The ThreatHunting Project

Hunting for adversaries in your IT environment


Threat hunting is a popular topic these days, and there are a lot of people who want to get started but don’t know how. What should they hunt for? How should they perform the hunts? What data will they need to collect?

On the other hand, there are a lot of individuals out there who have written blog posts, conference presentations or whatever that detail some of their favorite hunting procedures. The problem is that these procedures are scattered all over the Internet, and are sometimes hard to find.

That’s why the ThreatHunting Project exists. Here you will find links to a number of different published hunting procedures. It is my hope that this will give you some concrete starting points, or if you are an experienced hunter, help you find additional techniques to add to your repertoire.

Getting Started

First, if you are new to the idea of threat hunting, you may find the annotated reading list a useful source of links to help you understand what hunting is, how it’s done and what successful organizations do to help their hunters.

The core of this repository is the list of published hunting procedures, which you will find on the sidebar. You can either browse the full list, or if you have a specific hunting objective in mind, you can view that list indexed by goals. Likewise, if you don’t know what to hunt for but you have some data, consult the data index to see what you might be able to find with it.

In general, the expectation is that you may use the procedures in this collection to identify specific hunting techniques that are of interest to you, then follow the included references to read more and actually learn how to perform those hunts.

License

Here’s the deal, in plain English:

This repo is here for the community. You are free to use it for personal or commercial use provided you attribute it in some visible manner. We suggest “Data provided by The ThreatHunting Project, http://threathunting.net” or something substantially similar. Please do include the URL, though, to help more people find us.

Contributing

Fork the repo, edit the appropriate technique (or use the TECHNIQUE TEMPLATE.md file to create a new one), add it to the list in the appropriate topic and data categories, then send us a pull request. This is the preferred method.

Special Thanks

Like many community projects, this wouldn’t be possible without the work of a lot of other people.

First and foremost, I’d like to thank all those brave hunters who share their techniques with the world. The ThreatHunting Project is only a catalog; the hunters who developed and published their procedures did the hard work and we thank them for it.

Second, I’d like to personally thank everyone who has contributed to this repo. Your contributions make it a little better every time, and you are much appreciated.