10 Free & Open-Source Threat-Hunting Tools for 2023

Heimdal Security Blog – Gabriella Antal
While traditional defense methods generally investigate threats after they have occurred, the threat-hunting strategy involves searching through networks, detecting and isolating threats, and eradicating them before traditional warning systems have even sounded the alarm.

AIEngine includes next-generation interactive/programmable NIDS (Network Intrusion Detection System) functionality, DNS domain classification, a network collector, network forensics, and many other features.

AIEngine learns without human interaction, so you can use it to detect spam, collect network traffic, and perform network forensics. This tool is an example of a situational-awareness-driven tool.

Ahmed Khlief designed APT-Hunter, a threat-hunting tool for Windows event logs that can detect suspicious activity and track APT movements. Free and open-source, APT-Hunter can identify APT movements within the system based on previously discovered APT attacks. Its quicker attack detection shortens the time it takes to react, enabling swift containment and eradication of attacks.

As a threat-hunting resource, Attacker KB provides adversaries and the hunters who track them with everything they need to comprehend exploits. This includes information disclosure, technical evaluation, results, exploitability, usability, and more.

Automater, a threat-hunting tool from TekDefense, analyzes IP addresses, URLs, and hashes to simplify intrusion analysis. Using Automater, you select a target and it gathers relevant information about it from well-known sources.

BotScout is a threat-hunting tool that prevents automated web scripts, also known as "bots", from filling out forms on websites, spamming, and registering on forums.

It does this by tracking bots' names, IP addresses, and email addresses and storing them as unique signatures for future use. You can query BotScout's signature data through an easy-to-use API to evaluate forms as they are submitted on your website.

By utilizing the VirusTotal Private API, CrowdFMS provides a framework for automating the collection and processing of samples from VirusTotal. When the framework downloads recent samples, the user's YARA notification feed is alerted. YARA IDs can also specify a particular command to run on these samples.

The Cuckoo Sandbox is an open-source tool for analyzing malware. It's free to download, but it's challenging to install due to the numerous dependencies it needs. Once you have it set up, though, it's well worth the effort.

DeepBlueCLI is an open-source tool that automatically analyzes Windows event logs, either on Windows (PowerShell version) or on Linux/Unix systems running ELK (Elasticsearch, Logstash, and Kibana) (Python version). Eric Conrad created it, and it is available on GitHub.

CyberChef is a web application developed by GCHQ, also known as the "Cyber Swiss Army Knife." Technical and non-technical analysts alike can manipulate data in complex ways with the program's help, without needing to deal with complicated tools or methods. An analyst created, designed, implemented, and incrementally refined it over several years using their 10% innovation time.

Phishing Catcher uses a YAML configuration file to assign a numeric score to strings found in a TLS certificate's common name or SAN field. This tool enables you to discover potential phishing domains by checking for suspicious TLS certificate issuances submitted to the Certificate Transparency Log (CTL).
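To illustrate the scoring approach described above, here is an added example (not Phishing Catcher's own code) that scores the names in a certificate against a keyword/TLD configuration. The configuration values, the threshold, the hyphen and subdomain-depth heuristics, and the sample certificate entries are all constructed assumptions for this illustration.

```python
from typing import Dict, List, Tuple

# Constructed configuration, mirroring the shape of a Phishing Catcher style
# YAML file (keywords with numeric scores plus suspicious TLDs). Illustrative only.
CONFIG: Dict[str, object] = {
    "keywords": {"paypal": 70, "login": 25, "secure": 20,
                 "account": 20, "verify": 25, "bank": 30},
    "tlds": {".xyz": 20, ".top": 20, ".tk": 25},
    "threshold": 90,  # assumed: names scoring at or above this are flagged
}


def score_name(name: str, config: Dict[str, object] = CONFIG) -> int:
    """Score one certificate name (CN or a SAN entry).

    Keyword hits add their configured weight, as the page describes. The TLD,
    hyphen-count and subdomain-depth heuristics are assumptions added here.
    """
    name = name.lower().lstrip("*.")  # wildcard certs: score the base name
    score = 0
    for keyword, weight in config["keywords"].items():
        if keyword in name:
            score += weight
    for tld, weight in config["tlds"].items():
        if name.endswith(tld):
            score += weight
    # Many hyphens and deep subdomain nesting are common in look-alike hosts.
    score += 3 * name.count("-")
    score += 3 * max(0, name.count(".") - 2)
    return score


def score_certificate(names: List[str],
                      config: Dict[str, object] = CONFIG) -> Tuple[str, int]:
    """Return the highest-scoring name across a certificate's CN and SAN set."""
    best = max(names, key=lambda n: score_name(n, config))
    return best, score_name(best, config)


def flagged(names: List[str], config: Dict[str, object] = CONFIG) -> bool:
    """True when the certificate's best name meets the alert threshold."""
    return score_certificate(names, config)[1] >= config["threshold"]


# Constructed CT-log style name sets (not real certificates).
SAMPLE_CERTS = [
    ["www.example.org", "example.org"],
    ["paypal-login-secure.account-verify.xyz", "*.account-verify.xyz"],
]

if __name__ == "__main__":
    for names in SAMPLE_CERTS:
        print(score_certificate(names), flagged(names))
```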
Link: https://heimdalsecurity.com/blog/10-free-open-source-threat-hunting-tools/

