Skip to content

noonker/hunting-mode

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

29 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Hunting-Mode

🚨🚨🚨 THIS IS A WIP 🚨🚨🚨

If what you’re looking at here looks interesting to you hit me up here or at @[email protected]

Overview

The problem with working with DFIR/Infrastructure Analysis/Threat hunting types of workflows is the different ways of visualizing the data and the need for both structured data but also not-cumbersome workflows. In all things there’s a give and take.

So ideally I want:

  • Freeform notes that have an understanding of IoCs
  • The IoCs should be automatically enriched with configured datasets (is this IoC in VT? If so show some glyph next to it to let me know)
  • A way to pull in external APIs intelligence into my notes and maintain that linkage
  • Automatically maintain the time metadata of an IoC (first seen, last seen, update dates, and changes)
  • Maintain seperate investigations but be able to link the IoCs between investigations
  • Exportable in sharable formats (csv, stix/taxii)
  • Exportable in a roughly human readable form
  • Be able to visualize the IoCs as both a series of relationships between nodes and a timeseries graph and be able to filter on the graph

Using org-roam with some enhanced features focused on IoCs and Pivoting will give me a lot of this.

Installation

(use-package hunting-mode
  :straight (:host github
		   :repo "noonker/hunting-mode")
  :ensure t
  :init
  (add-hook 'org-mode-hook 'hunting-mode)
  (setq hunting-api-key-misp "YOUR_KEY")
  (setq hunting-api-url-misp "YOUR_ENDPOINT")
  (setq hunting-api-key-robtex "YOUR_KEY")
  (setq hunting-api-key-circl-pdns "YOUR_KEY")

;; Add some callback hooks :)
  (add-to-list ' hunting-glyph-hooks
		 `(,hunting-ipv4-regex-wrapped hunting-misp-ioc-in-misp-p "💢" "💤")
		 `(,hunting-md5-regex-wrapped hunting-project-hash-contains-p "" "")
		 `(,hunting-sha1-regex-wrapped hunting-project-hash-contains-p "" "")
		 `(,hunting-sha256-regex-wrapped hunting-project-hash-contains-p "" "")
		 )
  )

Recommended Additional (Rad) Libraries

About

Emacs mode for Threat Hunting and RE

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages