ago | Serverless, real-time & retroactive malware detection |
hollows_hunter | 2,032 | 16 days ago | Scans all running processes, recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches) |
ThreatHunting | 1,138 | over 1 year ago | A Splunk app mapped to MITRE ATT&CK to guide your threat hunts |
Sentinel Attack | 1,061 | about 1 year ago | A repository of Azure Sentinel alerts and hunting queries leveraging sysmon and the MITRE ATT&CK framework |
Brim | 1,803 | 7 days ago | A desktop application to efficiently search large packet captures and Zeek logs |
YARA | 8,300 | about 2 months ago | The pattern matching swiss knife |
Intel Owl | 3,842 | 8 days ago | An Open Source Intelligence, or OSINT solution to get threat intelligence data about a specific file, an IP or a domain from a single API at scale |
Capa | 4,873 | 6 days ago | An open-source tool to identify capabilities in executable files |
Splunk Security Content | 1,295 | 3 days ago | Splunk-curated detection content that can easily be used across many SIEMs (see Uncoder Rule Converter) |
Threat Bus | 258 | over 1 year ago | Threat intelligence dissemination layer to connect security tools through a distributed publish/subscribe message broker |
VAST | 645 | 6 days ago | A network telemetry engine for data-driven security investigations |
zeek2es | 35 | over 2 years ago | An open source tool to convert Zeek logs to Elastic/OpenSearch. You can also output pure JSON from Zeek's TSV logs! |
LogSlash | 188 | over 1 year ago | A standard for reducing log volume without sacrificing analytical capability |
SOC-Multitool | 338 | 3 months ago | A powerful and user-friendly browser extension that streamlines investigations for security professionals |
Zeek Analysis Tools (ZAT) | 423 | 10 months ago | Processing and analysis of Zeek network data with Pandas, scikit-learn, Kafka and Spark |
ProcMon for Linux | 4,030 | 7 days ago | |
Synthetic Adversarial Log Objects (SALO) | 77 | 10 months ago | A framework for the generation of log events without the need for infrastructure or actions to initiate the event that causes a log event |
Awesome Threat Detection and Hunting / Tools / Detection, Alerting and Automation Platforms | |||
ElastAlert | 7,997 | 4 months ago | A framework for alerting on anomalies, spikes, or other patterns of interest from data in Elasticsearch |
StreamAlert | 2,861 | about 1 year ago | A serverless, realtime data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using datasources and alerting logic you define |
Matano | 1,470 | 4 months ago | An open source security lake platform (SIEM alternative) for threat hunting, detection and response on AWS. Matano lets you write advanced detections as code (using Python) to correlate and alert on threats in real time |
Shuffle | 1,741 | 4 days ago | A general purpose security automation platform |
Sublime | 166 | 22 days ago | An open platform for detection, response, and threat hunting in email environments. Sublime lets you write advanced detections as code to alert and remediate threats like phishing in real time |
Substation | 329 | 7 days ago | A cloud native data pipeline and transformation toolkit for security teams |
Awesome Threat Detection and Hunting / Tools / Endpoint Monitoring | |||
osquery | SQL powered operating system instrumentation, monitoring, and analytics | ||
Kolide Fleet | 1,103 | almost 4 years ago | A flexible control server for osquery fleets |
Zeek Agent | 124 | about 4 years ago | An endpoint monitoring agent that provides host activity to Zeek |
Velociraptor | 2,975 | 7 days ago | Endpoint visibility and collection tool |
Sysdig | 7,781 | about 1 month ago | A tool for deep Linux system visibility, with native support for containers. Think about sysdig as strace + tcpdump + htop + iftop + lsof + ...awesome sauce |
