Home

Awesome

hunt-detect-prevent

Lists of sources and utilities to hunt, detect and prevent evildoers.

Hunt, Detect & Prevent -- Resources

AD Security

https://jimshaver.net/2016/02/14/defending-against-mimikatz/

https://adsecurity.org/?p=559

Microsoft EMET

https://support.microsoft.com/en-us/kb/2458544

Microsoft ATA

https://blogs.technet.microsoft.com/enterprisemobility/2016/12/12/will-advanced-threat-analytics-help-me-with-non-windows-oss/

Microsoft File Screening

http://olivermarshall.net/using-file-screening-to-help-block-cryptolocker/

http://blog.netwrix.com/2016/04/11/ransomware-protection-using-fsrm-and-powershell/

Threat Hunting

https://github.com/ThreatHuntingProject/ThreatHunting

Powershell

Log hunting with powershell

http://909research.com/windows-log-hunting-with-powershell/

https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/increased-use-of-powershell-in-attacks-16-en.pdf

https://isc.sans.edu/diary/21829

POSH to read event logs

https://files.sans.org/summit/DFIR_Summit_Prague_2016/PDFs/PowerShell-obFUsk8tion-Techniques-David-Bohannon.pdf

https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html

Windows event forwarding

https://blogs.technet.microsoft.com/russellt/2017/05/09/project-sauron-introduction/

https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/

http://909research.com/sysmon-the-best-free-windows-monitoring-tool-you-arent-using/

https://blogs.technet.microsoft.com/wincat/2008/08/11/quick-and-dirty-large-scale-eventing-for-windows/

EDR

CarbonBlack

limacharlie

OSQuery

Logging

Logging debrief--

https://www.malwarearchaeology.com/logging/

ELK

Graylog

Splunk

alienvault

SCCM

https://www.fireeye.com/blog/threat-research/2016/12/do_you_see_what_icc.html

https://github.com/PowerShellMafia/PowerSCCM

Recommended reading:

https://github.com/subTee

https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/

http://seclist.us/powermemory-v1-4-exploit-the-credentials-present-in-files-and-memory.html