HomeSecurity & Ops › Awesome Threat Detection

Awesome Threat Detection

by 0x4D31 · 0x4D31/awesome-threat-detection

A curated list of awesome threat detection and hunting resources.

★ 4.5k stars295 projects ⑂ 0 forks0 open issues
295 projects
Alexandre Teixeiraateixei.medium.com
Anton Chuvakinmedium.com
Chris Sanders' Blogchrissanders.org

(old)

David Bianco's Blogdetect-respond.blogspot.com
DFIR and Threat Hunting Blogfindingbad.blogspot.com
Kolide Blogblog.kolide.com

A repository for using osquery for incident detection and response.

sysmon-configgithub.com

Sysmon configuration file template with default high-quality event tracing.

sysmon-DFIRgithub.com

Sources, configuration and how to detect evil things utilizing Microsoft Sysmon.

sysmon-modulargithub.com

A repository of sysmon configuration modules. It also includes a mapping of Sysmon configurations to MITRE ATT&CK techniques.

Blue Team Tactics

Using DNS to Expose and Thwart Attacks

datahackinggithub.com

Examples of using IPython, Pandas, and Scikit Learn to get the most out of your security data.

msticpygithub.com

A library for InfoSec investigation and hunting in Jupyter Notebooks.

attackdatagithub.com

A repository of curated datasets from various attacks.

Canadian Institute for Cybersecurity datasets

EMBERgithub.com

(paper) - The EMBER dataset is a collection of features from PE files that serve as a benchmark dataset for researchers

A repo of Windows event samples (EVTX) associated with ATT&CK techniques (EVTX-ATT&CK Sheet).

Mordorgithub.com

Pre-recorded security events generated by simulated adversarial techniques in the form of JavaScript Object Notation (JSON) files. The data is categorized by platforms, adversary groups, tactics and techniques defined by the Mitre ATT&CK Framework.

A list of public packet capture repositories, which are freely available on the Internet.

PCAP-ATTACKgithub.com

A repo of PCAP samples for different ATT&CK techniques.

Public Security Log Sharing Sitelog-sharing.dreamhosters.com
SecRepo.comsecrepo.com

(github repo) - Samples of security related data.

theZoogithub.com

A repository of LIVE malwares

Collection of YARA-L 2.0 sample rules for the Chronicle Detection API.

Community Security Analytics provides a set of community-driven audit & threat queries for Google Cloud.

MITRE CARcar.mitre.org

The Cyber Analytics Repository is a knowledge base of analytics developed by MITRE based on the Adversary Tactics, Techniques, and Common Knowledge (ATT&CK™) adversary model.

Sigmagithub.com

Generic Signature Format for SIEM Systems

Splunk Detectionsresearch.splunk.com

and Analytic stories

Email attack detection, response, and hunting rules.

A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient.

ElastAlertgithub.com

A framework for alerting on anomalies, spikes, or other patterns of interest from data in Elasticsearch

Matanogithub.com

An open source security lake platform (SIEM alternative) for threat hunting, detection and response on AWS. Matano lets you write advanced detections as code (using python) to correlate and alert on threats in realtime.

Shufflegithub.com

A general purpose security automation platform.

StreamAlertgithub.com

A serverless, realtime data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using datasources and alerting logic you define

Sublimegithub.com

An open platform for detection, response, and threat hunting in email environments. Sublime lets you write advanced detections as code to alert and remediate threats like phishing in real-time.

Substationgithub.com

A cloud native data pipeline and transformation toolkit for security teams.

An email threat detection engine

go-auditgithub.com

An alternative to the Linux auditd daemon

Kolide Fleetgithub.com

A flexible control server for osquery fleets

osqueryosquery.io

(github) - SQL powered operating system instrumentation, monitoring, and analytics

OSSECgithub.com

An open-source Host-based Intrusion Detection System (HIDS)

Sysdiggithub.com

A tool for deep Linux system visibility, with native support for containers. Think about sysdig as strace + tcpdump + htop + iftop + lsof + ...awesome sauce

Sysmondocs.microsoft.com

A Windows system service and device driver that monitors and logs system activity to the Windows event log

