Threat detection tools

There are many threat detection and hunting tools available, each with its own strengths and weaknesses. Some of the most widely used are listed below:

1. MITRE ATT&CK Navigator (source code) – The ATT&CK Navigator is designed to provide basic navigation and annotation of ATT&CK matrices, something analysts previously did by hand in tools like Excel.

The Navigator is a web-based application for exploring and visualizing the MITRE ATT&CK framework, a curated knowledge base of adversary tactics, techniques and procedures (TTPs) observed in real intrusions (ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge). Typical uses are mapping detection coverage, comparing the techniques used by different threat groups, and planning red or purple team exercises. Annotations are saved as "layers", JSON files that can be shared, merged and regenerated from other data. The Navigator is free and open source, and it is linked from the ATT&CK website.
https://attack.mitre.org/
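Because a layer is just JSON, coverage data can be turned into a Navigator heat map programmatically. The following is an added example, not code from the MITRE project: it builds a layer in which each technique's score is the number of detection analytics mapped to it, so uncovered techniques stand out. The coverage figures are constructed, and the "versions" strings are assumed and should be set to match the Navigator and ATT&CK release you use.

```python
import json

# Constructed coverage data: ATT&CK technique ID -> number of detection
# analytics mapped to it in a hypothetical rule set (not real figures).
COVERAGE = {
    "T1059.001": 3,  # Command and Scripting Interpreter: PowerShell
    "T1003.001": 1,  # OS Credential Dumping: LSASS Memory
    "T1110.003": 2,  # Brute Force: Password Spraying
    "T1021.002": 0,  # Remote Services: SMB/Windows Admin Shares
}


def build_layer(coverage, name="Detection coverage", domain="enterprise-attack"):
    """Build a Navigator layer dict: score = analytic count, coloured by gradient."""
    max_score = max(coverage.values(), default=0) or 1
    techniques = [
        {
            "techniqueID": tid,
            "score": count,
            "comment": f"{count} analytic(s) mapped" if count else "no detection coverage",
            "enabled": True,
            "showSubtechniques": False,
        }
        for tid, count in sorted(coverage.items())
    ]
    return {
        "name": name,
        # Assumed versions; set these to the Navigator/ATT&CK release in use.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": domain,
        "description": "Technique score = number of analytics mapped to it",
        "techniques": techniques,
        # Red for zero coverage through green at the best-covered technique.
        "gradient": {
            "colors": ["#ff6666", "#ffe766", "#8ec843"],
            "minValue": 0,
            "maxValue": max_score,
        },
        "legendItems": [
            {"label": "no coverage", "color": "#ff6666"},
            {"label": f"{max_score}+ analytics", "color": "#8ec843"},
        ],
    }


def uncovered_techniques(layer):
    """Technique IDs in a layer whose score is 0 (gaps worth prioritising)."""
    return [t["techniqueID"] for t in layer["techniques"] if t.get("score", 0) == 0]


def layer_to_json(layer):
    """Serialise the layer exactly as the Navigator's 'Open Existing Layer' expects."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    layer = build_layer(COVERAGE)
    with open("coverage_layer.json", "w", encoding="utf-8") as fh:
        fh.write(layer_to_json(layer))
    print("uncovered:", uncovered_techniques(layer))
```

Load the resulting file through the Navigator's "Open Existing Layer" option; the gradient colours the matrix cells from the score, and the per-technique comment appears on hover.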

2. HELK – HELK stands for Hunting ELK: an Elasticsearch, Logstash and Kibana stack extended with Kafka, Spark and Jupyter notebooks for threat hunting. It is a collection of open-source components that collect, analyze and visualize logs from many sources, and it is widely used by security teams because it supports both detecting and investigating security threats.

Once HELK has ingested the logs, they can be analyzed in several ways: searched interactively in Kibana, run through detection rules, or explored in Jupyter notebooks. Security teams can use it, for instance, to spot malicious patterns such as a burst of failed logon attempts against many accounts, or the presence of a known malware indicator in endpoint telemetry.
https://thehelk.com/

3. DetectionLab – DetectionLab is a free, open-source project that builds a lab environment for testing and learning about security detection and incident response. It uses Vagrant and Packer to stand up a small Windows domain (a domain controller, a workstation and a Windows Event Forwarding server) plus a logging server, pre-configured with Sysmon, osquery, Splunk and other tooling.

It is suitable for security professionals at all levels, from beginners to experienced practitioners, and is a good starting point for anyone who wants to learn about detection engineering and incident response. Note that the project was deprecated by its maintainer in 2023 and no longer receives updates, although the repository and its Vagrant and Packer definitions remain available.
https://detectionlab.network/

4. Revoke-Obfuscation – Revoke-Obfuscation is a PowerShell framework that detects obfuscated PowerShell scripts and script blocks. It was created by Daniel Bohannon and Lee Holmes and released in 2017 (Bohannon also wrote Invoke-Obfuscation, the offensive counterpart it was built to catch). Rather than matching signatures, it uses a classifier trained on a large corpus of known obfuscated and non-obfuscated PowerShell scripts.

For each script, Revoke-Obfuscation parses the PowerShell abstract syntax tree and extracts thousands of statistical features (character and token frequencies, entropy, nesting depth and similar), then feeds them to the trained model to decide whether the script is obfuscated. Because it works on structure rather than on specific strings, it catches obfuscation that simple keyword rules miss, and it can be run over Windows PowerShell event logs as well as files on disk.
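To make the feature-extraction idea concrete, here is an added example in Python that is not part of Revoke-Obfuscation: it computes a handful of hand-picked statistical and structural features from PowerShell text and combines them with fixed weights. The real tool extracts thousands of features from the AST and uses a trained model; the weights, threshold and the three sample scripts below are all constructed for illustration.

```python
import math
import re

# Constructed sample scripts (not taken from the project's corpus).
PLAIN = "Get-Process | Where-Object { $_.CPU -gt 100 } | Select-Object Name, Id"
# Same logic as PLAIN, hidden with string splitting, the -f format operator,
# call operators and a backtick escape inside a string.
OBFUSCATED = ("$n='Get'+'-Pro'+'cess'; .($n) | &(\"{1}{0}\" -f 'ere-Object','Wh') "
              "{ $_.\"C`PU\" -gt 100 }")
# A launcher with a base64 blob after -Enc (constructed blob, not decoded here).
ENCODED = ("powershell.exe -NoP -W Hidden -Enc "
           "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA")

SPECIAL = re.compile(r"[^A-Za-z0-9\s]")
STRING_CONCAT = re.compile(r"'\s*\+\s*'")            # 'Get'+'-Pro': split string literals
FORMAT_OPERATOR = re.compile(r"-f\s+['\"]")           # "{1}{0}" -f 'b','a': reordering
BACKTICK_IN_STRING = re.compile(r'"[^"]*`[^"]*"')     # "C`PU": escapes inside a string
ENCODED_COMMAND = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.IGNORECASE)
INVOKE_EXPRESSION = re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE)


def extract_features(script):
    """Cheap stand-ins for the kind of features a classifier would be trained on."""
    total = len(script) or 1
    counts = {}
    for ch in script:
        counts[ch] = counts.get(ch, 0) + 1
    entropy = -sum(c / total * math.log2(c / total) for c in counts.values())
    return {
        "length": len(script),
        "special_ratio": len(SPECIAL.findall(script)) / total,  # punctuation density
        "entropy": entropy,                                      # bits per character
        "string_concats": len(STRING_CONCAT.findall(script)),
        "format_operator": bool(FORMAT_OPERATOR.search(script)),
        "backtick_in_string": bool(BACKTICK_IN_STRING.search(script)),
        "encoded_command": bool(ENCODED_COMMAND.search(script)),
        "invoke_expression": bool(INVOKE_EXPRESSION.search(script)),
    }


def obfuscation_score(features):
    """Fixed, hand-chosen weights (assumed); a real model learns these."""
    score = features["special_ratio"]
    score += 0.1 * min(features["string_concats"], 5)
    for flag, weight in (("format_operator", 0.2), ("backtick_in_string", 0.2),
                         ("encoded_command", 0.6), ("invoke_expression", 0.2)):
        if features[flag]:
            score += weight
    return round(score, 3)


THRESHOLD = 0.35  # assumed cut-off for this toy scorer


def is_obfuscated(script):
    return obfuscation_score(extract_features(script)) >= THRESHOLD


if __name__ == "__main__":
    for label, s in (("plain", PLAIN), ("obfuscated", OBFUSCATED), ("encoded", ENCODED)):
        f = extract_features(s)
        print(f"{label:11s} score={obfuscation_score(f):.3f} "
              f"special={f['special_ratio']:.2f} entropy={f['entropy']:.2f}")
```

The encoded sample shows why a single feature is not enough: a base64 blob is almost entirely alphanumeric, so its punctuation density is lower than that of clean code, and it is the structural "-Enc followed by a long token" feature that flags it.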

5. Invoke-ATTACKAPI – Invoke-ATTACKAPI is a PowerShell script that lets users interact with the MITRE ATT&CK framework through its own API. It can be used to gather data about the techniques, tactics, groups, software and references published by the MITRE ATT&CK team, and to export them for reports or coverage mapping.

6. Unfetter – Unfetter is a reference implementation from MITRE that provides a framework for collecting events from a client machine (process creation, network connections, Windows Event Logs, etc.) and running analytics from MITRE's Cyber Analytics Repository (CAR) over them to find potential adversary behavior.

7. Flare – An analytical framework for network traffic and behavioral analytics; its best-known use is detecting beaconing (periodic callbacks to the same destination) in Zeek connection logs.

8. RedHunt-OS – A virtual machine for threat hunting and adversary emulation. By combining attacker and defender tooling in one image, RedHunt aims to be a one-stop shop for threat emulation and threat hunting, so that you can run simulated attacks and check whether your environment actually detects them.

9. Oriana – A threat-hunting tool for Windows environments, built on Django and shipped Docker-ready, that collects Windows event data and highlights lateral movement and other suspicious activity.

10. Bro-Osquery – Bro-Osquery integrates the osquery endpoint agent with the Bro network security monitor (Bro has since been renamed Zeek). Hosts running osquery stream their query results to Bro, so security teams can collect host and network data in one place and correlate the two.

11. Brosquery – A module for osquery that loads Bro log files into osquery tables.

Brosquery is the complement of Bro-Osquery: instead of sending osquery data to Bro, it makes Bro's logs queryable with SQL from osquery. It is a free and open-source project developed by Jonathan Andres.

12. DeepBlueCLI – A hunt-teaming PowerShell module for Windows event logs.

DeepBlueCLI is an open-source threat-hunting tool created by Eric Conrad. It parses Windows event logs (Security, System, Application, PowerShell and Sysmon, read from a live system or from exported .evtx files) and reports suspicious activity such as password spraying and brute-force attempts, accounts created or added to privileged groups, suspicious service installations, and encoded or obfuscated PowerShell command lines.
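The failed-logon patterns mentioned under HELK above and the checks DeepBlueCLI performs are simple enough to show end to end. The following is an added example written in Python, not DeepBlueCLI's own code: it runs three detections (password spraying, brute force, and encoded PowerShell command lines) over constructed event records. The records use a simplified flat layout whose field names (EventID, TargetUserName, IpAddress, NewProcessName, CommandLine) mirror the Security log's 4625 and 4688 events; the thresholds are assumed.

```python
import base64
import binascii
import re
from collections import defaultdict


def _encode_command(cmd):
    """Build a sample the way PowerShell's -EncodedCommand expects: UTF-16LE, base64."""
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")


# Constructed sample events (not real logs), flattened to a few fields.
EVENTS = (
    # One source, six different accounts, one failure each: a spray.
    [{"EventID": 4625, "TargetUserName": f"user{i}", "IpAddress": "10.0.0.99"} for i in range(6)]
    # One account hammered six times from one source: brute force.
    + [{"EventID": 4625, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.7"} for _ in range(6)]
    # A single benign typo.
    + [{"EventID": 4625, "TargetUserName": "alice", "IpAddress": "10.0.0.5"}]
    # Process creation with an encoded PowerShell command line, and a benign one.
    + [{"EventID": 4688,
        "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand " + _encode_command("whoami")},
       {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c dir"}]
)


def detect_password_spray(events, min_users=5):
    """4625 failures from one source against many distinct accounts."""
    users_by_src = defaultdict(set)
    for e in events:
        if e.get("EventID") == 4625:
            users_by_src[e["IpAddress"]].add(e["TargetUserName"])
    return sorted((src, len(u)) for src, u in users_by_src.items() if len(u) >= min_users)


def detect_brute_force(events, min_failures=5):
    """Many 4625 failures against the same account, regardless of source."""
    failures = defaultdict(int)
    for e in events:
        if e.get("EventID") == 4625:
            failures[e["TargetUserName"]] += 1
    return sorted((user, n) for user, n in failures.items() if n >= min_failures)


# -e, -ec, -enc and -EncodedCommand all work; the value is base64 of UTF-16LE text.
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded script, None if no encoded argument, or a marker if it will not decode."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return "<undecodable: %s...>" % m.group(1)[:20]


def detect_encoded_powershell(events):
    """4688 events where PowerShell was launched with an encoded command line."""
    hits = []
    for e in events:
        if e.get("EventID") != 4688:
            continue
        if not e.get("NewProcessName", "").lower().endswith(("powershell.exe", "pwsh.exe")):
            continue
        decoded = decode_encoded_command(e.get("CommandLine", ""))
        if decoded is not None:
            hits.append(decoded)
    return hits


if __name__ == "__main__":
    print("spray:", detect_password_spray(EVENTS))
    print("brute force:", detect_brute_force(EVENTS))
    print("encoded PowerShell:", detect_encoded_powershell(EVENTS))
```

The spray and brute-force detectors look at the same 4625 events from two directions (distinct users per source versus failures per user), which is why a source that hammers one account shows up only in the second list.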

13. Uncoder – Uncoder is a free tool, with an open-source edition, that converts detection rules between the query languages of several SIEM, EDR and XDR platforms, so that a rule written once (for example as a Sigma rule) can be deployed on different back ends without rewriting it by hand.

14. CimSweep – A suite of CIM/WMI-based PowerShell tools that enable remote incident response and hunting operations across all supported Windows versions without installing an agent on the target.

15. Dispatch – An open-source crisis and incident management framework from Netflix that coordinates responders, tickets, chat channels and documents during a security incident.

16. EQL – EQL stands for Event Query Language. It is a query language for event-based time-series data such as logs and endpoint telemetry (process, file, network and registry events), originally created by Endgame and now built into Elasticsearch. Its syntax is deliberately simple and readable: a basic query looks like process where process.name == "powershell.exe", and a "sequence" query correlates several events that occur in order, joined on a field such as the process ID and bounded by a time span, which makes it well suited to describing multi-step adversary behavior.

17. EQLLib – The Event Query Language Analytics Library (eqllib) is a library of event-based analytics written in EQL to detect adversary behaviors catalogued in MITRE ATT&CK.
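The sequence semantics described above (events joined on a key, matched in order, within a maximum span) are what give EQL its value for behavioral detection. The following is an added example, not code from EQL or eqllib: a minimal Python matcher for a two-step sequence, "sequence by process.pid with maxspan=30s [process where process.name == "powershell.exe"] [network where destination.port == 443]", run over constructed ECS-style events. It keeps one candidate per join key, which is a simplification of the real engine's behavior.

```python
from datetime import datetime, timedelta

# Constructed endpoint events in ECS-style field names (not real telemetry).
EVENTS = [
    {"@timestamp": "2024-05-01T10:00:00", "event.category": "process",
     "process.pid": 4242, "process.name": "powershell.exe"},
    {"@timestamp": "2024-05-01T10:00:05", "event.category": "network",
     "process.pid": 4242, "destination.port": 443},
    {"@timestamp": "2024-05-01T10:00:07", "event.category": "process",
     "process.pid": 5151, "process.name": "chrome.exe"},
    {"@timestamp": "2024-05-01T10:00:09", "event.category": "network",
     "process.pid": 5151, "destination.port": 443},
    {"@timestamp": "2024-05-01T10:01:00", "event.category": "process",
     "process.pid": 6161, "process.name": "powershell.exe"},
    {"@timestamp": "2024-05-01T10:02:00", "event.category": "network",
     "process.pid": 6161, "destination.port": 443},   # 60 s later: outside maxspan
]

# The EQL query this mirrors, expressed as one predicate per step:
#   sequence by process.pid with maxspan=30s
#     [process where process.name == "powershell.exe"]
#     [network where destination.port == 443]
STEPS = [
    lambda e: e.get("event.category") == "process" and e.get("process.name") == "powershell.exe",
    lambda e: e.get("event.category") == "network" and e.get("destination.port") == 443,
]


def run_sequence(events, steps, by="process.pid", maxspan_seconds=30):
    """Minimal EQL-style sequence matcher: ordered steps, joined on `by`, within maxspan.

    Simplification (assumed): only one in-flight candidate per join key; a
    repeated first-step event restarts that key's candidate.
    """
    maxspan = timedelta(seconds=maxspan_seconds)
    pending = {}   # join key -> (start time, index of next step, events matched so far)
    matches = []
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        key = e.get(by)
        if key is None:
            continue                       # cannot join without the key
        ts = datetime.fromisoformat(e["@timestamp"])
        state = pending.get(key)
        if state is not None:
            start, idx, matched = state
            if ts - start > maxspan:
                del pending[key]           # candidate expired; fall through to step 0
            elif steps[idx](e):
                matched = matched + [e]
                if idx + 1 == len(steps):
                    matches.append(matched)
                    del pending[key]
                else:
                    pending[key] = (start, idx + 1, matched)
                continue
        if steps[0](e):
            if len(steps) == 1:
                matches.append([e])        # single-step query: plain filter
            else:
                pending[key] = (ts, 1, [e])
    return matches


def matched_keys(matches, by="process.pid"):
    """Join-key values of completed sequences, in order of completion."""
    return [m[0][by] for m in matches]


if __name__ == "__main__":
    for m in run_sequence(EVENTS, STEPS):
        print("match:", [(e["@timestamp"], e["event.category"]) for e in m])
```

Widening maxspan to 120 seconds makes the third process match as well, which is the usual tuning trade-off with sequence rules: a longer span catches slower tradecraft but also pairs more unrelated events.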

18. Security Onion – An open-source Linux distribution for threat hunting, security monitoring and log management. It bundles the Elastic stack, Suricata, Zeek, Wazuh and many other security tools (older releases also shipped Snort and Sguil).

19. Varna – Quick and cheap AWS CloudTrail monitoring with Event Query Language (EQL). Varna is a free and open-source project from Endgame, the creators of EQL: it runs as a serverless application that evaluates EQL rules against CloudTrail events and raises alerts on matches.

20. BinaryAlert – An open-source serverless pipeline from Airbnb that scans every file uploaded to Amazon S3 with YARA rules and alerts on matches. It can flag many kinds of malware (viruses, trojans, worms) and can also surface packed or obfuscated samples, but only to the extent that the deployed YARA rule set describes them.

21. hollows_hunter – Scans all running processes and recognizes and dumps a variety of potentially malicious implants (replaced or injected PEs, shellcode, hooks, in-memory patches); it is built on the pe-sieve scanner and dumps the findings for analysis rather than removing them.

22. ThreatHunting – A Splunk app mapped to MITRE ATT&CK to guide your threat hunts, built mainly around Sysmon data.

23. Sentinel Attack – A repository of hunting queries and Microsoft Sentinel (formerly Azure Sentinel) analytics rules built on Sysmon data and mapped to the MITRE ATT&CK framework.

24. Brim – A desktop application for quick packet capture analysis and Zeek log searches (the project has since been renamed Zui).

25. YARA – The pattern-matching Swiss Army knife for malware researchers: rules describe textual or binary patterns, and the engine matches them against files or process memory.

26. Intel Owl – An open-source intelligence (OSINT) solution for obtaining threat intelligence data about a particular file, IP address or domain through a single API at scale, by fanning one request out to many analyzers.

27. Capa – A free tool from Mandiant's FLARE team that identifies capabilities in executable files (PE, ELF, .NET and shellcode); its rules are mapped to MITRE ATT&CK techniques and Malware Behavior Catalog entries.

28. Threat Bus – A distributed publish/subscribe message broker that connects security tools through a threat-intelligence dissemination layer, so that indicators collected by one tool (for example a threat intelligence platform) are pushed automatically to others (for example a network monitor).

29. zeek2es – A free tool that converts Zeek logs into Elasticsearch or OpenSearch documents. It reads Zeek's tab-separated (TSV) logs and can also emit plain JSON instead of indexing, which is useful for feeding other pipelines.
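The conversion zeek2es performs depends on Zeek's TSV header lines (#separator, #fields, #types, #unset_field and so on), which carry the schema needed to produce typed JSON. The following is an added example, not zeek2es's own code: a small parser for that format that types each column, turns sets into lists, maps the unset marker to null, and emits newline-delimited JSON. The conn.log excerpt is constructed, and the "_path" and "@timestamp" output keys are assumed names.

```python
import json
from datetime import datetime, timezone

# Constructed conn.log excerpt (two rows, one of them with unset and set fields).
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#open\t2024-05-01-10-00-00",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\ttunnel_parents",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring"
    "\tinterval\tcount\tcount\tstring\tset[string]",
    "1714557600.123456\tCAbcd1\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp\tssl"
    "\t1.5\t512\t2048\tSF\t(empty)",
    "1714557601.5\tCAbcd2\t10.0.0.5\t51235\t10.0.0.1\t53\tudp\tdns"
    "\t-\t60\t-\tS0\tCxyz1,Cxyz2",
    "#close\t2024-05-01-10-05-00",
])


def _convert(value, ztype, set_sep, unset, empty):
    """Map one TSV cell to a JSON value according to its Zeek type."""
    if value == unset:
        return None
    if ztype.startswith(("set[", "vector[")):
        if value == empty:
            return []
        inner = ztype[ztype.index("[") + 1:-1]
        return [_convert(v, inner, set_sep, unset, empty) for v in value.split(set_sep)]
    if value == empty:
        return ""
    if ztype in ("count", "int", "port"):
        return int(value)
    if ztype in ("time", "interval", "double"):
        return float(value)
    if ztype == "bool":
        return value == "T"
    return value  # string, addr, subnet, enum stay as text


def parse_zeek_tsv(text):
    """Parse a Zeek TSV log (with its # header) into a list of typed records."""
    sep, set_sep, unset, empty = "\t", ",", "-", "(empty)"
    fields, types, path = [], [], None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The separator is written escaped, e.g. "\x09" for a tab.
                sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
                continue
            key, _, val = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = val
            elif key == "unset_field":
                unset = val
            elif key == "empty_field":
                empty = val
            elif key == "path":
                path = val
            elif key == "fields":
                fields = val.split(sep)
            elif key == "types":
                types = val.split(sep)
            continue  # #open and #close carry no schema
        cols = line.split(sep)
        if len(cols) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(cols)}: {line!r}")
        rec = {f: _convert(v, t, set_sep, unset, empty) for f, v, t in zip(fields, cols, types)}
        rec["_path"] = path                       # assumed key for the log type
        if isinstance(rec.get("ts"), float):      # assumed key for an ISO timestamp
            rec["@timestamp"] = datetime.fromtimestamp(rec["ts"], tz=timezone.utc).isoformat()
        records.append(rec)
    return records


def to_ndjson(records):
    """One JSON document per line, as a bulk indexer or file sink would take it."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


if __name__ == "__main__":
    print(to_ndjson(parse_zeek_tsv(SAMPLE_CONN_LOG)))
```

Typing matters downstream: if ports and byte counts are indexed as strings, range queries and aggregations in Elasticsearch silently misbehave, and an unset "-" indexed as text pollutes term aggregations.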

30. Zeek Analysis Tools (ZAT) – A Python package for processing and analyzing Zeek network data with Pandas, scikit-learn, Kafka and Spark; it reads Zeek logs into DataFrames so that standard data-science workflows can be applied to them.