THREAT HUNTER PLAYBOOK

INTRODUCTION



The Threat Hunter Playbook is a community-driven, open source project to share
detection logic, adversary tradecraft and resources to make detection
development more efficient. All the detection documents in this project follow
the structure of MITRE ATT&CK, categorizing post-compromise adversary behavior
into tactical groups, and are available in the form of interactive notebooks.
The use of notebooks not only allows us to share text, queries and expected
output, but also code that helps others run detection logic against
pre-recorded security datasets, locally or remotely through BinderHub cloud
computing environments.


GOALS

 * Expedite the development of techniques and hypotheses for hunting campaigns.

 * Help security researchers understand patterns of behavior observed during
   post-exploitation.

 * Share resources to validate analytics locally or remotely through cloud
   computing environments for free.

 * Map pre-recorded datasets to adversarial techniques.

 * Accelerate infosec learning through open source resources.


AUTHOR

Roberto Rodriguez @Cyb3rWard0g


OFFICIAL COMMITTERS

 * Jose Luis Rodriguez @Cyb3rPandaH is adding his expertise in data science to
   it.


ACKNOWLEDGEMENTS

 * We document and share our content via a Jupyter Book, which was created by
   Sam Lau and Chris Holdgraf with support from the UC Berkeley Data Science
   Education Program and the Berkeley Institute for Data Science.


By Roberto Rodriguez @Cyb3rWard0g
© Copyright 2022.