Velociraptorgithub.com

Endpoint visibility and collection tool

WAZUHgithub.com

An open-source security platform

Zeek Agentgithub.com

An endpoint monitoring agent that provides host activity to Zeek

JA3erja3er.com

a DB of JA3 fingerprints

TLS Fingerprinting with JA3 and JA3Sengineering.salesforce.com
TLS Fingerprintstlsfingerprint.io

collected from the University of Colorado Boulder campus network

FATTgithub.com

A pyshark based script for extracting network metadata and fingerprints from pcap files and live network traffic

FingerprinTLSgithub.com

A TLS fingerprinting method

HASSHgithub.com

Profiling Method for SSH Clients and Servers

Hfingergithub.com

Fingerprinting HTTP requests

JA3github.com

A method for profiling SSL/TLS Clients and Servers

JARMgithub.com

An active Transport Layer Security (TLS) server fingerprinting tool.

Mercurygithub.com

Network fingerprinting and packet metadata capture

RDFPgithub.com

Zeek Remote desktop fingerprinting script based on FATT (Fingerprint All The Things)

Recoggithub.com

A framework for identifying products, services, operating systems, and hardware by matching fingerprints against data returned from various network probes

A Simple Hunting Maturity Modeldetect-respond.blogspot.com.au

The Hunting Maturity Model describes five levels of organizational hunting capability, ranging from HMM0 (the least capability) to HMM4 (the most).

A framework for developing alerting and detection strategies.

Cyber Kill Chainlockheedmartin.com

It is part of the Intelligence Driven Defense® model for identification and prevention of cyber intrusions activity. The model identifies what the adversaries must complete in order to achieve their objective.

A business-centric approach for planning and defining threat detection use cases.

MITRE ATT&CKattack.mitre.org

A curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target.

MITRE Engageengage.mitre.org

A framework for planning and discussing adversary engagement operations that empowers you to engage your adversaries and achieve your cybersecurity goals.

A framework for creating schemas and it also delivers a cybersecurity event schema built with the framework (schema browser).

OSSEMgithub.com

(Open Source Security Events Metadata) - A community-led project that focuses on the documentation and standardization of security event logs from diverse data sources and operating systems.

The DML Modelryanstillions.blogspot.com.au

The Detection Maturity Level (DML) model is a capability maturity model for referencing ones maturity in detecting cyber attacks.

The PARIS Modelthreathunter.guru

A model for threat hunting.

The Pyramic of Paindetect-respond.blogspot.com.au

The relationship between the types of indicators you might use to detect an adversary's activities and how much pain it will cause them when you are able to deny those indicators to them.

attackrangegithub.com

A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk.

BlueTeam Labgithub.com

A detection lab created with Terraform and Ansible in Azure.

Splunk Boss of the SOCbots.splunk.com

Hands-on workshops and challenges to practice threat hunting using the BOTS and other datasets.

Arkimegithub.com

) - A large scale and open source full packet capture and search tool

Joygithub.com

A package for capturing and analyzing network flow data and intraflow data, for network research, forensics, and security monitoring

Netcapgithub.com

A framework for secure and scalable network traffic analysis

ntopnggithub.com

A web-based network traffic monitoring tool

Snortsnort.org

(github) - A network intrusion detection tool

Stenographergithub.com

A full-packet-capture tool

Suricatasuricata-ids.org

A network threat detection engine

Zeekgithub.com

(formerly Bro) - A network security monitoring tool

Detection Engineering Weeklydetectionengineering.net

by Zack 'techy' Allen

This Week in 4n6thisweekin4n6.com

A weekly roundup of digital forensics and incident response news.

Kolide's Blogblog.kolide.com

Advanced osquery functionality, File integrity monitoring, process auditing, and more.

Cloud Security Podcastcloud.withgoogle.com

by Anton Chuvakin and Timothy Peacock.

Darknet Diariesdarknetdiaries.com

by Andy Greenberg - True stories from the dark side of the Internet.

by SpecterOps

by Patrick Gray

Paperblackhat.com

, Slides)

Papercs.ucsb.edu

, Dissertation)

Awesome YARAgithub.com

A curated list of awesome YARA rules, tools, and resources

Bro-Osquerysvs.informatik.uni-hamburg.de

Large-Scale Host and Network Monitoring Using Open-Source Software

Capability Abstractionposts.specterops.io

(PDF)

A collection of resources for threat hunters.

