20+ threat hunt playbooks with step-by-step instructions, Splunk SPL, KQL, and Elastic queries. PowerShell, lateral movement, Kerberoasting, DNS tunneling, and more.
Threat Hunt Playbooks is a library of 20+ hypothesis-driven hunting guides for SOC analysts and threat hunters. Each playbook defines a specific hunt hypothesis (for example: "An attacker is using PowerShell to establish a reverse shell"), lists the data sources and log types you need, provides step-by-step hunt instructions, and includes ready-to-run detection queries for Splunk SPL, Microsoft Sentinel KQL, and Elasticsearch.
Proactive threat hunting is the practice of searching your environment for attacker activity that has not triggered any alerts. It is based on the hypothesis that advanced adversaries are already in your environment but have not yet been detected by your signature-based controls. Threat hunters use knowledge of attacker TTPs to craft targeted searches that look for behavioral anomalies rather than known-bad signatures.
The playbooks cover the most common hunting scenarios encountered in enterprise environments: PowerShell abuse and obfuscation, lateral movement via PsExec and WMI, Kerberoasting and credential access, DNS tunneling for C2 communication, living-off-the-land binary abuse (LOLBins), scheduled task persistence, data staging before exfiltration, and cloud account compromise. Each is mapped to MITRE ATT&CK techniques.
Related tools
MITRE ATT&CK Navigator
SIEM Query Builder
Analyst Simulations
SOC Tabletops
Part of DuckIntel.io — 59 free browser-based security tools for SOC analysts. No login. No tracking. 100% client-side.