go-audit | 1,576 | 3 months ago | An alternative to the Linux auditd daemon |
Sysmon | A Windows system service and device driver that monitors and logs system activity to the Windows event log | ||
Sysmon for Linux | 1,746 | 14 days ago | |
OSSEC | 4,502 | 6 months ago | An open-source Host-based Intrusion Detection System (HIDS) |
WAZUH | 10,995 | 6 days ago | An open-source security platform |
sysmon-DFIR | 899 | 11 months ago | Sources, configuration and how to detect evil things utilizing Microsoft Sysmon |
sysmon-config | 4,803 | 5 months ago | Sysmon configuration file template with default high-quality event tracing |
sysmon-modular | 2,661 | 3 months ago | A repository of Sysmon configuration modules. It also includes a mapping of Sysmon configurations to MITRE ATT&CK techniques |
auditd configuration | 1,497 | about 1 month ago | |
osquery-configuration | 828 | over 2 years ago | A repository for using osquery for incident detection and response |
Awesome Threat Detection and Hunting / Tools / Network Monitoring | |||
Zeek | 6,459 | 6 days ago | (formerly Bro) - A network security monitoring tool |
ntopng | 6,277 | 6 days ago | A web-based network traffic monitoring tool |
Suricata | A network threat detection engine | ||
Snort | A network intrusion detection tool | ||
Joy | 1,308 | 8 months ago | A package for capturing and analyzing network flow data and intraflow data, for network research, forensics, and security monitoring |
Netcap | 1,735 | about 1 year ago | A framework for secure and scalable network traffic analysis |
Moloch | 6,334 | 7 days ago | A large scale and open source full packet capture and search tool |
Stenographer | 1,789 | over 3 years ago | A full-packet-capture tool |
JA3 | 2,768 | about 1 year ago | A method for profiling SSL/TLS Clients and Servers |
HASSH | 532 | 8 months ago | Profiling Method for SSH Clients and Servers |
RDFP | 37 | over 1 year ago | Zeek remote desktop fingerprinting script based on FATT (Fingerprint All The Things) |
FATT | 656 | about 1 year ago | A pyshark based script for extracting network metadata and fingerprints from pcap files and live network traffic |
FingerprinTLS | 377 | about 4 years ago | A TLS fingerprinting method |
Mercury | 444 | 13 days ago | Network fingerprinting and packet metadata capture |
GQUIC Protocol Analyzer for Zeek | 76 | about 1 year ago | |
Recog | 671 | about 2 months ago | A framework for identifying products, services, operating systems, and hardware by matching fingerprints against data returned from various network probes |
Hfinger | 132 | over 1 year ago | Fingerprinting HTTP requests |
JARM | 1,170 | over 1 year ago | An active Transport Layer Security (TLS) server fingerprinting tool |
Awesome Threat Detection and Hunting / Tools / Email Monitoring | |||
Sublime Platform | 166 | 22 days ago | An email threat detection engine |
Awesome Threat Detection and Hunting / Detection Rules | |||
Sigma | 8,371 | 6 days ago | Generic Signature Format for SIEM Systems |
Splunk Detections | and | ||
Elastic Detection Rules | 1,966 | 6 days ago | |
MITRE CAR | The Cyber Analytics Repository is a knowledge base of analytics developed by MITRE based on the Adversary Tactics, Techniques, and Common Knowledge (ATT&CK™) adversary model | ||
Awesome YARA Rules | 3,566 | 6 days ago | |
Chronicle Detection Rules | 316 | about 1 month ago | Collection of YARA-L 2.0 sample rules for the Chronicle Detection API |
GCP Security Analytics | 325 | 5 months ago | Community Security Analytics provides a set of community-driven audit & threat queries for Google Cloud |
ThreatHunter-Playbook | 4,025 | 9 months ago | A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient |
Sublime Detection Rules | 256 | 7 days ago | Email attack detection, response, and hunting rules |