Deception based detection techniques mapped to the MITRE’s ATT&CK framework.

A two-part blog series that outlines a new methodology to extend ATT&CK’s current data sources.

Detecting Malware Beacons Using Splunkpleasefeedthegeek.wordpress.com
Detection Spectrumposts.specterops.io

(PDF)

A blog that describes how to align MITRE ATT&CK-based detection content with data sources.

DFIRsans.org

, Cyber Defense) - Threat hunting, Blue Team and DFIR summit slides

Lists of sources and utilities to hunt, detect and prevent evildoers.

(PDF)

tweets by Chris Sanders

A well experienced detection engineer describes in detail his observations, challenges, and recommendations for building an effective threat detection program.

Collection of various information focused on malware persistence: detection (techniques), response, pitfalls and the log collection (tools).

Oh My Malwareohmymalware.com

A video series focused on malware execution and investigations using Elastic Security.

On TTPsryanstillions.blogspot.com.au
Part 1,splunk.com

Part 2, and Part 3 - A multipart series describing how detection as code can be successfully deployed in a Splunk environment.

Building a real-time threat detection capability with Tanium that focuses on documented adversarial techniques.

Slidessans.org

)

Syscall Auditing at Scaleslack.engineering

A great collection of hunts and threat hunting resources.

A Threat hunter's playbook to aid the development of techniques and hypothesis for hunting campaigns.

, FIRST 2017 Slides)

Part I (Event ID 7)cyberwardog.blogspot.com.au
Part II (Event ID 10)cyberwardog.blogspot.com.au
Advanced Threat Tacticsblog.cobaltstrike.com

A free course on red team operations and adversary simulations.

An open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs.

A list of awesome red teaming resources

C2 Matrixthec2matrix.com

(Google Sheets)

A collection of open source and commercial tools that aid in red team operations.

Wiki to collect Red Team infrastructure hardening resources.

SpecterOps Blogposts.specterops.io
Threat Huntingposts.specterops.io
APTSimulatorgithub.com

A Windows Batch script that uses a set of tools and output files to make a system look as if it was compromised.

Atomic Red Teamgithub.com

Small and highly portable detection tests mapped to the Mitre ATT&CK Framework.

CACTUSTORCHgithub.com

Payload Generation for Adversary Simulations.

DumpsterFiregithub.com

A modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events.

Empiregithub.com

(website) - A PowerShell and Python post-exploitation agent.

An open source Breach and Attack Simulation (BAS) tool that assesses the resiliency of private and public cloud environments to post-breach attacks and lateral movement.

Mettagithub.com

A security preparedness tool to do adversarial simulation.

MITRE CALDERAgithub.com

An automated adversary emulation system that performs post-compromise adversarial behavior within Windows Enterprise networks.

flightsim is a lightweight utility used to generate malicious network traffic and help security teams to evaluate security controls and network visibility.

PowerSploitgithub.com

A PowerShell Post-Exploitation Framework.

RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK.

SharpShootergithub.com

Payload Generation Framework.

A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk.

BinaryAlertgithub.com

Serverless, real-time & retroactive malware detection

Brimgithub.com

A desktop application to efficiently search large packet captures and Zeek logs

Bro-Osquerygithub.com

Bro integration with osquery

Brosquerygithub.com

A module for osquery to load Bro logs into tables

BZARgithub.com

(Bro/Zeek ATT&CK-based Analytics and Reporting) - A set of Zeek scripts to detect ATT&CK techniques

Capagithub.com

An open-source tool to identify capabilities in executable files.

certgrepcertgrep.sh

A fast Certificate Transparency Log regex domain lookup tool.

CimSweepgithub.com

A suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows

DeepBlueCLIgithub.com

A PowerShell Module for Hunt Teaming via Windows Event Logs

DetectionLabgithub.com

Vagrant & Packer scripts to build a lab environment complete with security tooling and logging best practices.

