├── .binder
│   ├── apt.txt
│   ├── postBuild
│   ├── requirements.txt
│   └── start
├── CHANGELOG.rst
├── LICENSE.md
├── README.md
├── blackhat22
│   ├── 1. Start Hunt From TTPs.ipynb
│   ├── 2. Cross-Host Campaign Discovery.ipynb
│   ├── 3. Apply Analytics in a Hunt.ipynb
│   └── images
│       ├── caldera_lateral_movement_TTPs.png
│       ├── caldera_overview_n_T1057.png
│       └── spawn_TTP.png
├── config
│   └── stixshifter.yaml
├── huntbooks
│   ├── Lateral Movement via WMI.ipynb
│   ├── Lsass Memory Dump Trace with Outflank-Dumpert.ipynb
│   ├── Lsass Memory Dump via Comsvcs.dll.ipynb
│   ├── Non-Interactive Windows Shells.ipynb
│   ├── Windows Scheduled Tasks Hunting.ipynb
│   └── log4shell Detection.ipynb
└── tutorial
    ├── 0. Hello World Hunt.ipynb
    ├── 1. Query a Data Source.ipynb
    ├── 2. Inspect a Variable.ipynb
    ├── 3. Find Connected Entities.ipynb
    ├── 4. Group Entities in a Variable.ipynb
    ├── 5. Apply a Kestrel Analytics.ipynb
    ├── 6. Fork and Merge Hunt Flows.ipynb
    ├── 7. Save and Load a Variable.ipynb
    └── 9. Answers to Questions.ipynb

Raw file URLs (HEAD of opencybersecurityalliance/kestrel-huntbook):

/.binder/apt.txt: https://raw.githubusercontent.com/opencybersecurityalliance/kestrel-huntbook/HEAD/.binder/apt.txt
/.binder/postBuild: https://raw.githubusercontent.com/opencybersecurityalliance/kestrel-huntbook/HEAD/.binder/postBuild
/.binder/requirements.txt: https://raw.githubusercontent.com/opencybersecurityalliance/kestrel-huntbook/HEAD/.binder/requirements.txt
/.binder/start: https://raw.githubusercontent.com/opencybersecurityalliance/kestrel-huntbook/HEAD/.binder/start
/CHANGELOG.rst: https://raw.githubusercontent.com/opencybersecurityalliance/kestrel-huntbook/HEAD/CHANGELOG.rst
/LICENSE.md: https://raw.githubusercontent.com/opencybersecurityalliance/kestrel-huntbook/HEAD/LICENSE.md
/README.md: https://raw.githubusercontent.com/opencybersecurityalliance/kestrel-huntbook/HEAD/README.md
/blackhat22/1. Start Hunt From TTPs.ipynb: https://raw.githubusercontent.com/opencybersecurityalliance/kestrel-huntbook/HEAD/blackhat22/1. Start Hunt From TTPs.ipynb
/blackhat22/2. Cross-Host Campaign Discovery.ipynb: https://raw.githubusercontent.com/opencybersecurityalliance/kestrel-huntbook/HEAD/blackhat22/2. Cross-Host Campaign Discovery.ipynb
/blackhat22/3. Apply Analytics in a Hunt.ipynb: https://raw.githubusercontent.com/opencybersecurityalliance/kestrel-huntbook/HEAD/blackhat22/3. Apply Analytics in a Hunt.ipynb
/blackhat22/images/caldera_lateral_movement_TTPs.png: https://raw.githubusercontent.com/opencybersecurityalliance/kestrel-huntbook/HEAD/blackhat22/images/caldera_lateral_movement_TTPs.png
/blackhat22/images/caldera_overview_n_T1057.png: https://raw.githubusercontent.com/opencybersecurityalliance/kestrel-huntbook/HEAD/blackhat22/images/caldera_overview_n_T1057.png
/blackhat22/images/spawn_TTP.png: https://raw.githubusercontent.com/opencybersecurityalliance/kestrel-huntbook/HEAD/blackhat22/images/spawn_TTP.png
/config/stixshifter.yaml: https://raw.githubusercontent.com/opencybersecurityalliance/kestrel-huntbook/HEAD/config/stixshifter.yaml
/huntbooks/Lateral Movement via WMI.ipynb: https://raw.githubusercontent.com/opencybersecurityalliance/kestrel-huntbook/HEAD/huntbooks/Lateral Movement via WMI.ipynb
/huntbooks/Lsass Memory Dump Trace with Outflank-Dumpert.ipynb: https://raw.githubusercontent.com/opencybersecurityalliance/kestrel-huntbook/HEAD/huntbooks/Lsass Memory Dump Trace with Outflank-Dumpert.ipynb
/huntbooks/Lsass Memory Dump via Comsvcs.dll.ipynb: https://raw.githubusercontent.com/opencybersecurityalliance/kestrel-huntbook/HEAD/huntbooks/Lsass Memory Dump via Comsvcs.dll.ipynb
/huntbooks/Non-Interactive Windows Shells.ipynb: https://raw.githubusercontent.com/opencybersecurityalliance/kestrel-huntbook/HEAD/huntbooks/Non-Interactive Windows Shells.ipynb
/huntbooks/Windows Scheduled Tasks Hunting.ipynb: https://raw.githubusercontent.com/opencybersecurityalliance/kestrel-huntbook/HEAD/huntbooks/Windows Scheduled Tasks Hunting.ipynb
/huntbooks/log4shell Detection.ipynb: https://raw.githubusercontent.com/opencybersecurityalliance/kestrel-huntbook/HEAD/huntbooks/log4shell Detection.ipynb
/tutorial/0. Hello World Hunt.ipynb: https://raw.githubusercontent.com/opencybersecurityalliance/kestrel-huntbook/HEAD/tutorial/0. Hello World Hunt.ipynb
/tutorial/1. Query a Data Source.ipynb: https://raw.githubusercontent.com/opencybersecurityalliance/kestrel-huntbook/HEAD/tutorial/1. Query a Data Source.ipynb
/tutorial/2. Inspect a Variable.ipynb: https://raw.githubusercontent.com/opencybersecurityalliance/kestrel-huntbook/HEAD/tutorial/2. Inspect a Variable.ipynb
/tutorial/3. Find Connected Entities.ipynb: https://raw.githubusercontent.com/opencybersecurityalliance/kestrel-huntbook/HEAD/tutorial/3. Find Connected Entities.ipynb
/tutorial/4. Group Entities in a Variable.ipynb: https://raw.githubusercontent.com/opencybersecurityalliance/kestrel-huntbook/HEAD/tutorial/4. Group Entities in a Variable.ipynb
/tutorial/5. Apply a Kestrel Analytics.ipynb: https://raw.githubusercontent.com/opencybersecurityalliance/kestrel-huntbook/HEAD/tutorial/5. Apply a Kestrel Analytics.ipynb
/tutorial/6. Fork and Merge Hunt Flows.ipynb: https://raw.githubusercontent.com/opencybersecurityalliance/kestrel-huntbook/HEAD/tutorial/6. Fork and Merge Hunt Flows.ipynb
/tutorial/7. Save and Load a Variable.ipynb: https://raw.githubusercontent.com/opencybersecurityalliance/kestrel-huntbook/HEAD/tutorial/7. Save and Load a Variable.ipynb
/tutorial/9. Answers to Questions.ipynb: https://raw.githubusercontent.com/opencybersecurityalliance/kestrel-huntbook/HEAD/tutorial/9. Answers to Questions.ipynb