Awesome Threat Detection and Hunting / Dataset | |||
Mordor | 1,603 | 8 months ago | Pre-recorded security events generated by simulated adversarial techniques in the form of JavaScript Object Notation (JSON) files. The data is categorized by platforms, adversary groups, tactics and techniques defined by the Mitre ATT&CK Framework |
SecRepo.com | Samples of security related data | ||
Boss of the SOC (BOTS) Dataset Version 1 | 364 | 3 months ago | |
Boss of the SOC (BOTS) Dataset Version 2 | 358 | about 2 years ago | |
Boss of the SOC (BOTS) Dataset Version 3 | 290 | over 4 years ago | |
EMBER | 946 | 4 months ago | The EMBER dataset is a collection of features from PE files that serve as a benchmark dataset for researchers |
theZoo | 11,317 | 6 months ago | A repository of LIVE malwares |
CIC Datasets | Canadian Institute for Cybersecurity datasets | ||
Netresec's PCAP repo list | A list of public packet capture repositories, which are freely available on the Internet | ||
PCAP-ATTACK | 344 | over 3 years ago | A repo of PCAP samples for different ATT&CK techniques |
EVTX-ATTACK-SAMPLES | 2,248 | almost 2 years ago | A repo of Windows event samples (EVTX) associated with ATT&CK techniques |
Public Security Log Sharing Site | |||
attack_data | 588 | 6 days ago | A repository of curated datasets from various attacks |
Awesome Threat Detection and Hunting / Resources | |||
Huntpedia | Your Threat Hunting Knowledge Compendium | ||
Hunt Evil | Your Practical Guide to Threat Hunting | ||
The Hunter's Handbook | Endgame's guide to adversary hunting | ||
ThreatHunter-Playbook | 4,025 | 9 months ago | A Threat hunter's playbook to aid the development of techniques and hypothesis for hunting campaigns |
The ThreatHunting Project | 1,722 | about 3 years ago | A great and threat hunting resources |
CyberThreatHunting | 855 | about 1 month ago | A collection of resources for threat hunters |
Hunt-Detect-Prevent | 162 | almost 6 years ago | Lists of sources and utilities to hunt, detect and prevent evildoers |
Alerting and Detection Strategy Framework | |||
Generating Hypotheses for Successful Threat Hunting | |||
Expert Investigation Guide - Threat Hunting | 50 | over 3 years ago | |
Active Directory Threat Hunting | |||
Threat Hunting for Fileless Malware | |||
Windows Commands Abused by Attackers | |||
Deception-as-Detection | 285 | about 7 years ago | Deception-based detection techniques mapped to MITRE's ATT&CK framework |
On TTPs | |||
Slides | Hunting On The Cheap | ||
Threat Hunting Techniques - AV, Proxy, DNS and HTTP Logs | |||
Detecting Malware Beacons Using Splunk | |||
Data Science Hunting Funnel | |||
Use Python & Pandas to Create a D3 Force Directed Network Diagram | |||
Syscall Auditing at Scale | |||
Catching attackers with go-audit and a logging pipeline | |||
The Coventry Conundrum of Threat Intelligence | |||
Signal the ATT&CK: Part 1 | Building a real-time threat detection capability with Tanium that focuses on documented adversarial techniques | ||
DFIR | SANS Summit Archives - Threat hunting, Blue Team and DFIR summit slides | ||
Bro-Osquery | Large-Scale Host and Network Monitoring Using Open-Source Software | ||
Malware Persistence | 164 | 3 months ago | Collection of various information focused on malware persistence: detection (techniques), response, pitfalls and the log collection (tools) |
Threat Hunting with Jupyter Notebooks | |||
How Dropbox Security builds tools for threat detection and incident response | |||
Introducing Event Query Language | |||
The No Hassle Guide to Event Query Language (EQL) for Threat Hunting | |||
Introducing the Funnel of Fidelity | |||
Detection Spectrum | |||
Capability Abstraction | |||
Awesome YARA | 3,566 | 6 days ago | A curated list of awesome YARA rules, tools, and resources |
