URL: https://threathunterplaybook.com/intro.html
Introduction

The Threat Hunter Playbook is a community-driven, open source project to share detection logic, adversary tradecraft and resources to make detection development more efficient. All the detection documents in this project follow the structure of MITRE ATT&CK, categorizing post-compromise adversary behavior in tactical groups, and are available in the form of interactive notebooks. The use of notebooks not only allows us to share text, queries and expected output, but also code that lets others run the detection logic against pre-recorded security datasets, locally or remotely through BinderHub cloud computing environments.

Goals

* Expedite the development of techniques and hypotheses for hunting campaigns.
* Help security researchers understand patterns of behavior observed during post-exploitation.
* Share resources to validate analytics locally or remotely through cloud computing environments for free.
* Map pre-recorded datasets to adversarial techniques.
* Accelerate infosec learning through open source resources.

Author

Roberto Rodriguez @Cyb3rWard0g

Official Committers

* Jose Luis Rodriguez @Cyb3rPandaH is adding his expertise in data science to it.

Acknowledgements

* We document and share our content via a Jupyter Book, which was created by Sam Lau and Chris Holdgraf with support of the UC Berkeley Data Science Education Program and the Berkeley Institute for Data Science.

By Roberto Rodriguez @Cyb3rWard0g. © Copyright 2022.
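The introduction describes the core loop of every notebook in the playbook: load a pre-recorded dataset, run detection logic over it, and show the expected output, with the detection mapped to an ATT&CK technique. The following is an added example written for this page, not code from the project's notebooks. It reproduces that loop in plain Python with no third-party dependencies, using a constructed JSON-lines dataset of Sysmon Event ID 10 (ProcessAccess) records in the shape of an exported Windows event log; the field names (SourceImage, TargetImage, GrantedAccess) follow Sysmon's schema, while the detection rule itself (flag any process whose access mask to lsass.exe includes PROCESS_VM_READ, 0x0010) and the ATT&CK mapping to T1003.001 are this example's own choices, not the project's published query.

```python
"""Stdlib-only sketch of the notebook workflow: dataset -> detection -> results.

Added example for this page; it is not the Threat Hunter Playbook's own code.
Assumptions: events are JSON lines with Sysmon field names, and a memory read
of lsass.exe requires the PROCESS_VM_READ (0x0010) bit in GrantedAccess.
"""
import json
from typing import Dict, Iterable, Iterator, List

# Windows process access right needed to call ReadProcessMemory on a target.
PROCESS_VM_READ = 0x0010

# Constructed sample dataset (not a real recording): one JSON object per line,
# mimicking Sysmon events exported from Microsoft-Windows-Sysmon/Operational.
SAMPLE_DATASET = "\n".join(json.dumps(e) for e in [
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
     "Image": "C:\\Users\\wardog\\Desktop\\mimikatz.exe", "ProcessId": 4312},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 10,
     "SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe",
     "GrantedAccess": "0x1000"},           # QUERY_LIMITED_INFORMATION only
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 10,
     "SourceImage": "C:\\Users\\wardog\\Desktop\\mimikatz.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe",
     "GrantedAccess": "0x1010"},           # VM_READ | QUERY_LIMITED_INFORMATION
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 10,
     "SourceImage": "C:\\Windows\\System32\\Taskmgr.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe",
     "GrantedAccess": "0x1fffff"},         # PROCESS_ALL_ACCESS, e.g. a minidump
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 10,
     "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\System32\\notepad.exe",
     "GrantedAccess": "0x1010"},           # VM_READ, but not against lsass
])


def load_events(jsonl: str) -> Iterator[Dict]:
    """Parse a JSON-lines export into event dicts, skipping blank lines."""
    for line in jsonl.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def hunt_lsass_memory_read(events: Iterable[Dict]) -> List[Dict]:
    """Return ProcessAccess events whose access mask to lsass.exe includes
    PROCESS_VM_READ. Each hit carries the technique it is mapped to."""
    hits = []
    for event in events:
        if event.get("EventID") != 10:
            continue
        target = event.get("TargetImage", "")
        if not target.lower().endswith("\\lsass.exe"):
            continue
        # GrantedAccess is logged as a hex string; int(..., 16) accepts "0x".
        mask = int(event.get("GrantedAccess", "0x0"), 16)
        if mask & PROCESS_VM_READ:
            hits.append({
                "technique": "T1003.001",   # OS Credential Dumping: LSASS Memory
                "source_image": event["SourceImage"],
                "granted_access": hex(mask),
            })
    return hits


def run_hunt() -> List[Dict]:
    """The notebook cell: load the dataset, run the query, return the output."""
    return hunt_lsass_memory_read(load_events(SAMPLE_DATASET))


if __name__ == "__main__":
    for hit in run_hunt():
        print(hit)
```

Running the hunt over the constructed data returns two hits (mimikatz.exe and Taskmgr.exe); svchost.exe is skipped because 0x1000 carries no read right, and csrss.exe because its target is not lsass.exe. A real notebook would replace SAMPLE_DATASET with a downloaded recording and the plain loop with a pandas or Spark query, but the shape of the work, and the need to baseline legitimate readers of LSASS before treating a hit as malicious, is the same.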