A collection of organised hunts, based on YAML files, used to create markdown pages for analyst use.
Link to the Threat Hunt Library
Link to Medium Article
An important part of sustainable Threat Hunting is clear and concise documentation, in case someone needs to repeat your work or take over from where you left off.
A hunt should be driven by a tangible question or catalyst:
- Intelligence-driven
- Situational awareness
- Domain expertise
From these categories you can generate a hypothesis that starts your hunt.
Based on the term coined by MITRE, an analytic describes observed behaviour for a tactic, technique or procedure (TTP). Each analytic has a logic field which can be used to build your own searches or queries with your organisation's tools.
Note: A TTP can have multiple analytics.
During your hunts, you may want to generate events or traffic based on the TTPs you are investigating, in order to:
- Assess whether the data sets you are hunting with provide the visibility you require
- Assess existing controls and detections, providing a feedback loop during hunting
Each hunt will automatically map to the relevant Atomic Red Team test for the given techniques/subtechniques.
The output of each hunt can vary immensely. It may include one or more of the examples below:
- New detection rule in the SIEM, based on analytics created during hunts
- Update to Group Policy to harden an identified gap
- Identified gaps in visibility that affected the hunt during
- Incident Response - a legitimate incident was identified
- Lessons learnt - revisiting the initial hypothesis
Heavily based on scripts and resources from:
- MITRE Cyber Analytics Repository by MITRE
- ThreatHunter-Playbook by Cyb3rWard0g
- Atomic Red Team by Red Canary
Each of these projects is awesome in its own right!
The YAML files are located in /hunts/*. The script generate-md.py will create markdown pages in /docs/hunts/ for each YAML file.
To add your own hunts:
- Create a new .yaml file in /hunts/*
- Run generate-md.py to generate the documentation
Note: Running generate-md.py will re-create all documentation, including updating any MITRE ATT&CK techniques/subtechniques or new Atomic Red Team tests. It will also re-create /docs/index.md containing a list of all hunts.
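To show the hunt-file-to-markdown flow described above, here is a small renderer added as an example; it is not the project's own generate-md.py, and the hunt schema it reads (name, catalyst, hypothesis, technique, analytics with name and logic) is an assumption, not the library's actual YAML layout. It requires PyYAML.

```python
"""Illustrative hunt renderer (not the project's generate-md.py).
The YAML schema below is assumed for the example, not the library's own."""
import yaml  # PyYAML

# Constructed sample hunt; the field names are an assumption for this example.
SAMPLE_HUNT = """
name: Suspicious scheduled task creation
catalyst: Intelligence-driven
hypothesis: An adversary is persisting via scheduled tasks on workstations.
technique: T1053.005
analytics:
  - name: Scheduled task created from the command line
    logic: process_name == "schtasks.exe" AND command_line CONTAINS "/create"
  - name: Scheduled task registered by an office application
    logic: parent_process_name IN ("winword.exe", "excel.exe") AND process_name == "schtasks.exe"
"""

REQUIRED = ("name", "catalyst", "hypothesis", "technique", "analytics")


def load_hunt(text):
    """Parse one hunt document and check the fields the renderer needs."""
    hunt = yaml.safe_load(text)  # safe_load: never yaml.load on files you did not write
    missing = [k for k in REQUIRED if k not in hunt]
    if missing:
        raise ValueError(f"hunt is missing fields: {missing}")
    if not hunt["analytics"]:
        raise ValueError("a hunt needs at least one analytic")
    return hunt


def slug(name):
    """File name for a hunt page, derived from its name."""
    return name.lower().replace(" ", "-") + ".md"


def render_hunt(hunt):
    """Render one hunt as a markdown page; each analytic's logic is shown verbatim."""
    lines = [f"# {hunt['name']}", "",
             f"**Catalyst:** {hunt['catalyst']}", "",
             f"**Hypothesis:** {hunt['hypothesis']}", "",
             f"**Technique:** {hunt['technique']}", "", "## Analytics", ""]
    for i, analytic in enumerate(hunt["analytics"], 1):
        lines += [f"### {i}. {analytic['name']}", "", "```", analytic["logic"], "```", ""]
    return "\n".join(lines)


def render_index(hunts):
    """Build an index page linking every hunt, as a /docs/index.md would."""
    return "# Hunts\n\n" + "\n".join(f"- [{h['name']}]({slug(h['name'])})" for h in hunts)


if __name__ == "__main__":
    print(render_hunt(load_hunt(SAMPLE_HUNT)))
```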