├── .gitignore
├── Command and Control
│   ├── RITA Beacon Analyzer - Palo Alto FW.md
│   ├── RITA Beacon Analyzer - Windows Firewall.md
│   ├── RITA Beacon Analyzer.md
│   ├── Suspicious Network Beacons - MDE Aggregated Reports.md
│   ├── Suspicious Network Beacons - Microsoft Defender.md
│   ├── Suspicious Network Beacons - Palo Alto.md
│   ├── Suspicious Network Beacons - Sysmon.md
│   └── Suspicious Network Connections - Supply Chain Attack.md
├── Credential Access
│   ├── Password Spray.md
│   ├── Potential Cloud Account Takeover.md
│   ├── Potential Cloud Acount Takeover - Window.md
│   ├── Potential Kerberos Relaying Activity - MDE.md
│   ├── Potential NTLM Relay Attack to Domain Controller.md
│   ├── Potentially Relayed Kerberos Authentication - MS Sentinel.md
│   ├── Potentially Relayed NTLM Authentication - MDE.md
│   ├── Potentially Relayed NTLM Authentication - MS Sentinel.md
│   ├── Suspicious TGT Request with a DC Account.md
│   └── T1558.003 - Kerberoasting.md
├── Defense Evasion
│   ├── ASR Rare and Untrusted Executables.md
│   ├── DLL Hijacking - HijackLibs.md
│   ├── HijackLibs.csv
│   ├── Microsoft Recommended Driver Block List.md
│   └── Suspicious Driver Load.md
├── Initial Access
│   ├── Rouge RDP - Suspicious File Creation.md
│   ├── Spearphishing Attachment - ISO Images(Azure Sentinel).md
│   ├── Spearphishing Attachment - ISO Images(Microsoft Defender).md
│   └── Spearphishing Link - Rare URL Clicks.md
├── LICENSE
├── Lateral Movement
│   └── TA0008 - Potential Lateral Movement via MSI ODBC Driver Install over DCOM.md
├── Persistence
│   ├── Scheduled Task - Suspicious Network Connection.md
│   ├── T1547.001 - Suspicious Registry Run Keys.md
│   └── T1574 - DLL Hijacking: Loading from an Unusual Directory.md
├── Privilege Escalation
│   └── Potential Actor Token Abuse in Entra ID.md
├── README.md
├── Talks
│   ├── .DS_Store
│   ├── Jupyterthon22
│   │   ├── dashboard_app.ipynb
│   │   ├── hvPlot-Panel.ipynb
│   │   └── sampledata.pkl
│   └── README.md
└── Uncategorized
    ├── NPM debug and chalk compromise 09-2025.md
    ├── Process Tree Analysis.md
    └── Server Network Connection Anomaly.md

/.gitignore:
--------------------------------------------------------------------------------
.DS_Store
--------------------------------------------------------------------------------

/Command and Control/RITA Beacon Analyzer - Palo Alto FW.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Command and Control/RITA Beacon Analyzer - Palo Alto FW.md
--------------------------------------------------------------------------------

/Command and Control/RITA Beacon Analyzer - Windows Firewall.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Command and Control/RITA Beacon Analyzer - Windows Firewall.md
--------------------------------------------------------------------------------

/Command and Control/RITA Beacon Analyzer.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Command and Control/RITA Beacon Analyzer.md
--------------------------------------------------------------------------------

/Command and Control/Suspicious Network Beacons - MDE Aggregated Reports.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Command and Control/Suspicious Network Beacons - MDE Aggregated Reports.md
--------------------------------------------------------------------------------

/Command and Control/Suspicious Network Beacons - Microsoft Defender.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Command and Control/Suspicious Network Beacons - Microsoft Defender.md
--------------------------------------------------------------------------------

/Command and Control/Suspicious Network Beacons - Palo Alto.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Command and Control/Suspicious Network Beacons - Palo Alto.md
--------------------------------------------------------------------------------

/Command and Control/Suspicious Network Beacons - Sysmon.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Command and Control/Suspicious Network Beacons - Sysmon.md
--------------------------------------------------------------------------------

/Command and Control/Suspicious Network Connections - Supply Chain Attack.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Command and Control/Suspicious Network Connections - Supply Chain Attack.md
--------------------------------------------------------------------------------

/Credential Access/Password Spray.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Credential Access/Password Spray.md
--------------------------------------------------------------------------------

/Credential Access/Potential Cloud Account Takeover.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Credential Access/Potential Cloud Account Takeover.md
--------------------------------------------------------------------------------

/Credential Access/Potential Cloud Acount Takeover - Window.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Credential Access/Potential Cloud Acount Takeover - Window.md
--------------------------------------------------------------------------------

/Credential Access/Potential Kerberos Relaying Activity - MDE.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Credential Access/Potential Kerberos Relaying Activity - MDE.md
--------------------------------------------------------------------------------

