Vulnerability scanners @GitHub

Windows vulnerability scanner
MacOS vulnerability scanner
Linux vulnerability scanner
Android vulnerability scanner
iOS vulnerability scanner

Tools @Testlab

Endpoint Detection and Response tools
Threat hunting tools

macOS EDR techniques

Introduction
- What?
- Why?
- How?
Process monitoring
Memory protection
Behavioural detection
Network hardening

Linux EDR techniques

Introduction
- What?
- Why?
- How?
Kernel-level monitoring
Filesystem integrity
Container security
Threat Hunting with Open Source

Windows EDR techniques

Introduction
- What?
- Why?
- How?
Process & behaviour monitoring
- Kernel Callbacks
- User-Mode hooking
Memory protection
- Credential Guard
- Arbitrary Code Guard (ACG)
Attack Surface Reduction (ASR)
- ASR rules
- WDAC (Windows Defender Application Control)
Network threat detection
- SMB/NetBIOS auditing
- RDP/Suspicious Port Monitoring
Persistence and logging
- WMI Subscription Monitoring
- Windows Event Forwarding (WEF)
Response techniques

EDR shell scripts @GitHub

Windows EDR powershell script
MacOS EDR shell script
Linux EDR shell script

Windows core

Introduction
- What?
- Why?
- How?
smss.exe
- Normal
- Unusual
- Resources
csrss.exe
- Normal
- Unusual
- Resources
wininit.exe
- Normal
- Unusual
services.exe
- Normal
- Unusual
- Resources
svchost.exe
- Normal
- Unusual
- Resources
lsass.exe
- Normal
- Unusual
- Resources
winlogon.exe
- Normal
- Unusual
- Resources
explorer.exe
- Normal
- Unusual

Windows sysinternals

Introduction
- What?
- Why?
- How?
File and disk utilities
- Sigcheck
- Streams
  - Question
- SDelete
Networking utilities
- TCPView
  - Question
Process utilities
Security utilities
- Sysmon
System information
- WinObj
Miscellaneous
- BgInfo
- RegJump
- Strings
  - Question

Windows event logs

Introduction
- What?
- Why?
- How?
Event logs
XPath queries
- Resources
Scenarios

Sysmon

Introduction
- What?
- Why?
- How?
Event IDs
Cutting out the noise
Hunting metasploit
Detecting mimikatz
Hunting malware
Hunting persistence
Detecting evasion techniques
Practical investigations

Osquery basics

Introduction
- What?
- Why?
- How?
Osquery shell
Schema documentation
- Resources
Creating queries

Endpoint detection and response (EDR)

Ty Myrddin Home
Unseen University
Improbability Blog
About
Contact

Container security

Runtime container monitoring:

docker exec <container> ps aux
sudo sysdig -c spy_users

Previous Next

Unseen University, 2025, with a forest garden fostered by /ut7.