The Threat Hunt Library

Hunt List

Hunt	ATT&CK Techniques	Platform(s)	Creation Date
TH-0001-LSASS Access from Non System Account	T1003-OS Credential Dumping	Windows	2020/06/28
TH-0002-C2 Beaconing and Exfiltration via Standard Protocols	T1071-Application Layer Protocol	Network	2020/06/28
TH-0003-Compromise via external media and devices	T1091-Replication Through Removable Media T1052-Exfiltration Over Physical Medium	Windows	2020/06/28
TH-0004-Suspicious network traffic over DNS	T1568-Dynamic Resolution T1071-Application Layer Protocol T1048-Exfiltration Over Alternative Protocol	Network	2020/06/28
TH-0005-Web Shells	T1505-Server Software Component	Network	2020/06/28
TH-0006-Autoruns Analysis	T1543-Create or Modify System Process T1053-Scheduled Task/Job T1546-Event Triggered Execution T1037-Boot or Logon Initialization Scripts T1547-Boot or Logon Autostart Execution	Windows	2020/06/28
TH-0007-File Share Discovery	T1039-Data from Network Shared Drive	Network	2020/07/04

Hunt List (by technique/sub-technique coverage)

ATT&CK Technique	ATT&CK Sub-technique(s)	Hunt
T1003-OS Credential Dumping	T1003.001-LSASS Memory	TH-0001-LSASS Access from Non System Account
T1071-Application Layer Protocol	(N/A - see below)	(N/A - see below)
...	T1071.001-Web Protocols	TH-0002-C2 Beaconing and Exfiltration via Standard Protocols
...	T1071.002-File Transfer Protocols	TH-0002-C2 Beaconing and Exfiltration via Standard Protocols
...	T1071.003-Mail Protocols	TH-0002-C2 Beaconing and Exfiltration via Standard Protocols
...	T1071.004-DNS	TH-0002-C2 Beaconing and Exfiltration via Standard Protocols TH-0004-Suspicious network traffic over DNS
T1052-Exfiltration Over Physical Medium	T1052.001-Exfiltration over USB	TH-0003-Compromise via external media and devices
T1568-Dynamic Resolution	T1568.002-Domain Generation Algorithms	TH-0004-Suspicious network traffic over DNS
T1048-Exfiltration Over Alternative Protocol	T1048.003-Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	TH-0004-Suspicious network traffic over DNS
T1505-Server Software Component	T1505.003-Web Shell	TH-0005-Web Shells
T1543-Create or Modify System Process	T1543.003-Windows Service	TH-0006-Autoruns Analysis
T1053-Scheduled Task/Job	(N/A - see below)	(N/A - see below)
...	T1053.002-At (Windows)	TH-0006-Autoruns Analysis
...	T1053.005-Scheduled Task	TH-0006-Autoruns Analysis
T1546-Event Triggered Execution	(N/A - see below)	(N/A - see below)
...	T1546.003-Windows Management Instrumentation Event Subscription	TH-0006-Autoruns Analysis
...	T1546.012-Image File Execution Options Injection	TH-0006-Autoruns Analysis
...	T1546.013-PowerShell Profile	TH-0006-Autoruns Analysis
T1037-Boot or Logon Initialization Scripts	(N/A - see below)	(N/A - see below)
...	T1037.001-Logon Script (Windows)	TH-0006-Autoruns Analysis
...	T1037.005-Startup Items	TH-0006-Autoruns Analysis
T1547-Boot or Logon Autostart Execution	T1547.001-Registry Run Keys / Startup Folder	TH-0006-Autoruns Analysis

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

index.md

index.md

The Threat Hunt Library

Hunt List

Hunt List (by technique/sub-technique coverage)

Files

index.md

Latest commit

History

index.md

File metadata and controls

The Threat Hunt Library

Hunt List

Hunt List (by technique/sub-technique coverage)