Skip to content

okbobm/ThreatPlays

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
README.md
README.md
 
 
analyze_producer_consumer_ratio.md
analyze_producer_consumer_ratio.md
 
 
antivirus_logs.md
antivirus_logs.md
 
 
beacon_detection_via_intra_request_time_deltas.md
beacon_detection_via_intra_request_time_deltas.md
 
 
checking-how-outsiders-see-you.md
checking-how-outsiders-see-you.md
 
 
comparing_host_images_memory_dumps_to_known_good_baselines.md
comparing_host_images_memory_dumps_to_known_good_baselines.md
 
 
critical_process_impersonation.md
critical_process_impersonation.md
 
 
dynamic_dns_c2.md
dynamic_dns_c2.md
 
 
emet_log_mining.md
emet_log_mining.md
 
 
golden_ticket.md
golden_ticket.md
 
 
http_uri_analysis.md
http_uri_analysis.md
 
 
http_user_agent_analysis.md
http_user_agent_analysis.md
 
 
internet_facing_http_request_analysis.md
internet_facing_http_request_analysis.md
 
 
lateral_movement_detection_via_process_monitoring.md
lateral_movement_detection_via_process_monitoring.md
 
 
lateral_movement_via_explicity_credentials.md
lateral_movement_via_explicity_credentials.md
 
 
lateral_movement_windows_authentication_logs.md
lateral_movement_windows_authentication_logs.md
 
 
net_session_c2.md
net_session_c2.md
 
 
ntfs_extended_attribute_analysis.md
ntfs_extended_attribute_analysis.md
 
 
privileged-group-tracking.md
privileged-group-tracking.md
 
 
psexec-windows-events.md
psexec-windows-events.md
 
 
ram_dumping.md
ram_dumping.md
 
 
rdp_external_access.md
rdp_external_access.md
 
 
renamed-tools.md
renamed-tools.md
 
 
rogue_listeners.md
rogue_listeners.md
 
 
shimcache_amcache.md
shimcache_amcache.md
 
 
suspicious_command_shells.md
suspicious_command_shells.md
 
 
suspicious_process_creation_via_windows_event_logs.md
suspicious_process_creation_via_windows_event_logs.md
 
 
webshell_behavior.md
webshell_behavior.md
 
 
webshells.md
webshells.md
 
 
whaling-detection-via-unusual-sender-domains.md
whaling-detection-via-unusual-sender-domains.md
 
 
windows_autoruns_analysis.md
windows_autoruns_analysis.md
 
 
windows_driver_analysis.md
windows_driver_analysis.md
 
 
windows_prefetch_cache_analysis.md
windows_prefetch_cache_analysis.md
 
 
windows_service_analysis.md
windows_service_analysis.md
 
 

Repository files navigation

Hunting – Playbooks

Threat Hunting is rarely repeatable with predictable outcomes. This is my attempt to enable threat hunters to take a step in that direction.

Getting Started

The playbooks are organized into the following fashion:

Purpose:

What is the reson for this playbook

Data Required:

Which messages / event sources are needed

Collection Considerations:

Notable observations and cares when collecting information

Analysis Techniques:

A simple walkthrough the procedure

Description

Thorough discussion on the playbook's contents.

Other Notes

Miscellanous information in parallel

More Info

Where may one find additional information?

Which tools do the playbooks leverage?

WMIC, Powershell, OSQuery, Kubernetes, Docker, AWS, Aliyun, Azure, GCP, Carbon Black, Anomali, VirusTotal, Fidelis

About

Sharing Threat Hunting runbooks

securesql.info

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published