跳转到主要内容

标签(标签)

资源精选(342) Go开发(108) Go语言(103) Go(99) angular(82) LLM(75) 大语言模型(63) 人工智能(53) 前端开发(50) LangChain(43) golang(43) 机器学习(39) Go工程师(38) Go程序员(38) Go开发者(36) React(33) Go基础(29) Python(24) Vue(22) Web开发(20) Web技术(19) 精选资源(19) 深度学习(19) Java(18) ChatGTP(17) Cookie(16) android(16) 前端框架(13) JavaScript(13) Next.js(12) 安卓(11) 聊天机器人(10) typescript(10) 资料精选(10) NLP(10) 第三方Cookie(9) Redwoodjs(9) LLMOps(9) Go语言中级开发(9) 自然语言处理(9) PostgreSQL(9) 区块链(9) mlops(9) 安全(9) 全栈开发(8) ChatGPT(8) OpenAI(8) Linux(8) AI(8) GraphQL(8) iOS(8) 软件架构(7) Go语言高级开发(7) AWS(7) C++(7) 数据科学(7) whisper(6) Prisma(6) 隐私保护(6) RAG(6) JSON(6) DevOps(6) 数据可视化(6) wasm(6) 计算机视觉(6) 算法(6) Rust(6) 微服务(6) 隐私沙盒(5) FedCM(5) 语音识别(5) Angular开发(5) 快速应用开发(5) 提示工程(5) Agent(5) LLaMA(5) 低代码开发(5) Go测试(5) gorm(5) REST API(5) 推荐系统(5) WebAssembly(5) GameDev(5) CMS(5) CSS(5) machine-learning(5) 机器人(5) 游戏开发(5) Blockchain(5) Web安全(5) Kotlin(5) 低代码平台(5) 机器学习资源(5) Go资源(5) Nodejs(5) PHP(5) Swift(5) 智能体(4) devin(4) Blitz(4) javascript框架(4) Redwood(4) GDPR(4) 生成式人工智能(4) Angular16(4) Alpaca(4) 编程语言(4) SAML(4) JWT(4) JSON处理(4) Go并发(4) kafka(4) 移动开发(4) 移动应用(4) security(4) 隐私(4) spring-boot(4) 物联网(4) nextjs(4) 网络安全(4) API(4) Ruby(4) 信息安全(4) flutter(4) 专家智能体(3) Chrome(3) CHIPS(3) 3PC(3) SSE(3) 人工智能软件工程师(3) LLM Agent(3) Remix(3) Ubuntu(3) GPT4All(3) 软件开发(3) 问答系统(3) 开发工具(3) 最佳实践(3) RxJS(3) SSR(3) Node.js(3) Dolly(3) 移动应用开发(3) 低代码(3) IAM(3) Web框架(3) CORS(3) 基准测试(3) Go语言数据库开发(3) Oauth2(3) 并发(3) 主题(3) Theme(3) earth(3) nginx(3) 软件工程(3) azure(3) keycloak(3) 生产力工具(3) gpt3(3) 工作流(3) C(3) jupyter(3) 认证(3) prometheus(3) GAN(3) Spring(3) 逆向工程(3) 应用安全(3) Docker(3) Django(3) R(3) .NET(3) 大数据(3) Hacking(3) 渗透测试(3) C++资源(3) Mac(3) 微信小程序(3) Python资源(3) JHipster(3) 大型语言模型(2) 语言模型(2) 可穿戴设备(2) JDK(2) SQL(2) Apache(2) Hashicorp Vault(2) Spring Cloud Vault(2) Go语言Web开发(2) Go测试工程师(2) WebSocket(2) 容器化(2) AES(2) 加密(2) 输入验证(2) ORM(2) Fiber(2) Postgres(2) Gorilla Mux(2) Go数据库开发(2) 模块(2) 泛型(2) 指针(2) HTTP(2) PostgreSQL开发(2) Vault(2) K8s(2) Spring boot(2) R语言(2) 深度学习资源(2) 半监督学习(2) semi-supervised-learning(2) architecture(2) 普罗米修斯(2) 嵌入模型(2) productivity(2) 编码(2) Qt(2) 前端(2) Rust语言(2) NeRF(2) 神经辐射场(2) 元宇宙(2) CPP(2) 数据分析(2) spark(2) 流处理(2) Ionic(2) 人体姿势估计(2) human-pose-estimation(2) 视频处理(2) deep-learning(2) kotlin语言(2) kotlin开发(2) burp(2) Chatbot(2) npm(2) quantum(2) OCR(2) 游戏(2) game(2) 内容管理系统(2) MySQL(2) python-books(2) pentest(2) opengl(2) IDE(2) 漏洞赏金(2) Web(2) 知识图谱(2) PyTorch(2) 数据库(2) reverse-engineering(2) 数据工程(2) swift开发(2) rest(2) robotics(2) ios-animation(2) 知识蒸馏(2) 安卓开发(2) nestjs(2) solidity(2) 爬虫(2) 面试(2) 容器(2) C++精选(2) 人工智能资源(2) Machine Learning(2) 备忘单(2) 编程书籍(2) angular资源(2) 速查表(2) cheatsheets(2) SecOps(2) mlops资源(2) R资源(2) DDD(2) 架构设计模式(2) 量化(2) Hacking资源(2) 强化学习(2) flask(2) 设计(2) 性能(2) Sysadmin(2) 系统管理员(2) Java资源(2) 机器学习精选(2) android资源(2) android-UI(2) Mac资源(2) iOS资源(2) Vue资源(2) flutter资源(2) JavaScript精选(2) JavaScript资源(2) Rust开发(2) deeplearning(2) RAD(2)

