MHaggis/hunt-detect-prevent MHaggis/hunt-detect-prevent

  • Stars
    star
    150
  • Rank 247,323 (Top 5 %)
  • Language
    PowerShell
  • License
    GNU General Publi...
  • Created almost 8 years ago
  • Updated over 1 year ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
MHaggis/hunt-detect-prevent
github

MHaggis

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Lists of sources and utilities utilized to hunt, detect and prevent evildoers.

hunt-detect-prevent

Lists of sources and utilities to hunt, detect and prevent evildoers.

Hunt, Detect & Prevent -- Resources

AD Security

https://jimshaver.net/2016/02/14/defending-against-mimikatz/

https://adsecurity.org/?p=559

Microsoft EMET

https://support.microsoft.com/en-us/kb/2458544

Microsoft ATA

https://blogs.technet.microsoft.com/enterprisemobility/2016/12/12/will-advanced-threat-analytics-help-me-with-non-windows-oss/

Microsoft File Screening

http://olivermarshall.net/using-file-screening-to-help-block-cryptolocker/

http://blog.netwrix.com/2016/04/11/ransomware-protection-using-fsrm-and-powershell/

Threat Hunting

https://github.com/ThreatHuntingProject/ThreatHunting

Powershell

Log hunting with powershell

http://909research.com/windows-log-hunting-with-powershell/

https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/increased-use-of-powershell-in-attacks-16-en.pdf

https://isc.sans.edu/diary/21829

  • powershell blocked via windows firewall (same for cscript/wscript)

POSH to read event logs

https://files.sans.org/summit/DFIR_Summit_Prague_2016/PDFs/PowerShell-obFUsk8tion-Techniques-David-Bohannon.pdf

https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html

Windows event forwarding

https://blogs.technet.microsoft.com/russellt/2017/05/09/project-sauron-introduction/

https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/

http://909research.com/sysmon-the-best-free-windows-monitoring-tool-you-arent-using/

https://blogs.technet.microsoft.com/wincat/2008/08/11/quick-and-dirty-large-scale-eventing-for-windows/

EDR

CarbonBlack

limacharlie

OSQuery

Logging

Logging debrief--

https://www.malwarearchaeology.com/logging/

ELK

Graylog

Splunk

alienvault

SCCM

https://www.fireeye.com/blog/threat-research/2016/12/do_you_see_what_icc.html

https://github.com/PowerShellMafia/PowerSCCM

Recommended reading:

https://github.com/subTee

https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/

http://seclist.us/powermemory-v1-4-exploit-the-credentials-present-in-files-and-memory.html

More Repositories

1

sysmon-dfir

Sources, configuration and how to detect evil things utilizing Microsoft Sysmon.
831
star
2

CBR-Queries

Collection of useful, up to date, Carbon Black Response Queries
80
star
3

notes

Full of public notes and Utilities
PowerShell
51
star
4

ShellSweep

ShellSweeping the evil.
PowerShell
49
star
5

sysmon-splunk-app

Sysmon Splunk App
44
star
6

app_splunk_sysmon_hunter

Splunk App to assist Sysmon Threat Hunting
37
star
7

bookish-happiness

OG Atomic Red Team
19
star
8

Splunk_CBER_App

Splunk Carbon Black Enterprise Response App
Python
6
star
9

CBResponse-Splunk-Hunting

Analyzing Carbon Black Response endpoint telemetry in Splunk
4
star
10

WinTrace

Run Windows Trace cmdline
Shell
2
star
11

LLM

LLM tools and toys
Python
1
star