/Credential Access/Potential NTLM Relay Attack to Domain Controller.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Credential Access/Potential NTLM Relay Attack to Domain Controller.md
--------------------------------------------------------------------------------

/Credential Access/Potentially Relayed Kerberos Authentication - MS Sentinel.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Credential Access/Potentially Relayed Kerberos Authentication - MS Sentinel.md
--------------------------------------------------------------------------------

/Credential Access/Potentially Relayed NTLM Authentication - MDE.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Credential Access/Potentially Relayed NTLM Authentication - MDE.md
--------------------------------------------------------------------------------

/Credential Access/Potentially Relayed NTLM Authentication - MS Sentinel.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Credential Access/Potentially Relayed NTLM Authentication - MS Sentinel.md
--------------------------------------------------------------------------------

/Credential Access/Suspicious TGT Request with a DC Account.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Credential Access/Suspicious TGT Request with a DC Account.md
--------------------------------------------------------------------------------

/Credential Access/T1558.003 - Kerberoasting.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Credential Access/T1558.003 - Kerberoasting.md
--------------------------------------------------------------------------------

/Defense Evasion/ASR Rare and Untrusted Executables.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Defense Evasion/ASR Rare and Untrusted Executables.md
--------------------------------------------------------------------------------

/Defense Evasion/DLL Hijacking - HijackLibs.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Defense Evasion/DLL Hijacking - HijackLibs.md
--------------------------------------------------------------------------------

/Defense Evasion/HijackLibs.csv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Defense Evasion/HijackLibs.csv
--------------------------------------------------------------------------------

/Defense Evasion/Microsoft Recommended Driver Block List.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Defense Evasion/Microsoft Recommended Driver Block List.md
--------------------------------------------------------------------------------

/Defense Evasion/Suspicious Driver Load.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Defense Evasion/Suspicious Driver Load.md
--------------------------------------------------------------------------------

/Initial Access/Rouge RDP - Suspicious File Creation.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Initial Access/Rouge RDP - Suspicious File Creation.md
--------------------------------------------------------------------------------

/Initial Access/Spearphishing Attachment - ISO Images(Azure Sentinel).md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Initial Access/Spearphishing Attachment - ISO Images(Azure Sentinel).md
--------------------------------------------------------------------------------

/Initial Access/Spearphishing Attachment - ISO Images(Microsoft Defender).md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Initial Access/Spearphishing Attachment - ISO Images(Microsoft Defender).md
--------------------------------------------------------------------------------

/Initial Access/Spearphishing Link - Rare URL Clicks.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Initial Access/Spearphishing Link - Rare URL Clicks.md
--------------------------------------------------------------------------------

/LICENSE:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/LICENSE
--------------------------------------------------------------------------------

/Lateral Movement/TA0008 - Potential Lateral Movement via MSI ODBC Driver Install over DCOM.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Lateral Movement/TA0008 - Potential Lateral Movement via MSI ODBC Driver Install over DCOM.md
--------------------------------------------------------------------------------

/Persistence/Scheduled Task - Suspicious Network Connection.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Persistence/Scheduled Task - Suspicious Network Connection.md
--------------------------------------------------------------------------------

/Persistence/T1547.001 - Suspicious Registry Run Keys.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Persistence/T1547.001 - Suspicious Registry Run Keys.md
--------------------------------------------------------------------------------

/Persistence/T1574 - DLL Hijacking: Loading from an Unusual Directory.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Persistence/T1574 - DLL Hijacking: Loading from an Unusual Directory.md
--------------------------------------------------------------------------------

/Privilege Escalation/Potential Actor Token Abuse in Entra ID.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Privilege Escalation/Potential Actor Token Abuse in Entra ID.md
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/README.md
--------------------------------------------------------------------------------

/Talks/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Talks/.DS_Store
--------------------------------------------------------------------------------

/Talks/Jupyterthon22/dashboard_app.ipynb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Talks/Jupyterthon22/dashboard_app.ipynb
--------------------------------------------------------------------------------

/Talks/Jupyterthon22/hvPlot-Panel.ipynb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Talks/Jupyterthon22/hvPlot-Panel.ipynb
--------------------------------------------------------------------------------

/Talks/Jupyterthon22/sampledata.pkl:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Talks/Jupyterthon22/sampledata.pkl
--------------------------------------------------------------------------------

/Talks/README.md:
--------------------------------------------------------------------------------
# Talks and Demos
--------------------------------------------------------------------------------

/Uncategorized/NPM debug and chalk compromise 09-2025.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Uncategorized/NPM debug and chalk compromise 09-2025.md
--------------------------------------------------------------------------------

/Uncategorized/Process Tree Analysis.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Uncategorized/Process Tree Analysis.md
--------------------------------------------------------------------------------

/Uncategorized/Server Network Connection Anomaly.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3r-Monk/Threat-Hunting-and-Detection/HEAD/Uncategorized/Server Network Connection Anomaly.md
--------------------------------------------------------------------------------