This list can be valuable for threat hunters, SOC and CERT teams doing static analysis in a SIEM, as it helps identify threat actors (or red teamers 😆) who leave the default configurations of well-known exploitation tools visible in logs.
This article gives an overview of the tools and resources available to readers who want to improve their threat hunting. It starts with the primary CSV file, threathunting-keywords.csv, which is automatically split into four separate files for easier navigation and more specific lookups. It then presents ripgrep as the most efficient way to match a long list of regex patterns against every line of a large log file, or of several files at once. A step-by-step guide follows for hunting for evil in log file(s) with ripgrep and the 'only_keywords_regex.txt' list. For very large files on Windows, it offers an alternative that combines PowerShell with the 'only_keywords.txt' list, and finally a slower alternative that uses only PowerShell and the same 'only_keywords.txt' list.
The article also ships a list of expected false positives so that readers can recognise and discard incorrect results, which improves the accuracy of the lookup. In addition, it provides SIGMA rules that translate the lookup into a detection rule, so readers can quickly and accurately turn the keyword list into a SIGMA rule. Readers are encouraged to contribute both to the expected false positives list and to the SIGMA rules, improving accuracy for the community as a whole.
Finally, the article offers advice to red teamers on evading simple keyword detection: recompile and rename all custom strings, class or function names, variable names, argument names, executable names, default user-agents, certificates, and any other strings that could be associated with the tools in use. It also suggests using distinct names when developing public red team tools, so that the blue team can build a clear signature for them.
Overall, the article is a useful starting point for anyone who wants to understand the threat hunting process and sharpen their threat hunting skills with these tools and resources.
👉🏽 This list can be valuable for threat hunters, SOC and CERT teams doing static analysis in a SIEM, as it helps identify threat actors (or red teamers 😆) using default configurations from well-known exploitation tools in logs.
👉🏽 Introduction to the primary CSV file threathunting-keywords.csv for optimal navigation.
👉🏽 Explanation of ripgrep as the most efficient solution for matching regex patterns.
👉🏽 Step-by-step guide to using ripgrep and the 'only_keywords_regex.txt' list for threat hunting.
👉🏽 Alternative solution for large files on Windows using PowerShell and the 'only_keywords.txt' list.
👉🏽 Slower alternative for threat hunting using only PowerShell and the 'only_keywords.txt' list.
👉🏽 List of false positives to help identify and improve the accuracy of results.
👉🏽 SIGMA rules provided to translate the lookup for accurate detection.
👉🏽 Encouragement to contribute to the false positives list and SIGMA rules for community improvement.
👉🏽 Advice for red teamers on evading detection through renaming and distinct naming strategies.
👉🏽 Valuable resource to gain understanding and improve threat hunting skills.
🔗 source link: https://github.com/mthcht/ThreatHunting-Keywords
#ThreatHuntingTools #Ripgrep #FalsePositives #SIGMArules #RedteamTips