List: Threat Hunting | Curated by mthcht

Jul 22, 2024

22 stories

6 saves

Threat Hunting
In
Detect FYI
by
mthcht
Threat Hunting - Suspicious Named pipes
Jul 22, 2024
187
Jul 22, 2024
187
In
Detect FYI
by
mthcht
Threat Hunting — Suspicious Windows Service NamesSimulation and Detection
Jan 8, 2024
306
2
Jan 8, 2024
306
2
In
Detect FYI
by
mthcht
Event Log Manipulations - Time slippingAfter reading Alex’s latest article, I’m inspired to start a detection serie dedicated to Event Log manipulation techniques, with our first…
Jan 13, 2024
148
Jan 13, 2024
148
In
Detect FYI
by
mthcht
Threat Hunting - Suspicious User AgentsHunting for Suspicious User Agents with Splunk
Jan 1, 2024
257
2
Jan 1, 2024
257
2
In
Detect FYI
by
mthcht
Detecting DNS over HTTPSDetecting DNS over HTTPS - DoH with a SIEM - logs analysis
Nov 7, 2023
142
1
Nov 7, 2023
142
1
In
Detect FYI
by
mthcht
Threat Hunting - Suspicious TLDs
Nov 3, 2023
29
1
Nov 3, 2023
29
1
In
Detect FYI
by
mthcht
Detect DLL Hijacking techniques from HijackLibs with SplunkSplunk detections searches
Oct 1, 2023
24
Oct 1, 2023
24
In
Detect FYI
by
mthcht
How Threat Actors use PastebinWhy is it important to monitor paste sites? detection tips
Aug 24, 2023
16
Aug 24, 2023
16
mthcht
LOLBAS Detection Serie [2] — Mspub.exe + ProtocolHandler.exe + MsoHtmEd.exeThe LOLBAS serie : https://medium.com/@mthcht/list/lolbas-843ba9de6810
Aug 23, 2023
3
Aug 23, 2023
3
In
Detect FYI
by
mthcht
LOLBAS Detection Serie [1] - AppInstaller.exeTesting and Detecting LOLBAS techinques
Aug 21, 2023
10
Aug 21, 2023
10
In
Detect FYI
by
mthcht
Detecting Phishing attempts with DNSTWISTDNSTWIST for SOC & CTI
Aug 15, 2023
7
Aug 15, 2023
7
In
Detect FYI
by
mthcht
File Integrity Monitoring with AuditdFIM ? PCI DSS ?
Aug 11, 2023
19
Aug 11, 2023
19
In
Detect FYI
by
mthcht
How Threat Actors Use GitHubIntroduction
Aug 8, 2023
39
Aug 8, 2023
39
 This story is no longer available
mthcht
Threat Hunting - HTTP Requests Without Domain NamesIntroduction
Aug 7, 2023
5
Aug 7, 2023
5
mthcht
Canary Tokens and Callback URLs: A Double-Edged SwordIntroduction
Aug 7, 2023
Aug 7, 2023
mthcht
Hunting for suspicious ports activitiesUsing the list of suspicious ports: https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_ports_list.csv (updated regularly)
Aug 7, 2023
10
Aug 7, 2023
10
In
Detect FYI
by
mthcht
Detecting PSEXEC and similar toolsDetect PSEXEC
Aug 7, 2023
82
Aug 7, 2023
82
In
Detect FYI
by
mthcht
Detecting HTML smuggling phishing attemptsExample from a real phishing attempt (BASE64 + AES):
Aug 7, 2023
4
Aug 7, 2023
4
mthcht
C2 Hiding in plain sightUnderstanding your environment with the applications used and allowed will enhances the effectiveness of your hunt here.
Aug 7, 2023
29
Aug 7, 2023
29

Threat Hunting

Threat Hunting - Suspicious Named pipes

Threat Hunting — Suspicious Windows Service Names

Simulation and Detection

Event Log Manipulations - Time slipping

After reading Alex’s latest article, I’m inspired to start a detection serie dedicated to Event Log manipulation techniques, with our first…

Threat Hunting - Suspicious User Agents

Hunting for Suspicious User Agents with Splunk

Detecting DNS over HTTPS

Detecting DNS over HTTPS - DoH with a SIEM - logs analysis

Threat Hunting - Suspicious TLDs

Detect DLL Hijacking techniques from HijackLibs with Splunk

Splunk detections searches

How Threat Actors use Pastebin

Why is it important to monitor paste sites? detection tips

LOLBAS Detection Serie [2] — Mspub.exe + ProtocolHandler.exe + MsoHtmEd.exe

The LOLBAS serie : https://medium.com/@mthcht/list/lolbas-843ba9de6810

LOLBAS Detection Serie [1] - AppInstaller.exe

Testing and Detecting LOLBAS techinques

Detecting Phishing attempts with DNSTWIST

DNSTWIST for SOC & CTI

File Integrity Monitoring with Auditd

FIM ? PCI DSS ?

How Threat Actors Use GitHub

Introduction

Threat Hunting - HTTP Requests Without Domain Names

Introduction

Canary Tokens and Callback URLs: A Double-Edged Sword

Introduction

Hunting for suspicious ports activities

Using the list of suspicious ports: https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_ports_list.csv (updated regularly)

Detecting PSEXEC and similar tools

Detect PSEXEC

Detecting HTML smuggling phishing attempts

Example from a real phishing attempt (BASE64 + AES):

C2 Hiding in plain sight

Understanding your environment with the applications used and allowed will enhances the effectiveness of your hunt here.

mthcht

log analysis

Threat Intelligence

Threat Hunting