AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


| Author | Source | Title | Tags | Year |
|---|---|---|---|---|
| Adrian Colyer | Adrian Colyer | When CSI meets public wifi: Inferring your mobile phone password via wifi signals | Hunt, Mobile, WiFi, Password | 2016 |
| Amir.H Shahin | Amir.H Shahin | Mobile Application Penetration Testing Cheat Sheet | Hunt, CheatSheet | 2015 |
| Andrei Miroshnikov | Microsoft | Windows 10 and Windows Server 2016 Security Auditing and Monitoring Reference | Hunt, Windows Event Logs Win10/Server2016 | 2016 |
| Ankit Anubhav | FireEye | The Journey of Behavioral Evasion | Threat Intel | 2016 |
| Anthony Russ | SANS | Detecting Security Incidents Using Windows Event Logs | Hunt, Windows Event Logs | 2013 |
| Anton Chuvakin | Gartner | On Comparing Threat Intelligence Feeds | Threat Intel | 2014 |
| Anubis Labs | Anubis Labs | Malware Analysis Sample Report | Report Writing | 2014 |
| Anuj Soni | SANS | Closing the Door on Web Shells | Hunt, Web Shells | 2014 |
| Balaji N. | GBHackers | How to Build and Run a SOC | CERT, CSIRT, SOC | 2017 |
| Basil Alawi S.Taher | SANS | Windows Events log for IR/Forensics, Part 1 | Hunt | 2016 |
| Basil Alawi S.Taher | SANS ISC | NetWitness Tutorial | NetWitness, Tutorial | 2014 |
| Benjamin | Benjamin | 99 Best Intelligence Resources | Threat Intel, Links | 2017 |
| Brad Garnett | SANS | Intro to Report Writing for Digital Forensics Part 1 | Report Writing | 2010 |
| Brad Garnett | SANS | Intro to Report Writing for Digital Forensics Part 2 | Report Writing | 2013 |
| Brian Baskin | Brian Baskin | Malware Analysis | Malware Analysis | 2013 |
| Brian Girardi | NetWitness | NetWitness Tutorial | NetWitness, Tutorial | 2010 |
| Chris Bing | CyberScoop | Hackable Hospital Washing Machine | IoT | 2017 |
| Claus Cramon Houmann | PeerLyst | How To Build And Run A SOC for Incident Response | Threat Intel | 2016 |
| CrowdStrike | CrowdStrike | CrowdStrike Putter Panda Report | Report Writing | 2014 |
| CrowdStrike | CrowdStrike | CrowdStrike Deep Panda Report | Report Writing | 2012 |
| Dallas Haselhorst | SANS | Uncovering IoCs Using PowerShell, Event Logs and a Traditional Monitoring Tools | Hunt, TTPs, Windows Event Logs, PowerShell | 2015 |
| David Bianco | David Bianco | A Simple Hunting Maturity Model | Hunt | 2015 |
| David Bianco | David Bianco | Hunting for Malware Critical Process Impersonation | Hunt | 2016 |
| David Bianco | David Bianco | Cyber Hunting: 5 Tips To Bag Your Prey | Hunt | 2015 |
| David Bianco | David Bianco | The ThreatHunting Project | Hunt | 2017 |
| David Bianco | David Bianco | The ThreatHunting Project (GitHub) | Hunt | |
| enigma0x3 | enigma0x3 | Lateral Movement Using MMC20 Part 1 | Lateral Movement | 2017 |
| enigma0x3 | enigma0x3 | Lateral Movement Using MMC20 Part 2 | Lateral Movement | 2017 |
| fl0x2208 | That Security | Threat Hunting and Pyramid of Pain | Hunt | 2016 |
| Fred House, Claudiu Teodorescu, Andrew Davis | FireEye | Shim Shady: Live Investigations of the Application Compatibility Cache | Hunt | 2015 |
| Gerard Laygui | Gerard Laygui | Forensic Artifacts From A Pass The Hash (PtH) Attack | Hunt, Pass The Hash | 2015 |
| Gregory Weber | Toffler Associates | Are You Certain You're Prepared for Unpredictable Threat? | Threat Intel | 2016 |
| gwern | gwern | BlackMarket Risks | Hunt, Threat Intel | 2016 |
| Harmj0y (Will) | Harmj0y (Will) | PowerSCCM | Hunt, SCCM | 2016 |
| Harmj0y (Will) | Harmj0y (Will) | PowerSploit Cheatsheet | Hunt, PowerSploit | 2015 |
