Splunk Hunting
- https://conf.splunk.com/files/2016/slides/hunting-the-known-unknowns-the-powershell-edition.pdf
- https://www.splunk.com/blog/2018/01/17/finding-new-evil-detecting-new-domains-with-splunk.html
- https://www.splunk.com/blog/2017/12/11/tall-tales-of-hunting-with-tls-ssl-certificates.html
- https://www.splunk.com/blog/2017/12/06/do-we-calculate-appraise-classify-estimate-yes-but-we-do-it-all-with-evaluate-eval.html
- https://www.splunk.com/blog/2017/11/03/you-can-t-hyde-from-dr-levenshtein-when-you-use-url-toolbox.html
- https://www.splunk.com/blog/2017/08/07/peeping-through-windows-logs.html
- https://www.splunk.com/blog/2017/08/14/i-need-to-do-some-hunting-stat.html
- https://www.splunk.com/blog/2017/08/21/this-is-not-the-data-you-are-looking-for-or-is-it.html
- https://www.splunk.com/blog/2017/08/30/rex-groks-gibberish.html
- https://www.splunk.com/blog/2017/09/21/ut-parsing-domains-like-house-slytherin.html
- https://www.splunk.com/blog/2017/07/31/metadata-metalore.html
- https://www.splunk.com/blog/2017/07/21/work-flow-ing-your-osint.html
- https://www.splunk.com/blog/2017/07/17/finding-islands-in-the-stream-of-data.html
- https://www.splunk.com/blog/2017/07/07/lookup-before-you-go-go-hunting.html
- https://www.splunk.com/blog/2017/07/06/hunting-with-splunk-the-basics.html
- https://docs.splunk.com/Documentation/ES/5.1.0/Usecases/DataExfiltration
- http://security-research.dyndns.org/pub/slides/BotConf/2016/Botconf-2016_Tom-Ueltschi_Sysmon_notes.pdf
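The "Dr. Levenshtein / URL Toolbox" post above does lookalike-domain hunting in SPL with ut_parse and ut_levenshtein. The following is an added example (not code from the linked post or from URL Toolbox) that shows the same idea in Python: extract the registered domain from each observed FQDN, compute edit distance against a brand watchlist, and keep the near misses. The observed domains and the watchlist are constructed for the example, the `registered_domain` helper is a deliberate simplification (no public-suffix list), and the distance cutoff of 2 is an illustrative assumption.

```python
"""Lookalike-domain hunting with Levenshtein distance.

Mirrors the idea of the URL Toolbox post: parse the registered domain out of
each observed FQDN, then compare it to a brand watchlist and flag names that
are one or two edits away (typosquats, homoglyph swaps like 0 for o, rn for m).
"""
from typing import List, Tuple


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) using a two-row DP table."""
    if a == b:
        return 0
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def registered_domain(fqdn: str) -> str:
    """Naive 'domain.tld' extraction: last two labels only.

    Assumption for this example: no public-suffix list, so multi-label
    suffixes such as co.uk are mis-parsed. ut_parse in URL Toolbox uses the
    real suffix list; a production version should too.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else fqdn.lower()


def lookalikes(observed: List[str], watchlist: List[str],
               max_distance: int = 2) -> List[Tuple[str, str, int]]:
    """Return (observed_fqdn, watchlist_domain, distance) for near misses.

    Distance 0 is the legitimate brand itself and is skipped. Note that a
    subdomain trick such as login.paypal.com.evil.net scores far from the
    watchlist here (its registered domain is evil.net); that pattern needs
    a separate check on the leftmost labels, which this example omits.
    """
    hits = []
    for fqdn in observed:
        dom = registered_domain(fqdn)
        for brand in watchlist:
            d = levenshtein(dom, brand.lower())
            if 0 < d <= max_distance:
                hits.append((fqdn, brand, d))
    return sorted(hits, key=lambda h: (h[2], h[0]))


# Constructed sample input (not real telemetry).
OBSERVED = [
    "www.google.com",
    "paypa1.com",
    "mail.rnicrosoft.com",
    "login.paypal.com.evil.net",
    "cdn.example.org",
    "micr0soft.com",
]
WATCHLIST = ["google.com", "paypal.com", "microsoft.com"]


if __name__ == "__main__":
    for fqdn, brand, dist in lookalikes(OBSERVED, WATCHLIST):
        print(f"{fqdn:28s} ~ {brand:15s} distance={dist}")
```

In practice the observed list is the distinct set of domains from DNS or proxy logs over the hunt window, and the watchlist is your own brands plus the SaaS and bank domains your users log in to; tune `max_distance` down to 1 for short brand names, where distance 2 matches far too much.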
Red Canary Articles
- https://redcanary.com/blog/detection-engineering/
- https://redcanary.com/blog/slaying-evil-cyber-incident-response-team/
- https://redcanary.com/blog/cryptomining-enabled-by-native-windows-tools/
- https://redcanary.com/blog/atomic-red-team-next-chapter/
- https://redcanary.com/blog/spearphishing-documents-with-executables/
- https://redcanary.com/blog/detecting-msxsl-attacks
- https://redcanary.com/blog/attacking-a-mac-threat-detection-392
- https://redcanary.com/blog/carbon-black-response-with-splunk-advanced-data-analysis/
- https://redcanary.com/blog/carbon-black-response-how-tos-surveyor/
Bro
- RDP Access
- Unusual Sender Domains
- Finding C2 in Network Sessions
- Producer-Consumer Ratio for Detecting Data Exfiltration
- Finding the Unknown with HTTP URIs
- C2 via Dynamic DNS
- Hunter’s Tool Chest: Bro
- Using Bro to Hunt Persistent Threats
- Threat Hunting Using Open Source Software Bro Part 1
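The "Producer-Consumer Ratio for Detecting Data Exfiltration" item above refers to the PCR metric computed over Bro conn.log: PCR = (orig_bytes - resp_bytes) / (orig_bytes + resp_bytes), which runs from -1 (a host that only pulls data) to +1 (a host that only pushes). The example below is added here and is not code from any of the articles listed; it parses conn.log in Bro's tab-separated format, aggregates bytes per originating host, and flags hosts that push a large volume with a ratio near +1. The log lines are constructed for the example (only the columns the calculation needs carry meaningful values), and the 0.8 ratio threshold and 1 MB volume floor are illustrative assumptions to tune against your own baseline.

```python
"""Producer-Consumer Ratio (PCR) over Bro/Zeek conn.log records.

PCR = (orig_bytes - resp_bytes) / (orig_bytes + resp_bytes), per source host.
+1.0 means the host only pushes data (pure producer), -1.0 means it only pulls
(pure consumer). A workstation that normally consumes but scores near +1 on
a large volume toward an external address is a data-exfiltration lead.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample in Bro's tab-separated conn.log layout (not a real capture).
SAMPLE_CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1530000000.1\tC1\t10.0.0.5\t51234\t93.184.216.34\t443\ttcp\tssl\t12.5\t1200\t48000\tSF
1530000010.2\tC2\t10.0.0.5\t51235\t93.184.216.34\t443\ttcp\tssl\t3.0\t800\t22000\tSF
1530000020.3\tC3\t10.0.0.7\t49877\t203.0.113.9\t443\ttcp\tssl\t600.0\t95000000\t4100\tSF
1530000030.4\tC4\t10.0.0.7\t49878\t203.0.113.9\t443\ttcp\tssl\t580.0\t91000000\t3900\tSF
1530000040.5\tC5\t10.0.0.9\t40000\t198.51.100.2\t53\tudp\tdns\t-\t-\t-\tS0
1530000050.6\tC6\t10.0.0.11\t40001\t198.51.100.2\t22\ttcp\tssh\t0.2\t300\t300\tSF
"""


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Parse Bro TSV conn.log text into dicts keyed by the #fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue  # #separator, #types, #close and other directives
        values = line.split("\t")
        if not fields or len(values) != len(fields):
            raise ValueError(f"malformed conn.log record: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def _count(value: str) -> int:
    """Bro writes '-' for an unset count field; treat it as zero bytes."""
    return 0 if value == "-" else int(value)


def pcr(orig_bytes: int, resp_bytes: int) -> float:
    """Producer-Consumer Ratio; 0.0 when no payload moved in either direction."""
    total = orig_bytes + resp_bytes
    return 0.0 if total == 0 else (orig_bytes - resp_bytes) / total


def pcr_by_host(records: Iterable[Dict[str, str]]) -> Dict[str, Tuple[int, int, float]]:
    """Aggregate bytes per originating host; returns (sent, received, PCR)."""
    sent: Dict[str, int] = defaultdict(int)
    received: Dict[str, int] = defaultdict(int)
    for rec in records:
        host = rec["id.orig_h"]
        sent[host] += _count(rec["orig_bytes"])
        received[host] += _count(rec["resp_bytes"])
    return {h: (sent[h], received[h], pcr(sent[h], received[h])) for h in sent}


def exfil_candidates(per_host: Dict[str, Tuple[int, int, float]],
                     threshold: float = 0.8,
                     min_bytes: int = 1_000_000) -> List[Tuple[str, int, int, float]]:
    """Hosts whose PCR exceeds the threshold on a non-trivial byte volume.

    min_bytes keeps tiny flows (a lone SYN, a short SSH session) out of the
    result: their ratio is noisy and tells the hunter nothing.
    """
    out = [(h, s, r, round(p, 3)) for h, (s, r, p) in per_host.items()
           if p >= threshold and s + r >= min_bytes]
    return sorted(out, key=lambda row: row[3], reverse=True)


if __name__ == "__main__":
    ranked = exfil_candidates(pcr_by_host(parse_conn_log(SAMPLE_CONN_LOG)))
    for host, sent_b, recv_b, ratio in ranked:
        print(f"{host}: sent={sent_b} recv={recv_b} pcr={ratio}")
```

The useful hunt is the comparison, not the absolute number: compute PCR per host per day, keep a baseline, and look at hosts whose ratio moves from strongly negative toward +1, or whose producer-side volume jumps; backup servers and mail relays legitimately sit near +1 all the time and should be whitelisted rather than flagged.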
Other Articles
- https://az4n6.blogspot.com/2018/06/malicious-powershell-in-registry.html
- https://www.cover6solutions.com/event/threat-hunting-soc-analyst-2/
- https://blog.augustschell.com/3-tips-for-threat-hunting-with-splunk
- https://isc.sans.edu/diary/rss/23473
- https://www.demisto.com/automated-threat-hunting-demisto-playbooks/
- https://www.peerlyst.com/posts/the-threathunter-playbook-animesh-shaw
- https://www.sans.org/reading-room/whitepapers/analyst/membership/36282
- https://www.secureworks.com/blog/malware-lingers-with-bits
- https://www.endgame.com/blog/technical-blog/detecting-spectre-and-meltdown-using-hardware-performance-counters
- https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
WMI Articles
- http://www.exploit-monday.com/2015/12/thoughts-on-exploiting-remote-wmi-query.html
- https://room362.com/post/2014/2014-04-19-executing-code-via-smb-without-psexec/
- https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor.pdf