Awesome Threat Detection and Hunting: Training, Documents, guides, tutorials and Instructions

Documents , Trainings , Instructions

2020

• DeepBlueCLI: Powershell Threat Hunting
• Sysmon Threat Analysis Guide
• Ghost in the shell: Investigating web shell attack
• Detecting Lateral Movement with WinSCP

  2019

• Signal the ATT&CK: Part 2 : Using orchestration and automation to enhance EDR capabilities, and to reduce ‘alert fatigue’
• Rise of Legitimate Services for Backdoor Command and Control
• Everything You Need To Know To Get Started Logging PowerShell
• Command-and-control Malware Traffic Playbook
• Hunting for PowerShell Abuse
• Getting Started With MITRE Attack

2018

• A Practical Model for Conducting Cyber Threat Hunting
• TaHiTI Threat Hunting Methodology
• Hunting Threats in Your Enterprise
• Central-Indiana-ISSA-Threat-Hunting
• Launching Threat Hunting From Almost Nothing
• Signal the ATT&CK: Part 1 : Building a real-time threat detection capability with Tanium that focuses on documented adversarial techniques
• Endpoint Detection of Remote Service Creation and PsExec
• The PARIS Model
• Threat Hunting Maturity Model
• NIST Cybersecurity Framework
• How to Hunt Command & Control Channels Using Bro IDS and RITA
• Actionable Detects
• Threat Hunting via Windows Event Logs
• Threat Hunting via Sysmon
• This Is the Fastest Way to Hunt Windows Endpoints
• Hunting and detecting APTs using Sysmon and PowerShell logging
• Hunting For PowerShell Abuses-Part 1
• Hunting For PowerShell Abuses-Part 2
• Threat Hunting with Bro IDS
• Definitive Guide to SOC-as-a-Service

2017

• Huntpedia
• Threat Hunting For Dummie
• Automating APT Scanning with Loki Scanner and Splunk
• Cyber Threat hunting with Sqrr
• Detecting Lateral Movement through Tracking Event Logs
• Seek Evil, and Ye Shall Find: A Guide to Cyber Threat Hunting Operations
• A Guide toCyber Threat Hunting
• Detecting the ElusiveActive,Active Directory Threat Hunting
• Threat Hunting For Fileless Malware
• Data Science Hunting Funnel
• Tracking Newly Registered Domains
• Suspicious Domains Tracking Dashboard
• Proactive Malicious Domain Search
• Using DNS to Expose and Thwart Attacks
• Detect Beaconing with Flare, Elastic Stack, and Intrusion Detection Systems
• Detecting Lateral Movement through Tracking Event Logs (Version 2)
• Hunting for In-Memory Mimikatz with Sysmon and ELK - Part I
• Hunting for In-Memory Mimikatz with Sysmon and ELK - Part II
• Advanced Incident Detection and Threat Hunting using Sysmon(and Splunk)- 2016
• Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk)- 2017
• PowerShell Obfuscation Detection Using Science ( Paper,Slide )
• HellsBells, Let’s Hunt PowerShells!
• Detecting the Elusive: Active Directory Threat Hunting
• Leveraging DNS to Surface Attacker Activity
• How to Hunt for Lateral Movement on Your Network
• Splunking the Endpoint: Threat Hunting with Sysmon
• Hunting for PowerShell Using Heatmaps
• Hunting with Sysmon

2016

• The Hunter’s Handbook
• scalable methods conducting cyber threat hunt operations:
• Threat Hunting: Open Season on the Adversary
• The Who, What, Where, When, Why and How of Effective Threat Hunting
• Hunting for Malware Critical Process Impersonation
• Threat Hunting Techniques - AV, Proxy, DNS and HTTP Logs
• A Guide to Cyber Threat Hunting Operations
• Defending Against Mimikatz
• Generating Hypotheses for Successful Threat Hunting
• Catching attackers with go-audit and a logging pipeline
• Windows Commands Abused by Attackers
• The Need for Investigation Playbooks at the SOC
• Hunting the Known Unknowns (With PowerShell)
• A Threat Hunter Himself
• Hunt Evil

2015 and older

• A Simple Hunting Maturity Model
• Detecting Data Staging & Exfil Using the Producer-Consumer Ratio
• The Pyramid of Pain
• On TTPs
• Detecting malware beacons using Splunk
• Identifying Malware Traffic with Bro and the Collective Intelligence Framework (CIF)
• Finding Algorithmically chosen DNS names (DGA)
• The DML model
• Detecting DNS Tunneling
• Detecting dynamic DNS domains in Splunk
• Random Words on Entropy and DNS
• The Diamond Model of Intrusion Analysis
• Advanced Threats and Lateral Movement Detection
• Cyber Hunting: 5 Tips To Bag Your Prey
• Command & Control:Understanding, Denying and Detecting

OsQuery

• osquery Across the Enterprise
• osquery For Security-Part1,Part2
• Tracking a stolen code-signing certificate with osquery
• Monitoring macOS hosts with osquery

JA3 and HASSH

• JA3: SSL/TLS Client Fingerprinting for Malware Detection
• A profiling method for SSH Clients and Servers,Slide
• TLS Fingerprinting with JA3 and JA3S