
ThreatHunter-Playbook - A Threat hunter's playbook to aid the development of techniques and hypothesis for hunting campaigns


A Threat hunter's playbook to aid the development of techniques and hypotheses for hunting campaigns by leveraging Sysmon and Windows Event logs. This project will provide specific chains of events exclusively at the host level so that you can take them and develop logic to deploy queries or alerts in your preferred tool or format, such as Splunk, ELK, Sigma, Graylog, etc. This repo will follow the structure of the MITRE ATT&CK framework, which categorizes post-compromise adversary behavior in tactical groups. In addition, it will provide information about hunting tools/platforms developed by the infosec community for testing and enterprise-wide hunting. Can't wait to see other hunters' pull requests with awesome ideas to detect advanced patterns of behavior. The more chains of events you contribute, the better this playbook will be for the community.
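As an added example (not code from the ThreatHunter-Playbook), the Python below correlates Sysmon events into one such host-level chain keyed on ProcessGuid: an Office application spawns PowerShell (EventID 1), that process then makes a network connection (EventID 3) and writes an executable (EventID 11), all within a short window. The events, the chain definition and the 60-second window are constructed for illustration; field names follow Sysmon's event schema.

```python
"""Host-level chain of Sysmon events, correlated by ProcessGuid.

Added example; the events below are constructed, not real logs. Field
names follow Sysmon's event schema as a SIEM would present them.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

# Constructed Sysmon events: {A} is the suspicious chain, {B} is benign admin use.
EVENTS = [
    {"EventID": 1, "UtcTime": "2023-05-01 10:00:00.000", "ProcessGuid": "{A}",
     "Image": PS, "ParentImage": WORD,
     "CommandLine": "powershell -nop -w hidden -enc SQBFAFgA"},
    {"EventID": 3, "UtcTime": "2023-05-01 10:00:02.500", "ProcessGuid": "{A}",
     "Image": PS, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 11, "UtcTime": "2023-05-01 10:00:04.000", "ProcessGuid": "{A}",
     "Image": PS, "TargetFilename": r"C:\Users\alice\AppData\Roaming\update.exe"},
    {"EventID": 1, "UtcTime": "2023-05-01 10:05:00.000", "ProcessGuid": "{B}",
     "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell Get-Process"},
    {"EventID": 3, "UtcTime": "2023-05-01 10:05:01.000", "ProcessGuid": "{B}",
     "Image": PS, "DestinationIp": "10.0.0.5", "DestinationPort": 445},
]

# Hypothetical chain: process create -> network connect -> file create, in
# that order, all within WINDOW of the process start.
CHAIN = (1, 3, 11)
WINDOW = timedelta(seconds=60)
OFFICE = ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE")


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def is_office_child(ev):
    """Seed of the chain: an EventID 1 whose parent is an Office application."""
    parent = ev.get("ParentImage", "").upper()
    return ev["EventID"] == 1 and parent.endswith(OFFICE)


def find_chains(events, chain=CHAIN, window=WINDOW):
    """Return one hit per ProcessGuid that completes every stage of `chain` in order."""
    by_guid = defaultdict(list)
    for ev in sorted(events, key=lambda e: parse_time(e["UtcTime"])):
        by_guid[ev["ProcessGuid"]].append(ev)

    hits = []
    for guid, evs in by_guid.items():
        if not (evs[0]["EventID"] == chain[0] and is_office_child(evs[0])):
            continue
        start = parse_time(evs[0]["UtcTime"])
        stages, nxt = [evs[0]], 1
        for ev in evs[1:]:
            if nxt == len(chain):
                break
            if ev["EventID"] == chain[nxt] and parse_time(ev["UtcTime"]) - start <= window:
                stages.append(ev)
                nxt += 1
        if nxt == len(chain):
            hits.append({"ProcessGuid": guid, "Image": evs[0]["Image"],
                         "ParentImage": evs[0]["ParentImage"],
                         "stages": [e["EventID"] for e in stages]})
    return hits


if __name__ == "__main__":
    for hit in find_chains(EVENTS):
        print(hit)
```

Only the seed (Office parent) and the ordered stage list are hard-coded; to express another chain from the playbook, change CHAIN and the seed predicate and keep the ProcessGuid grouping, which is what makes the correlation reliable across a process's lifetime.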

sysmon-config - Sysmon configuration file template with default high-quality event tracing


This is a Microsoft Sysinternals Sysmon configuration file template with default high-quality event tracing. The file provided should function as a great starting point for system change monitoring in a self-contained package. This configuration and its results should give you a good idea of what's possible with Sysmon. Note that it does not track things like authentication and other Windows events that are also vital for incident investigation.

sigma - Generic Signature Format for SIEM Systems

  •    Python

Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe the detection methods they have developed and share them with others. Sigma is for log files what Snort is for network traffic and YARA is for files.
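Below is an added example, not code from the Sigma project, showing how a rule in Sigma's shape is evaluated against Sysmon process-creation events. The rule is hypothetical and is given already parsed into a dict (the structure yaml.safe_load produces from the YAML rule text); the events are constructed. It implements the common value modifiers (contains, startswith, endswith, re), treats a list of values as OR and the fields of a selection as AND, compares strings case-insensitively as Sigma does, and supports and/or/not/parentheses in the condition; the "N of them" aggregation syntax is not implemented.

```python
"""Evaluate a Sigma-style rule against Sysmon process-creation events.

Added example. RULE is a hypothetical rule in the shape Sigma's YAML takes
after parsing; EVENTS are constructed Sysmon EventID 1 records.
"""
import re

RULE = {
    "title": "Encoded PowerShell (hypothetical)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
        },
        "filter": {"ParentImage|endswith": "\\ccmexec.exe"},  # known management agent
        "condition": "selection and not filter",
    },
}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"id": "ev1", "Image": PS, "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"id": "ev2", "Image": PS, "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": "ev3", "Image": PS, "CommandLine": "powershell.exe -enc SQBFAFgA",
     "ParentImage": r"C:\Windows\CCM\CcmExec.exe"},
]


def match_value(modifier, actual, expected):
    """One Sigma value test; string compares are case-insensitive like Sigma."""
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "":
        return a == e
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "re":
        return re.search(str(expected), str(actual)) is not None
    raise ValueError(f"unsupported modifier: {modifier}")


def match_selection(selection, event):
    """Fields in a selection are AND-ed; a list of values for one field is OR-ed."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(match_value(modifier, event[field], v) for v in values):
            return False
    return True


def eval_condition(condition, detection, event):
    """Recursive-descent evaluation of and/or/not/parentheses over selection names."""
    tokens = re.findall(r"\(|\)|[\w-]+", condition)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("condition ends unexpectedly")
        pos += 1
        return tokens[pos - 1]

    def expr():  # or-expression, lowest precedence
        value = term()
        while peek() == "or":
            take()
            value = term() or value  # both sides evaluated; no short-circuit needed
        return value

    def term():
        value = factor()
        while peek() == "and":
            take()
            value = factor() and value
        return value

    def factor():
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            value = expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return value
        if tok == "condition" or tok not in detection:
            raise ValueError(f"unknown or unsupported token: {tok}")
        return match_selection(detection[tok], event)

    result = expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return result


def evaluate(rule, event):
    d = rule["detection"]
    return eval_condition(d["condition"], d, event)


def matching_ids(rule, events):
    return [ev["id"] for ev in events if evaluate(rule, ev)]


if __name__ == "__main__":
    print(RULE["title"], "->", matching_ids(RULE, EVENTS))
```

The point of the filter branch is worth checking in your own rules: ev3 carries the same encoded command line as ev1 but is excluded only because of its parent, so an exclusion that is too broad (say, any process under explorer.exe) would also hide the Office-spawned case.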

WindowsSpyBlocker - 🛡 Block spying and tracking on Windows

  •    Go

WindowsSpyBlocker 🛡 is an application written in Go and delivered as a single executable to block spying and tracking on Windows systems ⛔️. The initial approach of this application is to capture and analyze network traffic 🚦 based on a set of tools. It is open for everyone; if you want to contribute or need help, take a look at the Wiki 📖.

sysmon-dfir - Sources, configuration and how to detect evil things utilizing Microsoft Sysmon.


A curated list of resources for learning about deploying, managing and hunting with Microsoft Sysmon. Contains presentations, deployment methods, configuration file examples, blogs and additional github repositories. Recommended.

sysmon-modular - A repository of sysmon configuration modules

  •    PowerShell

This is a Microsoft Sysinternals Sysmon configuration repository, set up in a modular way for easier maintenance and generation of specific configs. Note: I do recommend using a minimal number of configurations within your environment, for multiple obvious reasons, like maintenance, output equality, manageability and so on.
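As an added example (not sysmon-modular's own merge script, which is PowerShell, and not sysmon-config's template), the Python below shows the merge step a modular layout like this needs: Sysmon rejects a configuration that repeats the same event type with the same onmatch value, so per-technique fragments cannot simply be concatenated. The three module fragments, their file names and the schema version are constructed for illustration. Note the handling of a module whose RuleGroup is groupRelation="and": once its filters land in the merged, OR-related group they must be wrapped in a <Rule groupRelation="and"> or the module silently turns into three independent matches.

```python
"""Merge Sysmon configuration modules into a single config.

Added example. MODULES are constructed fragments in Sysmon's own
EventFiltering syntax; SCHEMA_VERSION is an assumption and should match
what your deployed Sysmon build reports.
"""
import xml.etree.ElementTree as ET

SCHEMA_VERSION = "4.50"  # assumption

MODULES = {
    "1_process_creation/include_lolbins.xml": """\
<Sysmon schemaversion="4.50"><EventFiltering>
 <RuleGroup name="" groupRelation="or">
  <ProcessCreate onmatch="include">
   <Image condition="end with">\\certutil.exe</Image>
   <Image condition="end with">\\mshta.exe</Image>
  </ProcessCreate>
 </RuleGroup>
</EventFiltering></Sysmon>""",
    "1_process_creation/include_encoded_ps.xml": """\
<Sysmon schemaversion="4.50"><EventFiltering>
 <RuleGroup name="" groupRelation="and">
  <ProcessCreate onmatch="include">
   <Image condition="end with">\\powershell.exe</Image>
   <CommandLine condition="contains any">-enc;-EncodedCommand</CommandLine>
  </ProcessCreate>
 </RuleGroup>
</EventFiltering></Sysmon>""",
    "3_network_connection/exclude_agents.xml": """\
<Sysmon schemaversion="4.50"><EventFiltering>
 <RuleGroup name="" groupRelation="or">
  <NetworkConnect onmatch="exclude">
   <Image condition="is">C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe</Image>
  </NetworkConnect>
 </RuleGroup>
</EventFiltering></Sysmon>""",
}


def merge_modules(modules, schema_version=SCHEMA_VERSION):
    """Return one <Sysmon> element with a single RuleGroup per (event type, onmatch)."""
    groups = {}  # (event tag, onmatch) -> merged event element
    for name, xml in modules.items():
        root = ET.fromstring(xml)
        for rule_group in root.iter("RuleGroup"):
            relation = rule_group.get("groupRelation", "or")
            for event in rule_group:
                key = (event.tag, event.get("onmatch"))
                merged = groups.setdefault(key, ET.Element(event.tag, onmatch=event.get("onmatch")))
                children = list(event)
                if relation == "and" and len(children) > 1:
                    # The merged group is OR-related; keep the module's AND semantics
                    # by wrapping its filters in a named Rule (name shows up as RuleName).
                    rule = ET.SubElement(merged, "Rule", name=name, groupRelation="and")
                    rule.extend(children)
                else:
                    merged.extend(children)

    sysmon = ET.Element("Sysmon", schemaversion=schema_version)
    filtering = ET.SubElement(sysmon, "EventFiltering")
    for (tag, onmatch), event in sorted(groups.items(), key=lambda kv: kv[0]):
        rule_group = ET.SubElement(filtering, "RuleGroup", name="", groupRelation="or")
        rule_group.append(event)
    return sysmon


def rule_counts(tree):
    """(event tag, onmatch) -> number of top-level filters, for a quick sanity check."""
    return {(el.tag, el.get("onmatch")): len(el) for el in tree.iter() if el.get("onmatch")}


def to_xml(tree):
    if hasattr(ET, "indent"):  # Python 3.9+
        ET.indent(tree)
    return ET.tostring(tree, encoding="unicode")


if __name__ == "__main__":
    config = merge_modules(MODULES)
    print(rule_counts(config))
    print(to_xml(config))
```

Before deploying the merged file, validate it the way Sysmon itself does (run the Sysmon binary with its config-check/dump option on the output) rather than trusting the XML being well-formed; schema mismatches and unsupported condition keywords are only reported by the driver's own parser.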

app_splunk_sysmon_hunter - Splunk App to assist Sysmon Threat Hunting


Download and deploy this app to your Splunk Search Head. A macro is used for all saved searches, you will need to modify it for your environment to ensure the proper Sysmon sourcetype/index is searched.

sysmon-splunk-app - Sysmon Splunk App


This is combined Splunk App effort between @jarrettp and @m_haggis. Download and deploy this app to your Splunk Search Head.

gene - Go Evtx sigNature Engine

  •    Go

The idea behind this project is to provide an efficient and standard way to look into Windows Event Logs (a.k.a. EVTX files). For those who are familiar with YARA, it can be seen as a YARA engine, but for looking for information in Windows Events. This project is quite new and may still have small bugs, so do not hesitate to open issues for them.

WHIDS - Very flexible Host IDS designed for Windows

  •    Go

A very flexible host IDS designed for Windows. It makes use of the previously developed rule engine Gene, designed to match Windows events against custom rules. The rules are simple to write and easy to understand, so that everyone can identify why a rule has triggered. With the democratisation of Sysmon, this tool is perfect for quickly building hunting rules, or simply monitoring rules, to screen for things of interest happening on your machine(s). With WHIDS you don't have to bother with an over-complicated Sysmon configuration, which often turns into a nightmare when you want to be very specific. The simplest thing is to enable all the logging capabilities of Sysmon and let WHIDS do its job: grab a coffee and wait for the juicy stuff to happen. The tool has a low overhead for the system, according to our current benchmarks.

TA-Sysmon-deploy - Deploy and maintain Sysmon through the Splunk Deployment Server

  •    Batchfile

Deploy and maintain Sysmon through the Splunk Deployment Server. This will enable you to have all systems running the same version of Sysmon and the same up-to-date configuration. No more logging in to all servers and installing it manually or having to negotiate a GPO change.

MalwLess - Test Blue Team detections without running any attack.

  •    CSharp

MalwLess is an open source tool that allows you to simulate system compromise or attack behaviours without running processes or PoCs. The tool is designed to test Blue Team detections and SIEM correlation rules. It provides a framework based on rules that anyone can write, so when a new technique or attack comes out you can write your own rules and share them with the community. These rules can simulate Sysmon or PowerShell events. MalwLess parses the rules and writes them directly to the Windows Event Log, from where you can forward them to your event collector.

SysmonResources - Consolidation of various resources related to Microsoft Sysmon & sample data/log

  •    Python

Consolidation of various resources related to Microsoft Sysmon. The resources are organised in the various folders above. Much of it is a re-organisation of https://github.com/MHaggis/sysmon-dfir; kudos to Michael Haag. My opinions/thoughts/contributions are largely within the visualization & sample data folders (sample logs will be gradually added). GitHub Desktop & Typora apps made it a pleasure to organise these resources.