ThreatHunter-Playbook is an open-source project for sharing detection logic and adversary tradecraft. It helps security teams develop and refine threat detection strategies. The playbook integrates with Python-based security tools and workflows, enhancing threat hunting campaigns and hypothesis testing.
git clone https://github.com/OTRF/ThreatHunter-Playbook.git
https://threathunterplaybook.com/
1. **Identify the Threat Type**: Clearly define the type of threat you are dealing with (e.g., ransomware, phishing, DDoS).
2. **Gather Indicators**: Collect relevant indicators of compromise (IOCs) such as file hashes, IP addresses, or command line arguments.
3. **Choose the Security Tool**: Ensure the tool you are using is compatible with ThreatHunter-Playbook (e.g., SIEM, EDR).
4. **Generate the Rule**: Use the prompt template to generate a detection rule tailored to your specific threat and tool.
5. **Implement and Test**: Deploy the rule in your security tool and test it with simulated or real-world data to ensure it works as expected.
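The five steps above, carried through end to end as an added example (this is not ThreatHunter-Playbook's own code; the IOC set, host names and digests are constructed for illustration): step 4 turns the gathered indicators into a STIX 2.1 pattern, and step 5 runs the same logic over a handful of Sysmon-style process-creation events of the kind found in pre-recorded datasets. The benign PowerShell script that trips the encrypt term is the reason to test before deploying: substring indicators need tuning or an allow-list.

```python
"""Added example (not ThreatHunter-Playbook code): build a STIX 2.1 pattern
from a small IOC set, then test the same logic on constructed Sysmon events."""
import json
import re
from dataclasses import dataclass, field

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


@dataclass
class Iocs:
    """Step 2 output: file hashes and command-line fragments to hunt for."""
    md5_hashes: list[str] = field(default_factory=list)
    cmdline_substrings: list[str] = field(default_factory=list)


def _stix_str(value: str) -> str:
    """Quote a value as a STIX pattern string literal (escape \\ and ')."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def build_pattern(iocs: Iocs) -> str:
    """Step 4: one observation expression per IOC class, OR-ed so either
    class of evidence fires (AND would require both a hash and a cmdline hit)."""
    hash_terms = [
        f"file:hashes.MD5 = {_stix_str(h.lower())}"
        for h in iocs.md5_hashes
        if MD5_RE.match(h)  # stix2 rejects malformed hash literals
    ]
    cmd_terms = [
        f"process:command_line LIKE {_stix_str('%' + s + '%')}"
        for s in iocs.cmdline_substrings
    ]
    expressions = []
    if hash_terms:
        expressions.append("[" + " OR ".join(hash_terms) + "]")
    if cmd_terms:
        expressions.append("[" + " OR ".join(cmd_terms) + "]")
    return " OR ".join(expressions)


def parse_sysmon_hashes(hashes: str) -> dict[str, str]:
    """Split Sysmon's 'SHA1=..,MD5=..,SHA256=..' field into {ALGO: digest}."""
    out = {}
    for part in hashes.split(","):
        algo, _, digest = part.partition("=")
        if algo and digest:
            out[algo.strip().upper()] = digest.strip().lower()
    return out


def match_event(event: dict, iocs: Iocs) -> list[str]:
    """Evaluate the rule's logic on one event and return why it matched.
    Matching is case-insensitive here (STIX LIKE itself is case-sensitive)
    because Windows command lines are case-insensitive in practice."""
    reasons = []
    md5 = parse_sysmon_hashes(event.get("Hashes", "")).get("MD5")
    if md5 and md5 in {h.lower() for h in iocs.md5_hashes}:
        reasons.append(f"MD5 {md5} is a known indicator")
    cmdline = event.get("CommandLine", "").lower()
    for needle in iocs.cmdline_substrings:
        if needle.lower() in cmdline:
            reasons.append(f"command line contains '{needle}'")
    return reasons


def hunt(jsonl: str, iocs: Iocs) -> list[dict]:
    """Step 5: run the rule over JSON-lines events and collect the hits."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("EventID") != 1:  # process creation only
            continue
        reasons = match_event(event, iocs)
        if reasons:
            hits.append({"host": event["Hostname"], "image": event["Image"],
                         "reasons": reasons})
    return hits


# Constructed sample events (Sysmon EventID 1 field names; every value below
# is invented for this example, including the placeholder digests).
KNOWN_MD5 = "a" * 31 + "1"
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "Hostname": "WKSTN01", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt", "Hashes": "MD5=" + "f" * 32},
    {"EventID": 1, "Hostname": "WKSTN02", "Image": r"C:\Users\Public\locker.exe",
     "CommandLine": "locker.exe --encrypt --all-drives",
     "Hashes": "SHA1=" + "b" * 40 + ",MD5=" + KNOWN_MD5},
    # Benign admin script: a false positive for the '%encrypt%' term
    {"EventID": 1, "Hostname": "SRV01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\Rotate-EncryptionKeys.ps1", "Hashes": "MD5=" + "e" * 32},
    # Known hash under an innocuous name and command line: only the hash term fires
    {"EventID": 1, "Hostname": "WKSTN03", "Image": r"C:\Users\Public\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "Hashes": "MD5=" + KNOWN_MD5.upper()},
    # Network event: outside the rule's scope and skipped
    {"EventID": 3, "Hostname": "WKSTN02", "Image": r"C:\Users\Public\locker.exe", "DestinationIp": "10.0.0.5"},
])
IOCS = Iocs(md5_hashes=[KNOWN_MD5], cmdline_substrings=["encrypt"])

if __name__ == "__main__":
    print(build_pattern(IOCS))
    for hit in hunt(SAMPLE_EVENTS, IOCS):
        print(hit)
```

Three of the five events fire: the locker binary on both terms, the renamed binary on the hash alone, and the key-rotation script on the command-line term alone. That last hit is the tuning signal the "Implement and Test" step exists to surface; the pattern string is what you hand to a STIX-aware platform, while the matcher is the logic you translate into your SIEM's query language.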
Document and share threat hunting methodologies to improve team collaboration.
Create structured hunt blueprints using Agent Skills for consistent execution.
Utilize pre-recorded security datasets for validation and experimentation in threat hunting.
Integrate AI to enhance decision-making processes during threat hunts.
git clone https://github.com/OTRF/ThreatHunter-Playbook
Copy the install command above and run it in your terminal.
Launch Claude Code, Cursor, or your preferred AI coding agent.
Use the prompt template or examples below to test the skill.
Adapt the skill to your specific use case and workflow.
Generate a ThreatHunter-Playbook detection rule for [THREAT_TYPE] based on the following indicators: [INDICATORS]. Ensure the rule is compatible with [SECURITY_TOOL] and includes specific actions for [TEAM_NAME] to investigate and remediate.
Based on the provided indicators of a potential ransomware attack, here is a detection rule expressed as a STIX 2.1 Indicator, built with the stix2 library, that can be imported into a threat intelligence platform such as OpenCTI and fed to your SIEM:
```python
from stix2 import TLP_WHITE
from stix2.v21 import ExternalReference, Indicator, KillChainPhase

# The MD5 value was not present in the original; substitute the hash from your
# indicators. stix2 validates the pattern and rejects a value that is not
# 32 hex characters, so the script fails until this is replaced.
MD5_HASH = '<md5-from-indicators>'

# STIX patterning has no ILIKE operator; LIKE is the (case-sensitive) wildcard
# match. Two observation expressions joined by AND: a hash hit and a command
# line hit are both required for the indicator to fire.
PATTERN = (
    f"[file:hashes.MD5 = '{MD5_HASH}'] "
    "AND [process:command_line LIKE '%encrypt%']"
)

# Define the indicator. stix2 generates the id ('indicator--<uuid4>'); a
# hand-written id such as 'example:indicator-01' is rejected.
indicator = Indicator(
    name='Detects ransomware activity',
    description='Detects ransomware activity based on file hashes and command line arguments',
    pattern=PATTERN,
    pattern_type='stix',
    pattern_version='2.1',
    valid_from='2023-10-01T00:00:00Z',
    valid_until='2024-10-01T00:00:00Z',
    labels=['malicious-activity'],
    confidence=75,
    # ATT&CK T1486 (Data Encrypted for Impact), carried in standard STIX fields
    kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-attack', phase_name='impact')],
    external_references=[ExternalReference(
        source_name='mitre-attack',
        external_id='T1486',
        url='https://attack.mitre.org/techniques/T1486/',
    )],
    object_marking_refs=[TLP_WHITE],
    # OpenCTI-specific custom property: needs allow_custom=True and is ignored
    # by consumers that do not understand it
    x_opencti_score=75,
    allow_custom=True,
)

# Save the indicator to a file
with open('indicator.json', 'w') as f:
    f.write(indicator.serialize(pretty=True))
```
**Actions for the Security Team:**
1. **Investigate**: Search process-creation and file events on the affected systems for the hash and for command lines matching the pattern, and review every hit on the encrypt term, since legitimate administrative tools can contain that string.
2. **Contain**: Isolate the affected systems from the network to prevent further spread.
3. **Remediate**: Remove the malicious files and restore from a clean backup that predates the activity and was not reachable from the compromised hosts.
4. **Report**: Document the incident and update the threat intelligence platform with the new indicator.