Defining ATT&CK Data Sources | A two-part blog series that outlines a new methodology to extend ATT&CK’s current data sources | ||
DETT&CT: MAPPING YOUR BLUE TEAM TO MITRE ATT&CK™ | A blog that describes how to align MITRE ATT&CK-based detection content with data sources | ||
Part 1, | Detection as Code in Splunk - A multipart series describing how detection as code can be successfully deployed in a Splunk environment | ||
Lessons Learned in Detection Engineering | An experienced detection engineer describes in detail his observations, challenges, and recommendations for building an effective threat detection program | ||
A Research-Driven process applied to Threat Detection Engineering Inputs | |||
Investigation Scenario | tweets by Chris Sanders | ||
Oh My Malware | A video series focused on malware execution and investigations using Elastic Security | ||
Awesome Threat Detection and Hunting / Resources / Frameworks | |||
MITRE ATT&CK | A curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target | ||
Alerting and Detection Strategies Framework | 689 | almost 3 years ago | A framework for developing alerting and detection strategies |
A Simple Hunting Maturity Model | The Hunting Maturity Model describes five levels of organizational hunting capability, ranging from HMM0 (the least capability) to HMM4 (the most) | ||
The Pyramid of Pain | The relationship between the types of indicators you might use to detect an adversary's activities and how much pain it will cause them when you are able to deny those indicators to them | ||
A Framework for Cyber Threat Hunting | |||
The PARIS Model | A model for threat hunting | ||
Cyber Kill Chain | Part of the Intelligence Driven Defense® model for the identification and prevention of cyber intrusion activity. The model identifies what the adversaries must complete in order to achieve their objective | ||
The DML Model | The Detection Maturity Level (DML) model is a capability maturity model for referencing one's maturity in detecting cyber attacks | ||
NIST Cybersecurity Framework | |||
OSSEM | 1,238 | over 1 year ago | (Open Source Security Events Metadata) - A community-led project that focuses on the documentation and standardization of security event logs from diverse data sources and operating systems |
Open Cybersecurity Schema Framework (OCSF) | 631 | 7 days ago | A framework for creating schemas, which also delivers a cybersecurity event schema built with the framework |
MITRE Engage | A framework for planning and discussing adversary engagement operations that empowers you to engage your adversaries and achieve your cybersecurity goals | ||
MaGMa Use Case Definition Model | A business-centric approach for planning and defining threat detection use cases | ||
Awesome Threat Detection and Hunting / Resources / Windows | |||
Threat Hunting via Windows Event Logs | |||
Windows Logging Cheat Sheets | |||
Active Directory Threat Hunting | |||
Windows Hunting | 347 | over 3 years ago | A collection of Windows hunting queries |
Windows Commands Abused by Attackers | |||
JPCERT - Detecting Lateral Movement through Tracking Event Logs | |||
Awesome Threat Detection and Hunting / Resources / Windows / JPCERT - Detecting Lateral Movement through Tracking Event Logs | |||
Tool Analysis Result Sheet | |||
Awesome Threat Detection and Hunting / Resources / Windows | |||
Splunking the Endpoint: Threat Hunting with Sysmon | |||
Awesome Threat Detection and Hunting / Resources / Windows / Splunking the Endpoint: Threat Hunting with Sysmon | |||
Hunting with Sysmon | |||
Awesome Threat Detection and Hunting / Resources / Windows | |||
Threat Hunting with Sysmon: Word Document with Macro | |||
Awesome Threat Detection and Hunting / Resources / Windows / Chronicles of a Threat Hunter: Hunting for In-Memory Mimikatz with Sysmon and ELK | |||