A curated list of awesome threat detection and hunting resources

Contents

Threat Detection and Hunting

Tools

  • MITRE ATT&CK Navigator(source code) - The ATT&CK Navigator is designed to provide basic navigation and annotation of ATT&CK matrices, something that people are already doing today in tools like Excel.
  • HELK - A Hunting ELK (Elasticsearch, Logstash, Kibana) with advanced analytic capabilities.
  • osquery-configuration - A repository for using osquery for incident detection and response.
  • DetectionLab - Vagrant & Packer scripts to build a lab environment complete with security tooling and logging best practices.
  • Sysmon-DFIR - Sources, configuration and how to detect evil things utilizing Microsoft Sysmon.
  • sysmon-config - Sysmon configuration file template with default high-quality event tracing.
  • sysmon-modular - A repository of sysmon configuration modules. It also includes a mapping of Sysmon configurations to MITRE ATT&CK techniques.
  • Revoke-Obfuscation - PowerShell Obfuscation Detection Framework.
  • Invoke-ATTACKAPI - A PowerShell script to interact with the MITRE ATT&CK Framework via its own API.
  • Unfetter - A reference implementation provides a framework for collecting events (process creation, network connections, Window Event Logs, etc.) from a client machine and performing CAR analytics to detect potential adversary activity.
  • Flare - An analytical framework for network traffic and behavioral analytics.
  • RedHunt-OS - A Virtual Machine for Adversary Emulation and Threat Hunting. RedHunt aims to be a one stop shop for all your threat emulation and threat hunting needs by integrating attacker's arsenal as well as defender's toolkit to actively identify the threats in your environment.
  • Oriana - Lateral movement and threat hunting tool for Windows environments built on Django comes Docker ready.
  • Bro-Osquery - Bro integration with osquery
  • Brosquery - A module for osquery to load Bro logs into tables
  • DeepBlueCLI - A PowerShell Module for Hunt Teaming via Windows Event Logs
  • Uncoder - An online translator for SIEM saved searches, filters, queries, API requests, correlation and Sigma rules
  • Sigma - Generic Signature Format for SIEM Systems
  • CimSweep - A suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows
  • Dispatch - An open-source crisis management orchestration framework
  • EQL - Event Query Language
    • EQLLib - The Event Query Language Analytics Library (eqllib) is a library of event based analytics, written in EQL to detect adversary behaviors identified in MITRE ATT&CK™.
  • BZAR (Bro/Zeek ATT&CK-based Analytics and Reporting) - A set of Zeek scripts to detect ATT&CK techniques
  • Security Onion - An open-source Linux distribution for threat hunting, security monitoring, and log management. It includes ELK, Snort, Suricata, Zeek, Wazuh, Sguil, and many other security tools
  • Varna - A quick & cheap AWS CloudTrail Monitoring with Event Query Language (EQL)
  • BinaryAlert - Serverless, real-time & retroactive malware detection
  • hollows_hunter - Scans all running processes, recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
  • ThreatHunting - A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
  • Sentinel Attack - A repository of Azure Sentinel alerts and hunting queries leveraging sysmon and the MITRE ATT&CK framework
  • Brim - A desktop application to efficiently search large packet captures and Zeek logs
  • YARA - The pattern matching swiss knife
  • Intel Owl - An Open Source Intelligence, or OSINT solution to get threat intelligence data about a specific file, an IP or a domain from a single API at scale.
  • Capa - An open-source tool to identify capabilities in executable files.
  • Splunk Security Content Splunk-curated detection content that can easily be used accross many SIEMs (see Uncoder Rule Converter.)
  • Threat Bus - Threat intelligence dissemination layer to connect security tools through a distributed publish/subscribe message broker.
  • VAST - A network telemetry engine for data-driven security investigations.
  • zeek2es - An open source tool to convert Zeek logs to Elastic/OpenSearch. You can also output pure JSON from Zeek's TSV logs!

