Alert for ransomware that bypassed endpoint protection

This page summarizes the projects mentioned and recommended in the original post on /r/blueteamsec

  • Raccine

    A Simple Ransomware Vaccine

    Back to your original question, assuming a conventional AD-centric Windows environment, I would recommend starting with AppLocker to whitelist approved apps and a host-based firewall to whitelist approved connections, enable detailed PowerShell logging, monitor for east-west wmic/SMB/RDP connections (monitor at host level and at network level), and use a tool like RITA to detect beaconing activity. Also consider blocking DoH, retaining DNS logs, and if you don't have a well-tuned EDR/XDR and SIEM, deploy Sysmon and use WEF/WEC to centralize logs (SwiftOnSecurity and Olaf Hartong on GitHub have very good starting points for Sysmon configs, and Microsoft's MSLab GitHub repo has a good scenario for testing Sysmon/WEF/WEC with alert recommendations from NSA and Palantir). If you have no centralized logging/analysis/alerting in place AND a managed solution like SecureWorks or a guided deployment of Defender are not realistic, consider starting with Security Onion. If your organization is in a critical infrastructure sector, you should definitely look into the risk and vulnerability assessment and no-cost cyber hygiene services offered by CISA (see https://www.cisa.gov/cyber-resource-hub). Also, have you considered testing/deploying Raccine? https://github.com/Neo23x0/Raccine

  • awesome-threat-detection

    ✨ A curated list of awesome threat detection and hunting resources 🕵️‍♂️

    Some additional resources can be found at https://github.com/0x4D31/awesome-threat-detection
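The comment under Raccine recommends monitoring east-west wmic/SMB/RDP connections and using a tool like RITA to spot beaconing. The script below is an added example of what those two checks look like when run over network-connection events; it is not code from RITA, Sysmon, Raccine or the original post. The log lines are constructed for the example, the "ts|host|image|src|dst|dport" layout is an assumed flat export of Sysmon Event ID 3 records (not a real Sysmon or SIEM format), 10.10.1.0/24 is the assumed workstation subnet, and the lateral-movement port list and the beacon thresholds (at least six connections, interval coefficient of variation at most 0.2) are choices made here, not values from any tool.

```python
import statistics
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample (not a real capture). Assumed layout of a flattened
# Sysmon Event ID 3 export: epoch_seconds|host|image|src_ip|dst_ip|dst_port.
# WS-03 talks to 203.0.113.7 about once a minute (beacon), WS-02 browses
# 198.51.100.20 at irregular times, WS-01 reaches a file server (10.10.0.5)
# and two other workstations over RPC/WMI and RDP.
SAMPLE_LOG = """\
0|WS-03|C:\\Users\\j.doe\\AppData\\Local\\Temp\\update.exe|10.10.1.13|203.0.113.7|443
5|WS-02|C:\\Program Files\\Mozilla Firefox\\firefox.exe|10.10.1.12|198.51.100.20|443
9|WS-02|C:\\Program Files\\Mozilla Firefox\\firefox.exe|10.10.1.12|198.51.100.20|443
50|WS-01|C:\\Windows\\System32\\svchost.exe|10.10.1.11|10.10.0.5|445
60|WS-03|C:\\Users\\j.doe\\AppData\\Local\\Temp\\update.exe|10.10.1.13|203.0.113.7|443
70|WS-02|C:\\Program Files\\Mozilla Firefox\\firefox.exe|10.10.1.12|198.51.100.20|443
71|WS-02|C:\\Program Files\\Mozilla Firefox\\firefox.exe|10.10.1.12|198.51.100.20|443
100|WS-01|C:\\Windows\\System32\\wbem\\WMIC.exe|10.10.1.11|10.10.1.12|135
121|WS-03|C:\\Users\\j.doe\\AppData\\Local\\Temp\\update.exe|10.10.1.13|203.0.113.7|443
150|WS-01|C:\\Windows\\System32\\mstsc.exe|10.10.1.11|10.10.1.14|3389
179|WS-03|C:\\Users\\j.doe\\AppData\\Local\\Temp\\update.exe|10.10.1.13|203.0.113.7|443
240|WS-03|C:\\Users\\j.doe\\AppData\\Local\\Temp\\update.exe|10.10.1.13|203.0.113.7|443
300|WS-02|C:\\Program Files\\Mozilla Firefox\\firefox.exe|10.10.1.12|198.51.100.20|443
301|WS-03|C:\\Users\\j.doe\\AppData\\Local\\Temp\\update.exe|10.10.1.13|203.0.113.7|443
310|WS-02|C:\\Program Files\\Mozilla Firefox\\firefox.exe|10.10.1.12|198.51.100.20|443
359|WS-03|C:\\Users\\j.doe\\AppData\\Local\\Temp\\update.exe|10.10.1.13|203.0.113.7|443
420|WS-03|C:\\Users\\j.doe\\AppData\\Local\\Temp\\update.exe|10.10.1.13|203.0.113.7|443
600|WS-02|C:\\Program Files\\Mozilla Firefox\\firefox.exe|10.10.1.12|198.51.100.20|443
"""

# Ports workstations normally have no reason to open towards each other
# (assumed list for this example): RPC/WMI, SMB, RDP, WinRM.
LATERAL_PORTS = {135: "RPC/WMI", 445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM/TLS"}


@dataclass(frozen=True)
class Conn:
    ts: int
    host: str
    image: str
    src: str
    dst: str
    dport: int


def parse_log(text):
    """Parse the assumed pipe-delimited export into Conn records."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, image, src, dst, dport = line.split("|")
        conns.append(Conn(int(ts), host, image, src, dst, int(dport)))
    return conns


def east_west(conns, workstation_nets):
    """Return connections where a workstation reaches another workstation
    on a lateral-movement port; server-bound SMB/RDP is left alone."""
    nets = [ip_network(n) for n in workstation_nets]

    def is_workstation(ip):
        addr = ip_address(ip)
        return any(addr in net for net in nets)

    return [c for c in conns
            if c.dport in LATERAL_PORTS and is_workstation(c.src) and is_workstation(c.dst)]


def beacons(conns, min_conns=6, max_cv=0.2):
    """Flag (src, dst, dport) tuples whose inter-connection gaps are regular.
    Regularity is measured as the coefficient of variation (stdev / mean) of
    the gaps; human-driven traffic is bursty and scores high, a timer loop
    with small jitter scores near zero."""
    groups = defaultdict(list)
    for c in conns:
        groups[(c.src, c.dst, c.dport)].append(c.ts)
    found = {}
    for key, stamps in groups.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            found[key] = {"count": len(stamps), "interval": mean, "cv": round(cv, 3)}
    return found


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for c in east_west(events, ["10.10.1.0/24"]):
        print(f"EAST-WEST {c.host} {c.image} -> {c.dst}:{c.dport} ({LATERAL_PORTS[c.dport]})")
    for (src, dst, dport), info in beacons(events).items():
        print(f"BEACON {src} -> {dst}:{dport} every ~{info['interval']}s, cv={info['cv']}, n={info['count']}")
```

With the sample above only the two workstation-to-workstation connections (WMIC over 135, mstsc over 3389) and the once-a-minute update.exe session to 203.0.113.7 are reported; the SMB session to the file server and the irregular browsing are not. On real data the thresholds need tuning per environment, long-interval beacons need a longer observation window than the one shown, and a jittered beacon whose sleep is randomized over a wide range will not score low enough on this one statistic, which is why RITA also scores connection size dispersion and connection counts rather than interval regularity alone.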