Part I (Event ID 7) | |||
Part II (Event ID 10) | |||
Awesome Threat Detection and Hunting / Resources / Windows | |||
botconf 2016 Slides | Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk) | ||
The Sysmon and Threat Hunting Mimikatz wiki for the blue team | |||
Splunkmon — Taking Sysmon to the Next Level | |||
Sysmon Threat Detection Guide | |||
Paper | Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science | ||
Hunting the Known Unknowns (With PowerShell) | |||
HellsBells, Let's Hunt PowerShells! | |||
Hunting for PowerShell Using Heatmaps | |||
Awesome Threat Detection and Hunting / Resources / MacOS | |||
A Guide to macOS Threat Hunting and Incident Response | |||
Awesome Threat Detection and Hunting / Resources / Osquery | |||
osquery Across the Enterprise | |||
osquery for Security — Part 1 | |||
osquery for Security — Part 2 | Advanced osquery functionality, File integrity monitoring, process auditing, and more | ||
Tracking a stolen code-signing certificate with osquery | |||
Monitoring macOS hosts with osquery | |||
Kolide's Blog | |||
The osquery Extensions Skunkworks Project | 1,482 | 21 days ago | |
Awesome Threat Detection and Hunting / Resources / DNS | |||
Detecting DNS Tunneling | |||
Hunting the Known Unknowns (with DNS) | |||
Detecting dynamic DNS domains in Splunk | |||
Random Words on Entropy and DNS | |||
Tracking Newly Registered Domains | |||
Suspicious Domains Tracking Dashboard | |||
Proactive Malicious Domain Search | |||
DNS is NOT Boring | Using DNS to Expose and Thwart Attacks | ||
Actionable Detects | Blue Team Tactics | ||
Awesome Threat Detection and Hunting / Resources / Fingerprinting | |||
JA3: SSL/TLS Client Fingerprinting for Malware Detection | |||
TLS Fingerprinting with JA3 and JA3S | |||
HASSH - a profiling method for SSH Clients and Servers | |||
Awesome Threat Detection and Hunting / Resources / Fingerprinting / HASSH - a profiling method for SSH Clients and Servers | |||
HASSH @BSides Canberra 2019 - Slides | 5 | over 5 years ago | |
Awesome Threat Detection and Hunting / Resources / Fingerprinting | |||
Finding Evil on the Network Using JA3/S and HASSH | |||
RDP Fingerprinting - Profiling RDP Clients with JA3 and RDFP | |||
Effective TLS Fingerprinting Beyond JA3 | |||
TLS Fingerprinting in the Real World | |||
HTTP Client Fingerprinting Using SSL Handshake Analysis | (source code: | ||
TLS fingerprinting - Smarter Defending & Stealthier Attacking | |||
JA3er | a DB of JA3 fingerprints | ||
An Introduction to HTTP fingerprinting | |||
TLS Fingerprints | collected from the University of Colorado Boulder campus network | ||
The use of TLS in Censorship Circumvention | |||
TLS Beyond the Browser: Combining End Host and Network Data to Understand Application Behavior | |||
HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting | |||
Markov Chain Fingerprinting to Classify Encrypted Traffic | |||
HeadPrint: Detecting Anomalous Communications through Header-based Application Fingerprinting | |||
Awesome Threat Detection and Hunting / Resources / Data Science | |||
data_hacking | 775 | over 5 years ago | Examples of using IPython, Pandas, and Scikit Learn to get the most out of your security data |
Reverse engineering the analyst: building machine learning models for the SOC | |||
msticpy | 1,772 | about 1 month ago | A library for InfoSec investigation and hunting in Jupyter Notebooks |
Awesome Threat Detection and Hunting / Resources / Research Papers | |||
Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains | |||
The Diamond Model of Intrusion Analysis | |||
EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis | |||
Paper | A Comprehensive Approach to Intrusion Detection Alert Correlation | ||
On Botnets that use DNS for Command and Control | |||
