
BlueSpace2021

Ekoparty's BlueSpace Keynote, November 2021. Shoutout to @plugxor, many thanks!!!

Install / Use

/learn @ch33r10/BlueSpace2021

README

BlueSpace2021 header

<p align='center'> <a href="https://twitter.com/Ch33r10"><img height="30" src="https://github.com/ch33r10/BlackHatAsia2020/blob/master/img/twitter%20blue%20logo.png"></a> <a href="https://www.linkedin.com/in/xena-olsen/"><img height="30" src="https://github.com/ch33r10/BlackHatAsia2020/blob/master/img/linkedin%20logo.png"></a> </p>
<h3 align="center">PAINT IT, BLUE Slides - <a href="https://github.com/ch33r10/BlueSpace2021/blob/main/rock/Talk_2021_Paint_it_Blue.pdf">Link</a></h3>
<p align="center">Pro Tips on transitioning from CTI to Hunt</p>
<hr>
<p><h1 align="center">🎸<b>RESEARCH</b></h1></p>
<p></p>
<h3 align="left">🥁<b>GOAL = ASK BETTER QUESTIONS</b></h3>

SOCIAL MEDIA & MORE|SANS|WORKSHOPS / TALKS|DISCORDS / SLACKS
---|---|---|---
#HuntingTipOfTheDay, Follow Threat Hunting Accounts EVERYWHERE - <a href="https://twitter.com/i/lists/1445402146434867206">Link</a>|Reading Room - <a href="https://www.sans.org/white-papers/">Link</a>, Webcasts - <a href="https://www.sans.org/webcasts/">Link</a> & Threat Hunting Summit|Prioritize Threat Hunting Talks/Workshops & take a look at YouTube|Join Slack/Discord related to infosec (BlueSpace has a Discord Channel - <a href="invite.gg/bluespace">Link</a>)

<p></p>
<h3 align="left">📝<b>CH33R10'S TALK NOTES EXAMPLE</b></h3>
<sub>I have a folder where I create a document for each conference. I list the name of the talk or workshop and while watching I will take screenshots, if it is allowed, of the slides and make notes that I can reference later. Any words in the slides that I want to make sure are searchable, I will type as keywords below the slides. I grab whatever links the speaker(s) share that I can. I make sure to highlight my personal takeaways or takeaways that I feel could be valuable for someone else. I make a point to include things I am curious about regardless of how weird/off-the-wall/impractical my questions/thoughts may be.</sub>
<p></p>
TEXAS CYBER SUMMIT 2021
<ul>
  <li>Becoming a Threat Hunter: This Is One Way by Jason Wood - <a href="https://youtu.be/na1PBrWvJjY">Link</a>
    <ul>
      <li><b>LINKS</b>
        <ul>
          <li>Crowdstrike Global Threat Report 2021 - <a href="https://www.crowdstrike.com/resources/reports/global-threat-report/">Link</a></li>
          <li>Crowdstrike Threat Hunting Report 2021 - <a href="https://www.crowdstrike.com/resources/reports/threat-hunting-report-2021/">Link</a></li>
          <li>Detection Lab by Chris Long - <a href="https://github.com/clong/DetectionLab">Link</a></li>
        </ul>
      </li>
      <li><b>TALK TAKEAWAYS</b>
        <p></p>
        <sub>I took a screenshot of Jason Wood's slide for my personal notes and retyped it below. These are his words on the slide that I duplicated. All credit for the words on the slide goes to Jason Wood. This duplication is for educational purposes.</sub>
        <p></p>
        <ul>
          <li>Document your Practice
            <ul>
              <li>Record videos and publish them</li>
              <li>Write up your learning experience</li>
              <li>Give a conference presentation</li>
              <li>Document how you hunt at work
                <ul>
                  <li>Don't publish external. Keep it inside your employer</li>
                </ul>
              </li>
              <li>Benefits of documenting
                <ul>
                  <li>Helps you talk about it in interviews</li>
                  <li>Can talk about how you've applied it at work</li>
                </ul>
              </li>
            </ul>
          </li>
        </ul>
      </li>
      <li><b>Ch33r10's RANDOM THOUGHTS & QUESTIONS</b>
        <ul>
          <li>I wonder if it is possible to use Chris Long's Detection Lab with the tools shared in the Busting the Ghost in the Logs talk by Randy Pargman & Jean-Francois Maes during Texas Cyber Summit 2021 - <a href="https://youtu.be/bTU5xTIXoI4">Link</a></li>
          <li>I wonder how Chris Long's Detection Lab compares with Splunk's Attack Range</li>
          <li>I wonder how I can take my threat hunting practice to the next level and make my practice more organization relevant, such as tooling, telemetry, honeypots? etc
            <ul>
              <li>I wonder if it is possible to obtain a researcher/academic license for [your organization's EDR solution/a popular EDR solution] and build a custom tailored threat hunting lab</li>
            </ul>
          </li>
          <li>For organizations that do not use Sysmon/Windows Events, how can I build threat hunting experience?</li>
          <li>ETC</li>
        </ul>
      </li>
    </ul>
  </li>
</ul>
<p></p>
<p><h1 align="center">🎤<b>PRACTICE</b></h1></p>
<p></p>
<h3 align="left">🎵<b>GOAL = PREPARATION</b></h3>