Alerting Engine

  • ElastAlert - A framework for alerting on anomalies, spikes, or other patterns of interest from data in Elasticsearch
  • StreamAlert - A serverless, realtime data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using datasources and alerting logic you define

Endpoint Monitoring

  • osquery (github) - SQL powered operating system instrumentation, monitoring, and analytics
  • Kolide Fleet - A flexible control server for osquery fleets
  • Zeek Agent - An endpoint monitoring agent that provides host activity to Zeek
  • Velociraptor - Endpoint visibility and collection tool
  • Sysdig - A tool for deep Linux system visibility, with native support for containers. Think about sysdig as strace + tcpdump + htop + iftop + lsof + ...awesome sauce
  • go-audit - An alternative to the Linux auditd daemon
  • Sysmon - A Windows system service and device driver that monitors and logs system activity to the Windows event log
  • OSSEC - An open-source Host-based Intrusion Detection System (HIDS)
  • WAZUH - An open-source security platform

Network Monitoring

  • Zeek (formerly Bro) - A network security monitoring tool
  • ntopng - A web-based network traffic monitoring tool
  • Suricata - A network threat detection engine
  • Snort (github) - A network intrusion detection tool
  • Joy - A package for capturing and analyzing network flow data and intraflow data, for network research, forensics, and security monitoring
  • Netcap - A framework for secure and scalable network traffic analysis
  • Moloch - A large scale and open source full packet capture and search tool
  • Stenographer - A full-packet-capture tool
Fingerprinting Tools
  • JA3 - A method for profiling SSL/TLS Clients and Servers
  • HASSH - Profiling Method for SSH Clients and Servers
  • RDFP - Zeek Remote desktop fingerprinting script based on FATT (Fingerprint All The Things)
  • FATT - A pyshark based script for extracting network metadata and fingerprints from pcap files and live network traffic
  • FingerprinTLS - A TLS fingerprinting method
  • Mercury - Network fingerprinting and packet metadata capture
  • GQUIC Protocol Analyzer for Zeek
  • Recog - A framework for identifying products, services, operating systems, and hardware by matching fingerprints against data returned from various network probes
  • Hfinger - Fingerprinting HTTP requests
  • JARM - An active Transport Layer Security (TLS) server fingerprinting tool.

Dataset

Resources

Frameworks

  • MITRE ATT&CK - A curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target.
  • MITRE CAR - The Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the Adversary Tactics, Techniques, and Common Knowledge (ATT&CK™) adversary model.
  • Alerting and Detection Strategies Framework - A framework for developing alerting and detection strategies.
  • A Simple Hunting Maturity Model - The Hunting Maturity Model describes five levels of organizational hunting capability, ranging from HMM0 (the least capability) to HMM4 (the most).
  • The Pyramic of Pain - The relationship between the types of indicators you might use to detect an adversary's activities and how much pain it will cause them when you are able to deny those indicators to them.
  • A Framework for Cyber Threat Hunting
  • The PARIS Model - A model for threat hunting.
  • Cyber Kill Chain - It is part of the Intelligence Driven Defense® model for identification and prevention of cyber intrusions activity. The model identifies what the adversaries must complete in order to achieve their objective.
  • The DML Model - The Detection Maturity Level (DML) model is a capability maturity model for referencing ones maturity in detecting cyber attacks.
  • NIST Cybersecurity Framework
  • OSSEM (Open Source Security Events Metadata) - A community-led project that focuses on the documentation and standardization of security event logs from diverse data sources and operating systems
  • MITRE Shield - A knowledge base of active defense techniques and tactics (Active Defense Matrix)
  • MaGMa Use Case Defintion Model - A business-centric approach for planning and defining threat detection use cases.

DNS

Command and Control

DoH

Osquery

Windows

Sysmon
PowerShell

Fingerprinting

Research Papers

Blogs

Videos

Trainings

Twitter

Threat Simulation

A curated list of awesome adversary simulation resources

Tools

  • MITRE CALDERA - An automated adversary emulation system that performs post-compromise adversarial behavior within Windows Enterprise networks.
  • APTSimulator - A Windows Batch script that uses a set of tools and output files to make a system look as if it was compromised.
  • Atomic Red Team - Small and highly portable detection tests mapped to the Mitre ATT&CK Framework.
  • Network Flight Simulator - flightsim is a lightweight utility used to generate malicious network traffic and help security teams to evaluate security controls and network visibility.
  • Metta - A security preparedness tool to do adversarial simulation.
  • Red Team Automation (RTA) - RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK.
  • SharpShooter - Payload Generation Framework.
  • CACTUSTORCH - Payload Generation for Adversary Simulations.
  • DumpsterFire - A modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events.
  • Empire(website) - A PowerShell and Python post-exploitation agent.
  • PowerSploit - A PowerShell Post-Exploitation Framework.
  • RedHunt-OS - A Virtual Machine for Adversary Emulation and Threat Hunting. RedHunt aims to be a one stop shop for all your threat emulation and threat hunting needs by integrating attacker's arsenal as well as defender's toolkit to actively identify the threats in your environment.
  • Infection Monkey - An open source Breach and Attack Simulation (BAS) tool that assesses the resiliency of private and public cloud environments to post-breach attacks and lateral movement.
  • Splunk Attack Range - A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk.

Resources

原文:https://github.com/0x4D31/awesome-threat-detection