| Hossein Rouhani Zeidanloo, Azizah Bt Abdul Manaf | (IJCSIS) International Journal of Computer Science and Information Security | Botnet Detection by Monitoring Similar Communication Patterns | Threat Intel | 2010 |
| Ian Barton, boingomw | Ian Barton, boingomw | Deloitte Feed Links Hunt | Hunt | 2016 |
| Jack Crook | Jack Crook | Hunting Lateral Movement | Hunt, Lateral Movement | 2016 |
| Jack Crook | Jack Crook | The Hunting Cycle and Measuring Success | Hunt, Metrics | 2016 |
| Jack Crook | Jack Crook | My Thoughts on Threat Hunting | Hunt | 2016 |
| Jack Crook | Jack Crook | Categories of Abnormal | Hunt, TTPs | 2016 |
| Jack Crook | Jack Crook | What Does Hunting Look Like? | Hunt | 2017 |
| Jake Williams | SANS | Report Writing Part 1 | Report Writing | 2013 |
| Jake Williams | SANS | Report Writing Part 2 | Report Writing | 2013 |
| Jake Williams | SANS | Report Writing Part 3 | Report Writing | 2013 |
| Jeff John Roberts | Fortune | What Companies Get Wrong About Machine Learning | Hunt, Threat Intel | 2016 |
| Jeremiah Grossman | Jeremiah Grossman | Jeremiah Grossman Slide Presentations | | Various |
| Jeremy Leighton John | Digital Preservation Coalition | Digital Forensics and Preservation | Report Writing | 2012 |
| Josh Liburdi | Josh Liburdi | Hunting for PowerShell Using HeatMaps | Hunt, PowerShell | 2017 |
| JPCERT | JPCERT | LogonTracer Tool | Tool, Windows Event Logs | 2017 |
| JPCERT-CC | JPCERT-CC | Detecting Lateral Movement through Tracking Event Logs | Hunt, Lateral Movement | 2017 |
| Julio Cesarfort | Julio Cesarfort | Public PenTesting Report Repository | Report Writing | 2016 |
| Ken Thompson | ACM | Reflections on Trusting Trust | Trust, Attribution | 1984 |
| Koen Van Impe | Network World | Comparing Different Tools for Threat Sharing | Threat Intel | 2015 |
| Kurt Thomas, Rony Amira, Adi Ben-Yoash, Ori Folger, Amir Hardon, Ari Berger, Elie Bursztein, Michael Bailey | Google, Inc. | The Abuse Sharing Economy: Understanding the Limits of Threat Exchanges | Threat Intel | 2015 |
| Levi Gundert | RecordedFuture | Shell No! (Part 1) Adversary Web Shell Trends and Mitigations | Hunt | 2016 |
| Levi Gundert | RecordedFuture | Shell No! (Part 2) Introducing Cknife, China Chopper's Sibling | Hunt | 2016 |
| Luis Rocha | Luis Rocha | CountUponSecurity SOC Metrics | CERT, CSIRT, SOC | 2015 |
| Maarten de Frankrijker, Christian Reina, Steve Warnock | Maarten de Frankrijker, Christian Reina, Steve Warnock | CISSP CheatSheet | CISSP, CheatSheet | 2017 |
| Mansour A. Alharbi | SANS | Writing a PenTest Report | Report Writing | 2010 |
| Marc Rivero López | Marc Rivero López | Hunting .NET Malware | Hunt, Malware | 2017 |
| Mark Russinovich | Mark Russinovich | Mark Russinovich Hunting With SysInternals SysMon | Hunt, SysInternals, RSA | 2017 |
| Matt Graeber | Matt Graeber | PowerShell is Not Special | Hunt, PowerShell | 2017 |
| Matthew Dunwoody | FireEye | Greater Visibility Through PowerShell Logging | Hunt | 2016 |
| Melia Kelley | Melia Kelley | Report Writing CheatSheet | Report Writing | 2012 |
| Michael Gough | Michael Gough | Malwarearchaeology CheatSheets | Hunt, CheatSheets | 2016 |
| Michael Gough | Splunk | Finding Advanced Attacks and Malware With Only 6 Windows EventID's | Hunt, Windows Event Logs | 2016 |
| Microsoft | Microsoft | Windows 8, Server 2012 Security Event Descriptions | Hunt, Windows Event Logs Win8/Server2012 | |
| Microsoft | Microsoft | Windows 7, Server 2008R2 Security Event Descriptions | Hunt, Windows Event Logs Win7/Server2008R2 | |
| Microsoft | Microsoft | Vista, 2008 Security Event Descriptions | Hunt, Windows Event Logs WinVista/Server2008 | |
