ThreatHuntersForge
@huntersforge
Data Science, Threat Hunting & Open Source Projects. Founders: @Cyb3rward0g @Cyb3rPandaH
ID: 1177375313589940224
27-09-2019 00:12:09
21 Tweets
1,1K Followers
2 Following
Feel free to join the ThreatHuntersForge public slack and let's continue building and empowering our community TOGETHER!! #ThreatHunting Roberto Rodriguez launchpass.com/threathunting
Happy to release Part II: Shipping ETW events to THE-HELK from the Threat Hunting with ETW events and HELK series! Also, releasing the Mordor Erebor environment to collect ETW events for new datasets! #ThreatHunting ThreatHuntersForge @Mordor_Project medium.com/threat-hunters…
Every time I think of something new I need I discover ThreatHuntersForge has it! #ATTACKcon
Jose Rodriguez & I had so much fun at ATT&CK #ATTACKcon sharing our research w/ Project Jupyter notebooks, Binder Team, ThreatHunter-Playbook & @Mordor_Project #ThreatHunting Talk: youtube.com/watch?v=L3KxKA… Slides: speakerdeck.com/cyb3rward0g/re… BinderHub Demo: youtu.be/mQZFHbnDH4A
I always wondered how I could share #ThreatHunting detections via Project Jupyter notebooks in a more practical and interactive way so that anyone can reproduce the research! Thx to Binder Team, ThreatHunter-Playbook & @Mordor_Project it is now possible medium.com/threat-hunters…
Interested in learning about what you can do with STIX/TAXII 2.0 APIs and some Python code? I created a new function for the attackcti Python library to automate the creation of ATT&CK Navigator group layer files and shared the process medium.com/threat-hunters…
I decided to write a book! An online Interactive Book! A book on the top of ThreatHunter-Playbook, Project Jupyter #notebooks and w/ Binder Team BinderHub links all put together w/ the amazing Jupyter Book project! #ThreatHunting Merry Christmas medium.com/threat-hunters…
Looking for anything to do while you wait for 2020? I just created a Jupyter Book for the @Mordor_Project! You can now explore mordor datasets w/ Project Jupyter #notebooks via BinderHub. Pre #ThreatHunting activities for 2020! New Site: mordordatasets.com
Registration for the first community Infosec Jupyterthon is open! Also, check the current talks & speakers that would love to share their knowledge with you. Current Agenda: infosecjupyterthon.com/agenda.html Registration Form: bit.ly/InfosecJupyter… See you on Friday 5/8
Trying to revamp a project & document interesting SACLs (Audit Rules). First attempt: 1) git clone github.com/GhostPack/Seat… 2) egrep -rhio '(SOFTWARE\\|SYSTEM\\).*\"' Seatbelt/Seatbelt/Commands/* 3) gist.github.com/Cyb3rWard0g/02… 4) github.com/OTRF/Set-Audit… (work in progress)
Thank you for sharing Adam Chester. I took some time to read a little bit about it. I'm sure there are + resources out there, but I put together these initial notes from a detection perspective. Maybe a SACL & sigma rules for the reg approach? gist.github.com/Cyb3rWard0g/a4…
WE HAVE PCAPs a) Suricata IDS/IPS + ET Rules! b) git clone github.com/hunters-forge/… && cd mordor/datasets/large c) find apt29/day*/pcaps -name '*.zip' -execdir unzip -P infected {} \; d) find apt29/day*/pcaps -name '*cap' -execdir suricata -r {} -k none \; TY Jason Trost
I started to document Win RPC interfaces & their respective methods & ended up using sigpwn for the 1st time, integrating code from Adam Chester & @Sektor7Net research and using Project Jupyter notebooks & #GraphFrames to analyze the results medium.com/threat-hunters…
HOW to contribute a @Mordor_Project dataset in 2 mins w/ the help of Red Canary, a Zscaler company ART & then contribute to sigma after exploring the data! Open Threat Research Clear, Exec & Collect: youtu.be/6iteEfbuwU8 Data: mordordatasets.com/notebooks/smal… Rule: github.com/OTRF/sigma/blo…