Intelligent, Automated Red Team Emulation | |||
Machine Learning for Encrypted Malware Traffic Classification | |||
Awesome Threat Detection and Hunting / Resources / Blogs | |||
David Bianco's Blog | |||
DFIR and Threat Hunting Blog | |||
CyberWardog's Blog | |||
Chris Sanders' Blog | |||
Kolide Blog | |||
Anton Chuvakin | |||
Alexandre Teixeira | |||
Awesome Threat Detection and Hunting / Resources / Related Awesome Lists | |||
Awesome Kubernetes Threat Detection | 364 | about 1 year ago | |
Awesome Incident Response | 7,682 | 4 months ago | |
Awesome Forensics | 4,000 | 11 days ago | |
Awesome Honeypots | 8,661 | 3 months ago | |
Awesome Malware Analysis | 11,989 | 6 months ago | |
Awesome YARA | 3,566 | 6 days ago | |
Awesome Security | 12,479 | 4 months ago | |
Awesome Cloud Security | 2,087 | 13 days ago | |
Awesome Threat Detection and Hunting / Podcasts | |||
Cloud Security Podcast | Google by Anton Chuvakin and Timothy Peacock | ||
Detection: Challenging Paradigms | by SpecterOps | ||
Darknet Diaries | by Andy Greenberg - True stories from the dark side of the Internet | ||
Risky Business | by Patrick Gray | ||
Awesome Threat Detection and Hunting / Newsletters | |||
Detection Engineering Weekly | by Zack 'techy' Allen | ||
This Week in 4n6 | A weekly roundup of digital forensics and incident response news | ||
Awesome Threat Detection and Hunting / Videos | |||
SANS Threat Hunting and IR Summit 2017 | |||
SANS Threat Hunting and IR Summit 2016 | |||
BotConf 2016 - Advanced Incident Detection and Threat Hunting using Sysmon and Splunk | |||
BSidesCharm 2017 - Detecting the Elusive: Active Directory Threat Hunting | |||
BSidesAugusta 2017 - Machine Learning Fueled Cyber Threat Hunting | |||
Toppling the Stack: Outlier Detection for Threat Hunters | |||
BSidesPhilly 2017 - Threat Hunting: Defining the Process While Circumventing Corporate Obstacles | |||
Black Hat 2017 - Revoke-Obfuscation: PowerShell Obfuscation Detection (And Evasion) Using Science | |||
DefCon 25 - MS Just Gave the Blue Team Tactical Nukes | |||
BSides London 2017 - Hunt or be Hunted | |||
SecurityOnion 2017 - Pivoting Effectively to Catch More Bad Guys | |||
SkyDogCon 2016 - Hunting: Defense Against The Dark Arts | |||
BSidesAugusta 2017 - Don't Google 'PowerShell Hunting' | |||
BSidesAugusta 2017 - Hunting Adversaries w Investigation Playbooks & OpenCNA | |||
Visual Hunting with Linked Data | |||
RVAs3c - Pyramid of Pain: Intel-Driven Detection/Response to Increase Adversary's Cost | |||
BSidesLV 2016 - Hunting on the Endpoint w/ Powershell | |||
Derbycon 2015 - Intrusion Hunting for the Masses A Practical Guide | |||
BSides DC 2016 - Practical Cyborgism: Getting Start with Machine Learning for Incident Detection | |||
SANS Webcast 2018 - What Event Logs? Part 1: Attacker Tricks to Remove Event Logs | |||
Profiling And Detecting All Things SSL With JA3 | |||
ACoD 2019 - HASSH SSH Client/Server Profiling | |||
QueryCon 2018 | An annual conference for the osquery open-source community | ||
Visual Hunting with Linked Data Graphs | |||
SecurityOnion Con 2018 - Introduction to Data Analysis | |||
Insider Threats Detection at Airbus – AI up Against Data Leakage and Industrial Espionage | |||
Cyber Security Investigations with Jupyter Notebooks | |||
Awesome Threat Detection and Hunting / Trainings | |||
Applied Network Defense | courses by Chris Sanders | ||
Security Blue Team | (BTL1 and BTL2 certificates) | ||
LetsDefend | Hands-On SOC Analyst Training | ||
TryHackMe | Hands-on cyber security training through real-world scenarios | ||
Investigating Windows Endpoints | 13Cubed, by Richard Davis | ||
HackTheBox | While not directly related to threat detection, the website features training modules on general security and offensive topics that can be beneficial for junior SOC analysts | ||
