
FalconForceTeam / Falconfriday

Licence: bsd-3-clause
Bi-weekly hunting queries


Projects that are alternatives of or similar to Falconfriday

Wadcoms.github.io
WADComs is an interactive cheat sheet, containing a curated list of Unix/Windows offensive tools and their respective commands.
Stars: ✭ 431 (+244.8%)
Mutual labels:  blueteam
Snoop
Snoop is a reconnaissance tool based on open data (OSINT world)
Stars: ✭ 886 (+608.8%)
Mutual labels:  blueteam
Information Security Tasks
This repository is created for infosec professionals who work day to day and want to keep their skill set up to date. Each of us can contribute one hour a day to daily tasks and work on problem statements. Please contribute by providing problem statements and solutions.
Stars: ✭ 108 (-13.6%)
Mutual labels:  blueteam
Gtfobins.github.io
GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems
Stars: ✭ 6,030 (+4724%)
Mutual labels:  blueteam
Awesome Security Hardening
A collection of awesome security hardening guides, tools and other resources
Stars: ✭ 630 (+404%)
Mutual labels:  blueteam
Ultimateapplockerbypasslist
The goal of this repository is to document the most common techniques to bypass AppLocker.
Stars: ✭ 1,186 (+848.8%)
Mutual labels:  blueteam
Infosec reference
An Information Security Reference That Doesn't Suck; https://rmusser.net/git/admin-2/Infosec_Reference for non-MS Git hosted version.
Stars: ✭ 4,162 (+3229.6%)
Mutual labels:  blueteam
Macos Attack Dataset
JSON DataSet for macOS mapped to MITRE ATT&CK Tactics.
Stars: ✭ 116 (-7.2%)
Mutual labels:  blueteam
1earn
A personally maintained security knowledge framework covering, but not limited to, web security, ICS security, forensics, incident response, blue team infrastructure deployment, post-exploitation, Linux security, and write-ups for various practice targets
Stars: ✭ 776 (+520.8%)
Mutual labels:  blueteam
Malwarepersistencescripts
A collection of scripts I've written to help red and blue teams with malware persistence techniques.
Stars: ✭ 103 (-17.6%)
Mutual labels:  blueteam
Repo Supervisor
Scan your code for security misconfiguration, search for passwords and secrets. 🔍
Stars: ✭ 482 (+285.6%)
Mutual labels:  blueteam
Theharvester
E-mails, subdomains and names Harvester - OSINT
Stars: ✭ 6,175 (+4840%)
Mutual labels:  blueteam
Threathunt
ThreatHunt is a PowerShell repository that allows you to train your threat hunting skills.
Stars: ✭ 92 (-26.4%)
Mutual labels:  blueteam
Plumhound
Bloodhound for Blue and Purple Teams
Stars: ✭ 452 (+261.6%)
Mutual labels:  blueteam
Deploy Deception
A PowerShell module to deploy active directory decoy objects.
Stars: ✭ 109 (-12.8%)
Mutual labels:  blueteam
Blueshell
A cross-platform remote control tool for red vs. blue team exercises
Stars: ✭ 379 (+203.2%)
Mutual labels:  blueteam
Hacker ezines
A collection of electronic hacker magazines carefully curated over the years from multiple sources
Stars: ✭ 72 (-42.4%)
Mutual labels:  blueteam
Defaultcreds Cheat Sheet
One place for all the default credentials to assist the Blue/Red teamers activities on finding devices with default password 🛡️
Stars: ✭ 1,949 (+1459.2%)
Mutual labels:  blueteam
Lolbas
Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)
Stars: ✭ 1,506 (+1104.8%)
Mutual labels:  blueteam
Rita
Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.
Stars: ✭ 1,352 (+981.6%)
Mutual labels:  blueteam

FalconFriday

TL;DR: We believe there isn't enough content available to detect advanced adversary techniques. That's why every two weeks on "Falcon Friday", we will release (DATP) hunting queries to detect offensive techniques.

To give you an idea, we're going to release hunts for attacks such as:

  • DLL Injection
  • Process Injection
  • COM Hijacking
  • .NET-to-JScript
  • Aborted MFA requests
  • Abuse of LOLBins
  • Misbehaving Office Applications
  • Process Hollowing
  • Unmanaged binaries running managed code
  • Anomalies in LDAP traffic
  • Command execution using WMI
  • SMB NULL session attempts
  • etc.

Stay tuned and let us know if there is any specific attack technique you want to detect.

Background

Our current plan is to release 1 or 2 DATP hunting queries every other week. The queries will be released on GitHub, accompanied by a short blog post on Medium detailing the background, how the query works, the accuracy we expect, any possible variations or improvements, any catches, and anything else we deem relevant. Initially, we'll be working from the excellent library at @spotheplanet's https://www.ired.team/ and releasing the queries specifically for DATP. Since @olafhartong is involved, we might release Sysmon hunts as well... we'll see how it goes.

We will publish the KQL queries on GitHub. Each query will be aimed at detecting one specific technique as precisely as possible and will be linked to MITRE ATT&CK. We anticipate that some queries will have more than one variant, each detecting the same attack in a different way with different trade-offs. Similarly, we will document the trade-offs of the various options within a single query, so you have the flexibility to tune it towards more false positives or more false negatives.

Having said that, don't expect to copy-paste the queries into your environment and be done with it. We will provide a foundation query that can detect a certain technique. However, you will still need to fine-tune or extend the query to your organization's specifics to make it work in your environment, and integrate it into your monitoring solution.

The queries will be free to use in any way you like, although we appreciate a reference back to @falconforceteam Twitter / FalconForce GitHub.