Dispatchgithub.com

An open-source crisis management orchestration framework

EQLgithub.com

Event Query Language

EQLLibgithub.com

The Event Query Language Analytics Library (eqllib) is a library of event based analytics, written in EQL to detect adversary behaviors identified in MITRE ATT&CK™.

Flaregithub.com

An analytical framework for network traffic and behavioral analytics.

Have I Been Squattedhaveibeensquatted.com

A fast domain typosquatting detection tool.

HELKgithub.com

A Hunting ELK (Elasticsearch, Logstash, Kibana) with advanced analytic capabilities.

hollowshuntergithub.com

Scans all running processes, recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).

Intel Owlgithub.com

An Open Source Intelligence, or OSINT solution to get threat intelligence data about a specific file, an IP or a domain from a single API at scale.

A PowerShell script to interact with the MITRE ATT&CK Framework via its own API.

LogSlashgithub.com

A standard for reducing log volume without sacrificing analytical capability.

MITRE ATT&CK Navigatormitre.github.io

(source code) - The ATT&CK Navigator is designed to provide basic navigation and annotation of ATT&CK matrices, something that people are already doing today in tools like Excel.

NRD-dbgithub.com

Automatically fetches and stores newly registered domains in a Redis database.

Orianagithub.com

Lateral movement and threat hunting tool for Windows environments built on Django comes Docker ready.

RedHunt-OSgithub.com

A Virtual Machine for Adversary Emulation and Threat Hunting. RedHunt aims to be a one stop shop for all your threat emulation and threat hunting needs by integrating attacker's arsenal as well as defender's toolkit to actively identify the threats in your environment.

PowerShell Obfuscation Detection Framework.

Security Oniongithub.com

An open-source Linux distribution for threat hunting, security monitoring, and log management. It includes ELK, Snort, Suricata, Zeek, Wazuh, Sguil, and many other security tools

Sentinel Attackgithub.com

A repository of Azure Sentinel alerts and hunting queries leveraging sysmon and the MITRE ATT&CK framework

SOC-Multitoolgithub.com

A powerful and user-friendly browser extension that streamlines investigations for security professionals.

Splunk-curated detection content that can easily be used accross many SIEMs (see Uncoder Rule Converter.)

A framework for the generation of log events without the need for infrastructure or actions to initiate the event that causes a log event.

Threat Busgithub.com

Threat intelligence dissemination layer to connect security tools through a distributed publish/subscribe message broker.

ThreatHuntinggithub.com

A Splunk app mapped to MITRE ATT&CK to guide your threat hunts

Uncoderuncoder.io

An online translator for SIEM saved searches, filters, queries, API requests, correlation and Sigma rules

Unfettergithub.com

A reference implementation provides a framework for collecting events (process creation, network connections, Window Event Logs, etc.) from a client machine and performing CAR analytics to detect potential adversary activity.

Varnagithub.com

A quick & cheap AWS CloudTrail Monitoring with Event Query Language (EQL)

VASTgithub.com

A network telemetry engine for data-driven security investigations.

YARAgithub.com

The pattern matching swiss knife

Processing and analysis of Zeek network data with Pandas, scikit-learn, Kafka and Spark.

zeek2esgithub.com

An open source tool to convert Zeek logs to Elastic/OpenSearch. You can also output pure JSON from Zeek's TSV logs!

Applied Network Defensenetworkdefense.co

courses by Chris Sanders

HackTheBoxacademy.hackthebox.com

While not directly related to threat detection, the website features training modules on general security and offensive topics that can be beneficial for junior SOC analysts.

by Richard Davis

LetsDefendletsdefend.io

Hands-On SOC Analyst Training

Security Blue Teamsecurityblue.team

(BTL1 and BTL2 certificates)

TryHackMetryhackme.com

Hands-on cyber security training through real-world scenarios.

Twitter accounts that tweet about threat detection, hunting and DFIR.

QueryCon 2018youtube.com

An annual conference for the osquery open-source community (querycon.io)

Tool Analysis Result Sheetjpcertcc.github.io
Windows Huntinggithub.com

A collection of Windows hunting queries

Windows Logging Cheat Sheetsmalwarearchaeology.com
↵ to searchesc to close
awesomelist.dev