TRAININGS / HANDS-ON|GIVE A TALK|HUNT HYPOTHESIS DEV|WORK PROJECTS
---|---|---|---
Boss of the SOC (BOTS) - <a href="https://live.splunk.com/splunk-security-dataset-project">BOTS v1</a>, <a href="https://events.splunk.com/BOTS_2_0_datasets">BOTS v2</a>, <a href="https://www.splunk.com/en_us/blog/security/botsv3-dataset-released.html">BOTS v3</a>, ATTACK Range - <a href="https://github.com/splunk/attack_range">Link</a>, SPLUNK <a href="https://conf.splunk.com/">.conf</a> Talks, SPLUNK <a href="https://www.splunk.com/en_us/about-us/events.html">Workshops</a>|Talk about something HUNT adjacent|Read Threat Reports & Think about how YOU would HUNT it, Understand the Technical Attack Chain|Volunteer to work SOC tickets, Volunteer to prep CTI reports for HUNT/PURPLE

<p></p>
<h3 align="left">⚔️<b>CH33R10'S HUNT HYPOTHESIS DEV</b></h3>
<ol>
  <li><b>WHAT WOULD THIS BADNESS LOOK LIKE?</b></li>
  <li><b>WHERE WOULD I FIND IT?</b></li>
  <li><b>HOW DO I DO THE NEEDFUL?</b> (What's that search gonna look like?)</li>
</ol>
<p></p>
<p><h1 align="center">📻<b>APPLY</b></h1></p>
<h3 align="left">🎹<b>GOAL = APPLICATION</b></h3>

MITRE ATT&CK TECHNIQUES|CISA / PUBLIC THREAT REPORTS|INFOSEC CURRENT EVENTS
---|---|---
Pick a few and be able to explain them in DETAIL - <a href="https://attack.mitre.org/">MITRE ATT&CK</a>|Develop Hunt Hypotheses with a minimum of 1 hour of content to discuss|Develop hunt scenarios & understand the technical attack chain