| Mike Murr | SANS | Writing Malware Reports | Report Writing | 2012 |
| Mike Rothman | Securosis | Building a Threat Intelligence Program | Threat Intel | 2016 |
| Mike Rothman | Securosis | Applied Threat Intelligence | Threat Intel | 2015 |
| Monnappa KA | Monnappa KA | Process Hollowing and HollowFind | Hunt, HollowFind, Volatility | 2016 |
| N/A | N/A | Security Assessment Maintenance Checklist | Report Writing | 2008 |
| Network World | Network World | 12 managed security-services providers you should know | Threat Intel, MSSP | 2008 |
| Nicholas Popovich | Optiv | MSSQL Agent Jobs for Command Execution | Hunt | 2016 |
| Nick Caldwell | HackerNoon | Worst Career Advice I Ever Received | | 2019 |
| Offensive Security | Offensive Security | PenTesting Report Sample | Report Writing | 2013 |
| PagerDuty | PagerDuty | PagerDuty Incident Response Templates | Incident Response | 2017 |
| Paul Poputa-Clean | SANS | Automated Defense Using Threat Intelligence | Threat Intel | 2015 |
| Rafeeq Rehman | Rafeeq Rehman | Building a Successful SOC | CERT, CSIRT, SOC | 2017 |
| RedTeamBlueTeam | RedTeamBlueTeam | Spotting the Adversary with Windows Event Log Monitoring, Part I | Hunt | 2015 |
| RedTeamBlueTeam | RedTeamBlueTeam | Spotting the Adversary with Windows Event Log Monitoring, Part II | Hunt | 2015 |
| Richard Chirgwin | Register UK | Dishwasher Directory Traversal Bug | IoT | 2017 |
| Robert M. Lee | SANS | The Problems with Seeking and Avoiding True Attribution to Cyber Attacks | Advanced Persistent Threat, Cyber Threat, Incident Response, Hunt | 2016 |
| Robert M. Lee | Robert M. Lee | Common Analyst Mistakes and Claims of Energy Company Targeting Malware | Threat Intel | 2016 |
| Ronnie Flathers | Ronnie Flathers | Payload CheatSheet | Payload, CheatSheet, Exfil | 2016 |
| Ryan Fyffe | CrowdStrike | Open Source Recon | Hunt | 2016 |
| Samuel Alonso | Samuel Alonso | Cyber Threat Hunting (1): Intro | Cyber kill chain, Incident Detection, incident response, Hunt | 2016 |
| Sean Metcalf | ActiveDirectory Security | Beyond the MCSE: Red Teaming Active Directory | Hunt | 2014 |
| Sergio Caltagirone | ActiveResponse | | Hunt | 2016 |
| Sergio Caltagirone | ActiveResponse | Unofficial Microsoft Threat Intelligence | Threat Intel | 2016 |
| Sergio Caltagirone | ActiveResponse | 15 Things Wrong with Today's Threat Intelligence Reporting | Threat Intel | 2014 |
| Sergio Caltagirone, Andrew Pendergast, Christopher Betz | Malaysia University | The Diamond Model of Intrusion Analysis | Threat Intel | 2013 |
| Shusei Tomonaga | JPCERT-CC | Windows Commands Abused by Attackers | Hunt | 2016 |
| Shusei Tomonaga | JPCERT | Visualise Event Logs to Identify Compromised Accounts - LogonTracer | Hunt, Windows Event Logs | 2017 |
| Team Cymru | Team Cymru | THE DARKNET PROJECT | Hunt | 2004 |
| ThreatConnect | ThreatConnect | THREAT INTELLIGENCE PLATFORMS: Everything You've Ever Wanted to Know But Didn't Know to Ask | Threat Intel | 2015 |
| Toffler Associates | Toffler Associates | 0days: How Hacking Really Works | Hunt, Threat Intel | 2005 |
| Tony Sager | SANS | Killing Advanced Threats in Their Tracks | Hunt, TTPs | 2014 |
| Various | University of Wisconsin-Madison | Fuzz Testing of Application Reliability | Hunt, Tool | Various |
| Various | SANS | Cyber Threat Intelligence Summit | Threat Intel | 2017 |
| Wayne Piekarski | Wayne Piekarski | Google Android Internet of Things platform | Google, Android, IoT | 2016 |
| William Hart | RSA | NetWitness Tutorial | NetWitness, Tutorial | 2016 |
| Y.M. Wara, D. Singh | IEEE | CSIRT Success | CERT, CSIRT, SOC | 2015 |