Awesome Threat Detection and Hunting / Labs | |||
DetectionLab | 4,647 | 5 months ago | Vagrant & Packer scripts to build a lab environment complete with security tooling and logging best practices |
Splunk Boss of the SOC | Hands-on workshops and challenges to practice threat hunting using the BOTS and other datasets | ||
HELK | 3,768 | 6 months ago | A Hunting ELK (Elasticsearch, Logstash, Kibana) with advanced analytic capabilities |
BlueTeam Lab | 143 | over 1 year ago | A detection lab created with Terraform and Ansible in Azure |
attack_range | 2,154 | 15 days ago | A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk |
Awesome Threat Detection and Hunting / Twitter | |||
"Awesome Detection" Twitter List | Twitter accounts that tweet about threat detection, hunting and DFIR | ||
Awesome Threat Detection and Hunting / Threat Simulation Tools | |||
MITRE CALDERA | 5,653 | 20 days ago | An automated adversary emulation system that performs post-compromise adversarial behavior within Windows Enterprise networks |
APTSimulator | 2,470 | over 1 year ago | A Windows Batch script that uses a set of tools and output files to make a system look as if it was compromised |
Atomic Red Team | 9,782 | 8 days ago | Small and highly portable detection tests mapped to the Mitre ATT&CK Framework |
Network Flight Simulator | 1,260 | 8 months ago | flightsim is a lightweight utility used to generate malicious network traffic and help security teams to evaluate security controls and network visibility |
Metta | 1,101 | over 5 years ago | A security preparedness tool to do adversarial simulation |
Red Team Automation (RTA) | 1,050 | over 5 years ago | RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK |
SharpShooter | 1,801 | 3 months ago | Payload Generation Framework |
CACTUSTORCH | 995 | over 6 years ago | Payload Generation for Adversary Simulations |
DumpsterFire | 996 | over 4 years ago | A modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events |
Empire | 7,461 | almost 5 years ago | A PowerShell and Python post-exploitation agent |
PowerSploit | 11,918 | over 4 years ago | A PowerShell Post-Exploitation Framework |
RedHunt-OS | 1,247 | over 4 years ago | A Virtual Machine for Adversary Emulation and Threat Hunting. RedHunt aims to be a one stop shop for all your threat emulation and threat hunting needs by integrating attacker's arsenal as well as defender's toolkit to actively identify the threats in your environment |
Infection Monkey | 6,678 | 9 days ago | An open source Breach and Attack Simulation (BAS) tool that assesses the resiliency of private and public cloud environments to post-breach attacks and lateral movement |
Splunk Attack Range | 2,154 | 15 days ago | A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk |
Awesome Threat Detection and Hunting / Threat Simulation Resources | |||
MITRE's Adversary Emulation Plans | |||
Awesome Red Teaming | 6,917 | 11 months ago | A list of awesome red teaming resources |
Red-Team Infrastructure Wiki | 4,149 | 8 months ago | Wiki to collect Red Team infrastructure hardening resources |
Payload Generation using SharpShooter | |||
SpecterOps Blog | |||
Awesome Threat Detection and Hunting / Threat Simulation Resources / SpecterOps Blog | |||
Threat Hunting | |||
Awesome Threat Detection and Hunting / Threat Simulation Resources | |||
Advanced Threat Tactics | A free course on red team operations and adversary simulations | ||
Signal the ATT&CK: Part 1 | Modelling APT32 in CALDERA | ||
Red Teaming/Adversary Simulation Toolkit | 9,098 | 3 months ago | A collection of open source and commercial tools that aid in red team operations |
C2 Matrix | |||
adversary_emulation_library | 1,723 | 11 months ago | An open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs |