Convert Figma logo to code with AI

OTRF logoThreatHunter-Playbook

A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient.

4,001
807
4,001
8

Top Related Projects

1,731

Cyber Threat Intelligence Repository expressed in STIX 2.0

Small and highly portable detection tests based on MITRE's ATT&CK.

1,236

Open Source Security Events Metadata (OSSEM)

8,252

Main Sigma Rule Repository

Quick Overview

The OTRF/ThreatHunter-Playbook is a comprehensive resource for cybersecurity professionals, focusing on threat hunting techniques and methodologies. It provides a collection of hunting queries, data analysis procedures, and detection strategies to help security teams proactively identify and mitigate potential threats in their environments.

Pros

  • Extensive collection of threat hunting techniques and queries
  • Well-organized and categorized content for easy navigation
  • Regular updates and contributions from the cybersecurity community
  • Includes both general and platform-specific hunting strategies

Cons

  • May require advanced knowledge of security concepts and tools
  • Some queries might need adaptation for specific environments
  • Limited coverage of certain niche or emerging threat vectors
  • Requires ongoing maintenance to keep up with evolving threats

Getting Started

To get started with the ThreatHunter-Playbook:

  1. Visit the GitHub repository: https://github.com/OTRF/ThreatHunter-Playbook
  2. Browse the docs folder for detailed documentation and guides
  3. Explore the notebooks directory for Jupyter notebooks with practical examples
  4. Review the resources section for additional tools and references
  5. Join the community discussions in the Issues and Pull Requests sections to contribute or ask questions

Note: This project is not a code library, but rather a collection of resources and documentation for threat hunting. Therefore, code examples and a quick start guide are not applicable in this context.

Competitor Comparisons

1,731

Cyber Threat Intelligence Repository expressed in STIX 2.0

Pros of cti

  • Comprehensive MITRE ATT&CK framework data in STIX format
  • Regular updates with the latest threat intelligence
  • Widely adopted and integrated into many security tools

Cons of cti

  • Focuses primarily on data, lacking specific detection and response guidance
  • May require additional processing to extract actionable insights
  • Less emphasis on practical implementation for threat hunting

Code Comparison

ThreatHunter-Playbook (YAML):

name: Suspicious PowerShell Download Cradle
description: Detects suspicious PowerShell download cradles
detection:
  selection:
    EventID: 4104
    ScriptBlockText|contains:
      - 'Net.WebClient'
      - 'DownloadString'

cti (STIX JSON):

{
  "type": "attack-pattern",
  "id": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736",
  "name": "PowerShell",
  "description": "Adversaries may use PowerShell to execute various commands...",
  "kill_chain_phases": [
    {
      "kill_chain_name": "mitre-attack",
      "phase_name": "execution"
    }
  ]
}

While ThreatHunter-Playbook provides specific detection rules, cti offers structured threat intelligence data that can be used to develop comprehensive detection strategies.

Small and highly portable detection tests based on MITRE's ATT&CK.

Pros of Atomic Red Team

  • Extensive library of pre-built tests for various attack techniques
  • Easy-to-use format with tests organized by MITRE ATT&CK tactics
  • Active community and frequent updates

Cons of Atomic Red Team

  • Focuses primarily on attack simulation, less on detection and response
  • May require additional tools or setup for some tests

Code Comparison

ThreatHunter-Playbook (Jupyter Notebook example):

from openhunt.mordorutils import *
spark = get_spark()

df = spark.read.parquet(path)
df.printSchema()
df.show(10,False)

Atomic Red Team (YAML test definition):

attack_technique: T1003.001
display_name: 'OS Credential Dumping: LSASS Memory'
atomic_tests:
  - name: Dump LSASS.exe Memory using ProcDump
    auto_generated_guid: 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8

ThreatHunter-Playbook provides more comprehensive analytics and detection strategies, while Atomic Red Team excels in providing a wide range of attack simulations. ThreatHunter-Playbook uses Jupyter Notebooks for analysis, whereas Atomic Red Team uses YAML for test definitions. Both repositories complement each other, with ThreatHunter-Playbook focusing on threat hunting and Atomic Red Team on attack simulation.

1,236

Open Source Security Events Metadata (OSSEM)

Pros of OSSEM

  • Provides a comprehensive data model for security events
  • Focuses on standardizing data structures and relationships
  • Offers broader applicability across various security tools and platforms

Cons of OSSEM

  • More complex and requires deeper understanding of data modeling
  • Less immediate practical application for threat hunting
  • May require more effort to implement in existing security workflows

Code Comparison

OSSEM (Data Dictionary):

- Standard_Name: UserName
  Standard_Type: String
  Description: The name of the user account
  Sample_Value: john.doe

ThreatHunter-Playbook (Analytic):

title: Suspicious PowerShell Download
description: Detects PowerShell downloading files from the internet
author: John Doe
detection:
  selection:
    EventID: 4104
    ScriptBlockText: '*Invoke-WebRequest*'

The OSSEM example shows a data dictionary entry, focusing on standardizing data fields. The ThreatHunter-Playbook example demonstrates a practical detection rule, ready for implementation in threat hunting scenarios.

8,252

Main Sigma Rule Repository

Pros of Sigma

  • Generic, vendor-agnostic rule format for easier sharing and portability
  • Extensive collection of pre-written detection rules
  • Supports conversion to various SIEM and data analysis tools

Cons of Sigma

  • Primarily focused on detection rules, less comprehensive for full threat hunting workflows
  • May require additional tools or scripts for implementation in some environments

Code Comparison

Sigma rule example:

title: Suspicious PowerShell Download
detection:
  selection:
    EventID: 4104
    ScriptBlockText|contains:
      - 'Net.WebClient'
      - '.DownloadFile'
  condition: selection

ThreatHunter-Playbook notebook example:

# Query for PowerShell download events
results = spark.sql("""
SELECT ScriptBlockText
FROM powershell_events
WHERE ScriptBlockText LIKE '%Net.WebClient%'
  AND ScriptBlockText LIKE '%.DownloadFile%'
""")

Both repositories provide valuable resources for threat detection and hunting. Sigma offers a standardized approach to writing and sharing detection rules, while ThreatHunter-Playbook provides more comprehensive playbooks and workflows for threat hunting scenarios. The choice between them depends on specific use cases and integration requirements.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

The Threat Hunter Playbook

Binder License: MIT Twitter Open_Threat_Research Community Open Source Love

The Threat Hunter Playbook is a community-driven, open source project to share detection logic, adversary tradecraft and resources to make detection development more efficient. All the detection documents in this project follow the structure of MITRE ATT&CK categorizing post-compromise adversary behavior in tactical groups and are available in the form of interactive notebooks. The use of notebooks not only allow us to share text, queries and expected output, but also code to help others run detection logic against pre-recorded security datasets locally or remotely through BinderHub cloud computing environments.

Docs: https://threathunterplaybook.com/

Goals

  • Expedite the development of techniques an hypothesis for hunting campaigns.
  • Help security researchers understand patterns of behavior observed during post-exploitation.
  • Share resources to validate analytics locally or remotely through cloud computing environments for free.
  • Map pre-recorded datasets to adversarial techniques.
  • Accelerate infosec learning through open source resources.

Author

Roberto Rodriguez @Cyb3rWard0g

Official Committers

  • Jose Luis Rodriguez @Cyb3rPandaH is adding his expertise in data science to it.

Acknowledgements