Displaying 1 to 11 from 11 results

ThreatHunter-Playbook - A Threat hunter's playbook to aid the development of techniques and hypothesis for hunting campaigns

  •    

A Threat hunter's playbook to aid the development of techniques and hypothesis for hunting campaigns by leveraging Sysmon and Windows Events logs. This project will provide specific chains of events exclusively at the host level so that you can take them and develop logic to deploy queries or alerts in your preferred tool or format such as Splunk, ELK, Sigma, GrayLog etc. This repo will follow the structure of the MITRE ATT&CK framework which categorizes post-compromise adversary behavior in tactical groups. In addition, it will provide information about hunting tools/platforms developed by the infosec community for testing and enterprise-wide hunting.Can't wait to see other hunters' pull requests with awesome ideas to detect advanced patterns of behavior. The more chains of events you contribute the better this playbook will be for the community.

security-onion - Linux distro for intrusion detection, enterprise security monitoring, and log management

  •    

For more information about Security Onion, please see our main website, blog, and wiki. This repo contains the ISO image, Wiki, and Roadmap for Security Onion.

atomic-red-team - Small and highly portable detection tests.

  •    PowerShell

Small and highly portable detection tests mapped to the Mitre ATT&CK Framework.Our Atomic Red Team tests are small, highly portable detection tests mapped to the MITRE ATT&CK Framework. Each test is designed to map back to a particular tactic. We hope that this gives defenders a highly actionable way to immediately start testing their defenses against a broad spectrum of attacks.

Security Onion - Linux distro for intrusion detection, network security and log management

  •    Scripts

Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It’s based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools. Security Onion seamlessly weaves together three core functions: full packet capture, network-based and host-based intrusion detection systems, powerful analysis tools.




DetectionLab - Vagrant & Packer scripts to build a lab environment complete with security tooling and logging best practices

  •    HTML

This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.NOTE: This lab has not been hardened in any way and runs with default vagrant credentials. Please do not connect or bridge it to any networks you care about. This lab is deliberately designed to be insecure; the primary purpose of it is to provide visibility and introspection into each host.

awesome-threat-detection - A curated list of awesome threat detection and hunting resources

  •    

Contributions welcome! Read the contribution guidelines first. To the extent possible under law, Adel "0x4D31" Karimi has waived all copyright and related or neighboring rights to this work.

HELK - The Incredible HELK

  •    Shell

A Hunting ELK (Elasticsearch, Logstash, Kibana) with advanced analytic capabilities.At the end of the HELK installation, you will have a similar output with the information you need to access the primary HELK components. Remember that the default username and password for the HELK are helk:hunting.

NOAH - PowerShell No Agent Hunting

  •    PowerShell

NOAH is an agentless open source Incident Response framework based on PowerShell, called "No Agent Hunting" (NOAH), to help security investigation responders to gather a vast number of key artifacts without installing any agent on the endpoints saving precious time.


PSHunt - Powershell Threat Hunting Module

  •    PowerShell

PSHunt is a Powershell Threat Hunting Module designed to scan remote endpoints* for indicators of compromise or survey them for more comprehensive information related to state of those systems (active processes, autostarts, configurations, and/or logs).PSHunt began as the precurser to Infocyte's commercial product, Infocyte HUNT, and is now being open sourced for the benefit of the DFIR community.

WindowsDefenderATP-Hunting-Queries - Sample queries for Advanced hunting in Windows Defender ATP

  •    

This repo contains sample queries for Advanced hunting on Windows Defender Advanced Threat Protection. With these sample queries, you can start to experience Advanced hunting, including the types of data that it covers and the query language it supports. You can also explore a variety of attack techniques and how they may be surfaced through Advanced hunting. To get started, simply paste a sample query into the query builder and run the query. If you get syntax errors, try removing empty lines introduced when pasting. If a query returns no results, try expanding the time range.