Top 115 threat-hunting open source projects

DetectionLabELK is a fork from DetectionLab with ELK stack instead of Splunk.

Sysmon configuration file template with default high-quality event tracing

A datasource assessment on an event level to show potential coverage or the MITRE ATT&CK framework

The Hunting ELK

Domain name permutation engine for detecting homograph phishing attacks, typo squatting, and brand impersonation

Documentation and Sharing Repository for ThreatPinch Lookup Chrome & Firefox Extension

StalkPhish - The Phishing kits stalker, harvesting phishing kits for investigations.

Recon Hunt Queries

Repository with Sample KQL Query examples for Threat Hunting

Lightweight File Integrity Monitoring Tool

Python 3 Wrapper for the BinaryEdge API https://www.binaryedge.io/

enpoint detection / live analysis & sandbox host / signatures quality test

My personal experience in Threat Hunting and knowledge gained so far.

Leverage Sophos Central API

Repositório criado com intuito de reunir informações, fontes(websites/portais) e tricks de OSINT dentro do contexto Brasil.

Threat research and reporting from IronNet's Threat Research Teams

YAFRA is a semi-automated framework for analyzing and representing reports about IT Security incidents.

Incident Response - Fast suspicious file finder

incident response scripts

Lookup file hashes, domain names and IP addresses using various vendors to assist with triaging potential threats.

Threat Hunting queries for various attacks

Repository for threat hunting and detection queries, tools, etc.

Python bindings for Yeti's API

Threat Detection & Anomaly Detection rules for popular open-source components

Searches online paste sites for certain search terms which can indicate a possible data breach.

S2AN - Mapper of Sigma/Suricata Rules/Signatures ➡️ MITRE ATT&CK Navigator

Threat hunting Web Windows AD linux ATT&CK TTPs

The Ultimate OSINT and Threat Hunting Framework

Kestrel threat hunting language: building reusable, composable, and shareable huntflows across different data sources and threat intel.

hassh-utils: Nmap NSE Script and Docker image for HASSH - the SSH client/server fingerprinting method (https://github.com/salesforce/hassh)

A simple threat hunting tool based on osquery, Salt Open and Cymon API

Random hunting ordiented yara rules

ETWNetMonv3 is simple C# code for Monitoring TCP Network Connection via ETW & ETWProcessMon/2 is for Monitoring Process/Thread/Memory/Imageloads/TCPIP via ETW + Detection for Remote-Thread-Injection & Payload Detection by VirtualMemAlloc Events (in-memory) etc.

Pushes Sysmon Configs

PowerGRR is an API client library in PowerShell working on Windows, Linux and macOS for GRR automation and scripting.

#ThreatHunting #DFIR #Malware #Detection Mind Maps

Microsoft Sentinel SOC Operations

recon-ng modules for Censys

Set of SIGMA rules (>250) mapped to MITRE Att@k tactic and techniques

Capture passwords of login attempts on non-existent and disabled accounts.

Threat Hunting with ELK Workshop (InfoSecWorld 2017)

Collection of malware persistence and hunting information. Be a persistent persistence hunter!

Malware Sample Sources

PowerShell Script to facilitate the processing of SRUM data for on-the-fly forensics and if needed threat hunting

Tracking APT IOCs

the fastest way to consume threat intelligence.

Small-scale threat emulation and detection range built on Elastic and Atomic Redteam.

Consolidation of various resources related to Microsoft Sysmon & sample data/log

Domain Connectivity Analysis Tools to analyze aggregate connectivity patterns across a set of domains during security investigations

Deploy and maintain Symon through the Splunk Deployment Sever

Owlyshield is an EDR framework designed to safeguard vulnerable applications from potential exploitation (C&C, exfiltration and impact))..

This repository contains tools used by 401trg.

A file system forensics analysis scanner and threat hunting tool. Scans file systems at the MFT and OS level and stores data in SQL, SQLite or CSV. Threats and data can be probed harnessing the power and syntax of SQL.

Connect your mail client/infrastructure to MISP in order to create events based on the information contained within mails.

evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files.