A comprehensive defensive security knowledge base β detection, forensics, threat hunting, and incident response.
A curated encyclopedia of blue team tradecraft covering the full defensive lifecycle: Detect β Investigate β Respond β Hunt. Spanning Digital Forensics (DFIR), SIEM detection engineering, threat hunting, malware analysis, and incident response, with practical playbooks, SIEM queries, and tool references.
π‘ Purple Team Note: This repo is the defensive counterpart to offensive techniques β many sections map directly to real-world attacks, making it ideal for detection engineering and purple team exercises.
- Building detections? Head to
Methodology/SIEM Search Queries(Splunk & Elastic) andThreat Hunting(Sigma, YARA, Sysmon). - Running an investigation? Start with
Methodology/Digital Forensicsfor OS-specific artifact guides. - Responding to an incident? See
Incident Responsefor lifecycle, frameworks, and playbooks. - Learning the fundamentals? Begin with
Cyber Security FrameworksandTheory. - Analyzing AD attacks?
Methodology/Active Directory/Attack Scenarioscovers detection for common AD attacks.
| Section | What's Inside |
|---|---|
| π§± Frameworks | Kill chains, MITRE ATT&CK, Diamond Model, Pyramid of Pain |
| π΅οΈ Threat Intelligence | CTI methodology, IOC & file analysis |
| π¬ Digital Forensics | DFIR theory + per-platform artifact extraction |
| π¨ Incident Response | Lifecycle, frameworks, and playbooks |
| π¦ Malware Analysis | Analysis stages and Windows API behavior |
| πΊοΈ Methodology | The core detection & investigation playbooks |
| π― Threat Hunting | Sigma, YARA, Sysmon, detection indicators |
| π Theory | SIEM concepts, threat modelling, rootkits |
| π οΈ Tools | Forensics, SIEM, and detection tooling |
Foundational models that underpin defensive operations:
CTI fundamentals and analysis methodology:
- Definition & concepts
- Methodology: File Analysis Β· IP & Domain Analysis
In-depth DFIR reference material covering theory and platform-specific artifacts.
π See also the deeper, OS-by-OS breakdowns under
Methodology/Digital Forensics.
The operational core of the repo β detailed, hands-on playbooks for detection and investigation.
Monitoring, baselining, and attack detection:
- AD Visibility Β· Authentication Events Β· Logon Events Β· Kerberos
- Attack Scenarios β detecting Kerberoasting, DCSync, AS-REP Roasting, LSASS dumping, NTDS extraction, lateral movement, ransomware, and more
Comprehensive per-platform forensic methodology:
- Windows Β· Linux Β· MacOS Β· Mobile
- Memory β acquisition + Windows/Linux analysis
- File System β NTFS, FAT, EXT, MBR, GPT
- Browsers Β· Microsoft Office (OneDrive, Outlook, Teams)
- Tools β Volatility, KAPE, FTK Imager, Osquery
- Windows: Sysmon playbooks (malware persistence, phishing, USB attacks) Β· Event Viewer playbooks
- Linux: Auditd & log types
- Firewall Β· IDS Β· VPN Β· Web Servers
Ready-to-use detection queries:
- Splunk β C2, credential dumping, lateral movement, persistence, ransomware, DNS tunneling, and an experimental queries lab
- Elastic β command execution, account activity, web app detections
- Wireshark β ARP/DNS spoofing, tunneling, exfiltration, Kerberos, SSL stripping
- Tshark β CLI usage & use cases
Cloud detection & investigation:
- AWS β CloudTrail, GuardDuty, IAM/EC2/S3/Lambda investigations
- Azure β Entra ID, Sentinel, Defender XDR, M365, KQL queries
- Containers β Falco runtime detection
- Artificial Intelligence β LLM hardening, RAG systems, supply chain
- Investigations β Linux triage + YARA threat hunting
Proactive detection tradecraft:
- Core Windows Processes Β· Detection Indicators Β· Windows Event IDs
- Sigma Β· YARA Β· Sysmon Β· Event Viewer
- SIEM Β· SIEM Alerts Β· Threat Modelling Β· Rootkits
Usage references for the defensive toolkit:
- Forensic Tools β Volatility Framework, Binwalk
- SIEM / Splunk β adding data, navigation, apps, queries
- Palo Alto Networks β Data Lake
Contributions, corrections, and additions are welcome! Feel free to open an issue or submit a pull request.
See LICENSE.md for details.
β If you find this useful, consider starring the repo! β
Built and maintained by H3llKa1ser
For educational and defensive security purposes.