Threat Hunting

Hunter’s Tool Chest: Sysmon

The first entry in this series was about a network-focused hunting tool, so it seems fair that the second entry is about an endpoint-focused one. Sysmon is a free tool created by Microsoft that is capable of collecting process level metadata— including command line activity…

Hunting for PowerShell Using Heatmaps

This post is an example of how visualizations can be used in threat hunting; it isn’t an explicit play-by-play guide for finding malicious PowerShell activity in your network, but is written to show how easy it can be to create and use visualizations as a hunting…

Threat Hunting Basics

What is threat hunting?

If you ask a group of information security professionals for the definition of threat hunting, then you’re likely to get multiple (potentially divisive) responses. There seems to be general agreement among threat detection…

PowerShell One-Liner of the Week

Get-EventLog Security -InstanceID 4688 -Message “*whoami*” | fl *

If you are tracking process creation and have command line auditing turned on, the above command will hit anytime whoami is typed on the box. Of course you can search for whatever…

Adventures with MHN

(Modern Honeypot Network) Part 2

Installing the Management Server

Launch Codes Ready — Incoming Bot Missiles

Splunking with Missile Map

Adventures with MHN

(Modern Honeypot Network) Part 1

“Why “threat hunting” makes sense and recently became a buzzword” by Karl M.

Threat hunting becoming the more popular term rather than NSM

Threat hunting ideas, by Guurhart

“A good friend sent this to me, it’s a useful graphical overviews of places you should be looking when you’re doing threat hunting‍” What do you think of this overview of threathunting?

Threat Hunting and PowerShell Remoting

I have been on the PowerShell train for roughly four months and would like to share a couple…