<p></p>
<h3 align="left">🔗<b>CH33R10'S THREAT HUNTING CYCLE</b></h3>
<ol>
  <li><b>RESEARCH</b> - Hypothesis generation and understanding the technical details.</li>
  <li><b>ANALYSIS</b> - Collect the necessary data, create searches, run the searches, and analyze the results.</li>
  <li><b>CONCLUSIONS</b> - Findings, mitigations, documentation, lessons learned.</li>
  <li><b>DETECTIONS</b> - Automate the Hunts you can.</li>
  <li><b>RINSE & REPEAT</b></li>
</ol>
<p></p>
<h3 align="left">🗡️<b>CH33R10'S THREAT HUNTING TIPS</b></h3>
<ol>
  <li><b>THREAT HUNT TYPE</b>
    <ul>
      <li><b>STRUCTURED:</b> Known TTPs, IOCs, Artifacts</li>
      <li><b>UNSTRUCTURED:</b> Unknown</li>
    </ul>
  </li>
  <li><b>INTERNAL vs. EXTERNAL</b>
    <ul>
      <li>Example: Cobalt Strike Beacon Hunting in Network vs. ITW (In the Wild)</li>
    </ul>
  </li>
</ol>
<p></p>
<p><h1 align="center">📚<b>LEARNING RESOURCES</b></h1></p>
<p>😎<b>CHEATSHEETS</b></p>
<ul>
  <li>Malware Archaeology Cheatsheets - Windows - <a href="https://www.malwarearchaeology.com/cheat-sheets">Link 1</a>, <a href="https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/5d5588b51fd81f0001471db4/1565886646582/Windows+Sysmon+Logging+Cheat+Sheet_Aug_2019.pdf">Link 2</a>, Backup copy of Link 2 - <a href="https://github.com/ch33r10/BlueSpace2021/blob/main/rock/Windows%2BSysmon%2BLogging%2BCheat%2BSheet_Aug_2019.pdf">Link 3</a></li>
  <li>Olaf Hartong. Sysmon Cheatsheet - <a href="https://github.com/olafhartong/sysmon-cheatsheet/blob/master/Sysmon-Cheatsheet-dark.pdf">Link</a></li>
  <li>SANS Hunt Evil Poster - <a href="https://www.sans.org/posters/hunt-evil/">Link</a></li>
  <li>SANS Intrusion Discovery for Windows Cheatsheet - <a href="https://www.sans.org/posters/intrusion-discovery-cheat-sheet-for-windows/">Link</a></li>
</ul>
<p></p>
<p>🌎<b>DETECTIONS/HUNTS</b></p>
<ul>
  <li>BlueTeamLabs - Azure Sentinel Hunting Resource - <a href="https://github.com/BlueTeamLabs/sentinel-attack/tree/master/detections">Link</a></li>
  <li>David J. Bianco. Threat Hunting Project - Threat Hunts - <a href="https://github.com/ThreatHuntingProject/ThreatHunting/tree/master/hunts">Link</a></li>
  <li>Detection Ideas Repo by Vadim Khrykov @BlackMatter23 - <a href="https://github.com/vadim-hunter/Detection-Ideas-Rules/">Link</a></li>
  <li>Hurricane Labs - Threat Hunting with Splunk: Part 2, Process Creation Log Analysis - <a href="https://hurricanelabs.com/splunk-tutorials/threat-hunting-with-splunk-part-2-process-creation-log-analysis/">Link</a></li>
  <li>Roberto Rodriguez. ThreatHunter Playbook - <a href="https://github.com/OTRF/ThreatHunter-Playbook">Link</a></li>
  <li>Sigma Rules - <a href="https://github.com/SigmaHQ/sigma">Link</a></li>
  <li>Splunk - Advanced Threat Detection and Response - <a href="https://www.splunk.com/pdfs/technical-briefs/advanced-threat-detection-and-response-tech-brief.pdf">Link</a></li>
  <li>YARA Rules Resource - <a href="https://github.com/InQuest/awesome-yara">Link</a></li>
</ul>
<p></p>
<p>🏹<b>GENERAL INFO</b></p>
<ul>
  <li>BLOG: BC Security Offensive Security Tools - <a href="https://www.bc-security.org/post/category/offensive-security-tools/">Link</a></li>
  <li>BLOG: Red Canary - <a href="https://redcanary.com/blog/">Link</a></li>
  <li>BLOG: SCYTHE Threat Thursday - <a href="https://www.scythe.io/library/threat-thursday-evading-defenses-with-iso-files-like-nobelium">Link</a></li>
  <li>BLOG: SpecterOps - <a href="https://posts.specterops.io/">Link</a></li>
  <li>Ch33r10's PURPLE TEAM EXERCISE IDEA QUEUE W/ THREAT HUNTING SUGGESTIONS - <a href="https://docs.google.com/spreadsheets/d/1wHRrqwb1chTWP8kQqJjA2Chl7bUtCxRlobiyT3V2thE/edit?usp=sharing">Link</a></li>
  <li>Ch33r10's Twitt</li>
</ul>


Security Score

80/100

Audited on Sep 23, 2024

No findings