atomic-red-team - Small and highly portable detection tests.


Small and highly portable detection tests mapped to the MITRE ATT&CK framework. Each Atomic Red Team test is a small, portable test that maps back to a particular ATT&CK technique, and through it to the tactic that technique serves, so defenders have a highly actionable way to start testing their defenses against a broad spectrum of attacker behaviors right away. Because the tests execute real adversary behavior on the host, run them only on systems you control and confirm afterwards that your telemetry actually recorded what they did.

https://github.com/redcanaryco/atomic-red-team

Related Projects

ThreatHunter-Playbook - A threat hunter's playbook to aid the development of techniques and hypotheses for hunting campaigns


A threat hunter's playbook to aid the development of techniques and hypotheses for hunting campaigns by leveraging Sysmon and Windows Event logs. This project provides specific chains of events at the host level so that you can take them and develop logic to deploy queries or alerts in your preferred tool or format, such as Splunk, ELK, Sigma or Graylog. The repo follows the structure of the MITRE ATT&CK framework, which categorizes post-compromise adversary behavior into tactical groups, and also collects information about hunting tools and platforms developed by the infosec community for testing and enterprise-wide hunting. Pull requests from other hunters with ideas for detecting advanced patterns of behavior are welcome: the more chains of events you contribute, the better this playbook will be for the community.
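The "chain of events at the host level" idea is easiest to see in code. The following is an added example, not code from the playbook or from Atomic Red Team: it joins two Sysmon event types on ProcessGuid (EventID 1 process creation, EventID 3 network connection) to find an Office application spawning a script interpreter that then connects out within a short window, and tags the hit with the ATT&CK techniques it maps to. The event records, process lists and time window are constructed for the example; the field names follow Sysmon's EventData.

```python
from datetime import datetime

# Process names used by the hunt. Constructed for this example; adjust to the environment.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def ev(event_id, utc_time, guid, image, **fields):
    """Build a Sysmon-like event record (field names follow Sysmon's EventData)."""
    return {"EventID": event_id, "UtcTime": utc_time, "ProcessGuid": guid, "Image": image, **fields}


WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PWSH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed telemetry, not real logs. EventID 1 = process create, EventID 3 = network connection.
EVENTS = [
    ev(1, "2024-01-10 09:00:01.000", "{A1}", WINWORD, ParentProcessGuid="{E0}", ParentImage=EXPLORER),
    # Chain 1: Word spawns PowerShell, which connects out 4 seconds later -> should fire
    ev(1, "2024-01-10 09:00:05.000", "{B2}", PWSH, ParentProcessGuid="{A1}", ParentImage=WINWORD),
    ev(3, "2024-01-10 09:00:09.000", "{B2}", PWSH, DestinationIp="203.0.113.7", DestinationPort=443),
    # Benign: Explorer (not Office) spawns PowerShell, which talks to a file server -> no fire
    ev(1, "2024-01-10 09:10:00.000", "{C3}", PWSH, ParentProcessGuid="{E0}", ParentImage=EXPLORER),
    ev(3, "2024-01-10 09:10:02.000", "{C3}", PWSH, DestinationIp="10.0.0.5", DestinationPort=445),
    # Chain 2: Word spawns cmd.exe, but the connection comes 5 minutes later -> outside default window
    ev(1, "2024-01-10 09:20:00.000", "{D4}", CMD, ParentProcessGuid="{A1}", ParentImage=WINWORD),
    ev(3, "2024-01-10 09:25:00.000", "{D4}", CMD, DestinationIp="203.0.113.9", DestinationPort=80),
]


def image_name(path):
    """Lower-cased file name from a Windows path, so matching is case-insensitive."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_utc(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def hunt_office_spawn_then_connect(events, window_seconds=60):
    """Chain of events: an Office app spawns a script interpreter (Sysmon 1), and that same
    process opens a network connection (Sysmon 3) within window_seconds of being created.
    ProcessGuid is the join key between the two events. Returns one hit per chain."""
    spawned = {}  # ProcessGuid of suspicious child -> its process-create event
    for e in events:
        if (e["EventID"] == 1 and image_name(e["ParentImage"]) in OFFICE_APPS
                and image_name(e["Image"]) in INTERPRETERS):
            spawned[e["ProcessGuid"]] = e
    hits = []
    for e in events:
        if e["EventID"] != 3 or e["ProcessGuid"] not in spawned:
            continue
        created = spawned[e["ProcessGuid"]]
        delta = (parse_utc(e["UtcTime"]) - parse_utc(created["UtcTime"])).total_seconds()
        if 0 <= delta <= window_seconds:
            hits.append({
                # T1204.002 User Execution: Malicious File; T1059 Command and Scripting Interpreter
                "techniques": ["T1204.002", "T1059"],
                "tactic": "Execution",
                "parent": image_name(created["ParentImage"]),
                "child": image_name(created["Image"]),
                "process_guid": e["ProcessGuid"],
                "destination": f'{e["DestinationIp"]}:{e["DestinationPort"]}',
                "seconds_after_spawn": delta,
            })
    return hits


if __name__ == "__main__":
    for hit in hunt_office_spawn_then_connect(EVENTS):
        print(hit)
```

The same join translates directly into a Splunk transaction, a Sigma correlation or an ELK query keyed on ProcessGuid; the time window is the knob that trades missed slow beacons against noise from legitimate macros that reach out minutes later.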

awesome-threat-detection - A curated list of awesome threat detection and hunting resources


Contributions welcome! Read the contribution guidelines first. To the extent possible under law, Adel "0x4D31" Karimi has waived all copyright and related or neighboring rights to this work.

HELK - The Incredible HELK


A Hunting ELK (Elasticsearch, Logstash, Kibana) with advanced analytic capabilities. At the end of the HELK installation, the installer prints the information you need to access the primary HELK components. Remember that the default username and password for HELK are helk:hunting; change them before the stack is reachable from anything other than a lab network.

DetectionLab - Vagrant & Packer scripts to build a lab environment complete with security tooling and logging best practices


This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices for system logging configuration. It can easily be modified to fit most needs or expanded to include additional hosts. NOTE: This lab has not been hardened in any way and runs with default Vagrant credentials. Please do not connect or bridge it to any networks you care about. The lab is deliberately insecure; its primary purpose is to provide visibility and introspection into each host.

Proactive Investigator: advanced analytics for threat detection


Proactive Investigator is a solution created for information security threat detection. It is an end-to-end solution, currently built on SQL Server 2008



Apache Metron - Real-time Big Data Security


Metron integrates a variety of open source big data technologies in order to offer a centralized tool for security monitoring and analysis. Metron provides capabilities for log aggregation, full packet capture indexing, storage, advanced behavioral analytics and data enrichment, while applying the most current threat intelligence information to security telemetry within a single platform.

binaryalert - BinaryAlert: Serverless, Real-time & Retroactive Malware Detection


BinaryAlert is an open-source serverless AWS pipeline where any file uploaded to an S3 bucket is immediately scanned with a configurable set of YARA rules. An alert will fire as soon as any match is found, giving an incident response team the ability to quickly contain the threat before it spreads.

Suricata IDS - Network threat detection engine


The Suricata engine is capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing. Suricata inspects network traffic using a powerful and extensive rule and signature language, and has Lua scripting support for detecting complex threats.

ThreatExchange - Share threat information with vetted partners


ThreatExchange is a set of RESTful APIs on the Facebook Platform for querying, publishing, and sharing security threat information. It is a lightweight way to exchange details on malware, phishing pages, and other threats with either specific members of the community or the ThreatExchange community at large. This repository contains example code for using the API.

PeerTAB: P2P Threat Analysis Bus


A Lightweight P2P Threat Analysis Bus

DCEPT - A tool for deploying and detecting use of Active Directory honeytokens


DCEPT (Domain Controller Enticing Password Tripwire) is a honeytoken-based tripwire for Microsoft Active Directory. Honeytokens are pieces of information intentionally littered on systems so that an intruder will discover them. Here the honeytokens are credentials that could only be known to someone who extracted them from memory, so a logon attempt using these faux credentials means someone is inside the network and attempting to escalate privileges to domain administrator.
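The tripwire side of this idea, as an added example that is not DCEPT's own code: the detection runs over Windows Security authentication events and alerts on any attempt that names a planted account. The honeytoken table (account name to the workstation it was planted on) and the event records are constructed for the example; the event IDs and field names are those of the Windows Security log. Because the alert carries both where the token was planted and where it was used from, a single hit already points at the harvested host and the attacker's current foothold.

```python
# Honeytoken accounts and the workstation each token was planted on. Constructed for this
# example; in a real deployment this table is whatever the planting tool records.
HONEYTOKENS = {
    "svc_backup_adm": "WS-ACCT-07",
    "da_helpdesk": "WS-HR-12",
}

# Constructed Windows Security event records (field names follow the Security log's EventData).
# 4624 = successful logon, 4625 = failed logon, 4771 = Kerberos pre-authentication failed.
EVENTS = [
    {"EventID": 4624, "TargetUserName": "jsmith", "LogonType": 2,
     "WorkstationName": "WS-HR-12", "IpAddress": "10.1.1.20"},
    {"EventID": 4625, "TargetUserName": "CORP\\svc_backup_adm", "LogonType": 3,
     "WorkstationName": "WS-HR-12", "IpAddress": "10.1.1.20", "Status": "0xC000006D"},
    {"EventID": 4771, "TargetUserName": "DA_HELPDESK", "IpAddress": "::ffff:10.1.5.9",
     "Status": "0x18"},
    {"EventID": 4624, "TargetUserName": "svc_backup_adm", "LogonType": 3,
     "WorkstationName": "WS-OPS-03", "IpAddress": "10.1.9.3"},
    {"EventID": 4625, "TargetUserName": "jsmith", "LogonType": 2,
     "WorkstationName": "WS-HR-12", "IpAddress": "10.1.1.20", "Status": "0xC000006A"},
]

# Events that name the account being authenticated: logon success/failure, Kerberos TGT
# request and pre-auth failure, NTLM credential validation.
LOGON_EVENT_IDS = {4624, 4625, 4768, 4771, 4776}


def normalize_account(name):
    """Strip a DOMAIN\\ or @domain qualifier and lower-case, so 'CORP\\Svc_Backup_Adm' matches."""
    name = name.rsplit("\\", 1)[-1].split("@", 1)[0]
    return name.lower()


def normalize_ip(addr):
    """Security events often carry IPv4-mapped IPv6 addresses such as ::ffff:10.1.5.9."""
    return addr[7:] if addr.lower().startswith("::ffff:") else addr


def detect_honeytoken_use(events, honeytokens):
    """Any authentication event naming a honeytoken account is an alert: the credential only
    exists in planted memory, so any use means it was harvested. A successful logon (4624) is
    escalated, because the decoy account should never actually be usable."""
    alerts = []
    for e in events:
        if e["EventID"] not in LOGON_EVENT_IDS:
            continue
        account = normalize_account(e["TargetUserName"])
        if account not in honeytokens:
            continue
        alerts.append({
            "account": account,
            "planted_on": honeytokens[account],
            "used_from": normalize_ip(e.get("IpAddress", "-")),
            "event_id": e["EventID"],
            "severity": "critical" if e["EventID"] == 4624 else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_honeytoken_use(EVENTS, HONEYTOKENS):
        print(alert)
```

In the constructed data the svc_backup_adm token planted on WS-ACCT-07 is tried from WS-HR-12, which is the lateral-movement path the tripwire exists to expose. The decoy accounts should exist in the directory (so a failed logon returns a wrong-password status rather than "unknown user") but must never be usable, which is why a 4624 for one of them is treated as the most severe outcome.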

Nayatel IDS


Nayatel Intrusion Detection System is a Windows-based system written in C#. It automatically detects hosts attempting to intrude into your network, showing the IP address of each and a level reading that indicates the threat it poses.

Midiki, the MITRE Dialogue Toolkit


Midiki, The MITRE Dialogue Toolkit, is a portable toolkit for building dialogue managers in Java. It implements the information-state model of dialogue as pioneered in Trindikit: a rule-based, theory-neutral, platform agnostic model.

Avanor


A relatively easy to win but feature rich fantasy roguelike game with a highly interactive world. Avanor was once a great land, but now it is an isolated valley kingdom under serious threat. You, as the hero must save Avanor, or dominate it.

Yara - The pattern matching swiss knife for malware researchers


YARA is a tool aimed at (but not limited to) helping malware researchers identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a. a rule, consists of a set of strings and a boolean expression that determines its logic.
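A concrete rule makes the "set of strings plus a boolean expression" model clear, and it is the same kind of rule BinaryAlert above would run over every uploaded object. The following is an added example, not code from YARA or BinaryAlert: a constructed rule is shown in YARA syntax, and the same strings (an ASCII text string, a case-insensitive ASCII/UTF-16 "wide" string, and a hex string with wildcards) and condition are implemented in plain Python so the example runs without yara-python. The sample byte strings are constructed, not real files.

```python
import re

# A constructed rule, shown in YARA syntax for reference. The Python below implements the same
# strings and condition so the example runs without yara-python installed.
RULE_TEXT = r'''
rule Suspicious_Downloader
{
    strings:
        $api  = "URLDownloadToFileA" ascii
        $run  = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii wide nocase
        $call = { FF 15 ?? ?? ?? ?? }   // call [imm32], address wildcarded
    condition:
        uint16(0) == 0x5A4D and $api and ($run or #call > 3)
}
'''


def text_pattern(s, ascii=True, wide=False, nocase=False):
    """YARA text string: 'ascii' matches the raw bytes, 'wide' the UTF-16LE form, 'nocase' ignores case."""
    forms = []
    if ascii:
        forms.append(re.escape(s.encode("ascii")))
    if wide:
        forms.append(re.escape(s.encode("utf-16-le")))
    return re.compile(b"|".join(forms), (re.IGNORECASE if nocase else 0) | re.DOTALL)


def hex_pattern(spec):
    """YARA hex string: space-separated bytes, '??' wildcards any single byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in spec.split()]
    return re.compile(b"".join(parts), re.DOTALL)


STRINGS = {
    "$api": text_pattern("URLDownloadToFileA"),
    "$run": text_pattern("Software\\Microsoft\\Windows\\CurrentVersion\\Run", wide=True, nocase=True),
    "$call": hex_pattern("FF 15 ?? ?? ?? ??"),
}


def uint16(data, offset):
    """Little-endian 16-bit read, like YARA's uint16(); None if out of range."""
    return int.from_bytes(data[offset:offset + 2], "little") if len(data) >= offset + 2 else None


def count_matches(data):
    """'#name' in YARA is the number of occurrences of that string; '$name' means #name > 0."""
    return {name: len(pat.findall(data)) for name, pat in STRINGS.items()}


def condition(data, counts):
    # uint16(0) == 0x5A4D and $api and ($run or #call > 3)
    return (uint16(data, 0) == 0x5A4D and counts["$api"] > 0
            and (counts["$run"] > 0 or counts["$call"] > 3))


def scan(data):
    """Return (matched, string counts) for one blob, the way a YARA match reports its strings."""
    counts = count_matches(data)
    return condition(data, counts), counts


# Constructed samples, not real files.
BENIGN_PE = b"MZ" + b"\x90" * 64 + b"This program cannot be run in DOS mode."
DROPPER = (b"MZ" + b"\x00" * 30 + b"URLDownloadToFileA\x00"
           + "software\\microsoft\\windows\\currentversion\\run".encode("utf-16-le"))
CALLER = b"MZ" + b"\x00" * 10 + b"URLDownloadToFileA" + b"\xff\x15\x00\x10\x40\x00" * 4
TEXT_FILE = b"URLDownloadToFileA " + b"\xff\x15\x10\x20\x30\x40" * 5  # same strings, no MZ header

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_PE), ("dropper", DROPPER), ("caller", CALLER), ("text", TEXT_FILE)]:
        print(name, scan(blob))
```

The uint16(0) check anchors the rule to PE files so the same strings in a text document do not fire, the wide/nocase modifiers catch the registry path as it is typically stored in a Windows binary, and the count on the wildcarded call pattern is what lets one rule express "this many indirect calls" without hard-coding addresses.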

Zentyal - Linux Small Business Server


Zentyal is a Linux Small Business Server and a good alternative to Windows Small Business Server. Zentyal can act as a gateway, infrastructure manager, unified threat manager, office server, unified communication server, or a combination of them. It is built on the Ubuntu Linux distribution. The package includes an LDAP server, mail server, firewall, network infrastructure services, VPN support, web server, file server, print server, FTP server, groupware, VoIP server, virtual machine management and a lot more.

AuthMatrix - AuthMatrix is a Burp Suite extension that provides a simple way to test authorization in web applications and web services


AuthMatrix is an extension to Burp Suite that provides a simple way to test authorization in web applications and web services. With AuthMatrix, testers focus on thoroughly defining tables of users, roles, and requests for their specific target application upfront. These tables are structured in a similar format to that of an access control matrix common in various threat modeling methodologies. Once the tables have been assembled, testers can use the simple click-to-run interface to kick off all combinations of roles and requests. The results can be confirmed with an easy to read, color-coded interface indicating any authorization vulnerabilities detected in the system. Additionally, the extension provides the ability to save and load target configurations for simple regression testing.
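The access-control-matrix approach the extension automates is simple enough to show end to end. The following is an added example and not AuthMatrix's own code: a table of identities and a table of requests with the identities expected to succeed, a stand-in target (constructed, with two deliberate authorization flaws) in place of Burp sending real HTTP, and the comparison that turns observed responses into findings. AuthMatrix groups users into roles and judges success with a response regex; here each user is its own column so horizontal escalation between two ordinary users is visible, and success is simply HTTP 200.

```python
# Identities the matrix is run as. Constructed for this example.
IDENTITIES = {
    "admin":      {"role": "admin"},
    "user_bob":   {"role": "user"},
    "user_carol": {"role": "user"},
    "anonymous":  {"role": "anonymous"},
}

# The request table: (method, path) -> identities expected to succeed. Everyone else must fail.
REQUESTS = {
    ("GET", "/admin/users"):       {"admin"},
    ("DELETE", "/admin/users/7"):  {"admin"},
    ("GET", "/invoices/202"):      {"admin", "user_bob"},    # bob's invoice
    ("GET", "/invoices/303"):      {"admin", "user_carol"},  # carol's invoice
}


def fake_target(method, path, identity):
    """Stand-in for the application under test (constructed, deliberately flawed).
    Flaw 1: /invoices/<id> checks that the caller is logged in but never checks ownership.
    Flaw 2: the admin authorization middleware is wired to GET routes only."""
    role = IDENTITIES[identity]["role"]
    if path.startswith("/admin/"):
        if method == "GET":
            return 200 if role == "admin" else 403
        return 200
    if path.startswith("/invoices/"):
        return 401 if role == "anonymous" else 200
    return 404


def run_matrix(send, requests=REQUESTS, identities=IDENTITIES, is_success=lambda status: status == 200):
    """Send every request as every identity and compare against the expectation table.
    'unexpected_success' is an authorization bug. 'expected_success_failed' means the baseline
    is broken (expired session, changed endpoint), so that row's other cells cannot be trusted."""
    findings = []
    for (method, path), allowed in requests.items():
        for identity in identities:
            status = send(method, path, identity)
            succeeded = is_success(status)
            if succeeded and identity not in allowed:
                findings.append({"request": f"{method} {path}", "identity": identity,
                                 "status": status, "kind": "unexpected_success"})
            elif not succeeded and identity in allowed:
                findings.append({"request": f"{method} {path}", "identity": identity,
                                 "status": status, "kind": "expected_success_failed"})
    return findings


if __name__ == "__main__":
    for finding in run_matrix(fake_target):
        print(finding)
```

Against the constructed target the matrix surfaces both flaws at once: the two users reading each other's invoices (object-level authorization) and every non-admin, including the anonymous identity, succeeding on the DELETE route (method-level bypass). Saving the two tables and re-running them is the regression check the extension's save/load feature exists for; a run that reports expected_success_failed rows should be treated as invalid rather than as "no vulnerabilities".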

threatman


ThreatMan is an IDMEF-compliant threat manager application built on a multi-tier architecture. It aims at correlating events and vulnerabilities from alerts sent by IDSs, firewalls and other IDMEF-compliant applications.

InsecureWebApp


InsecureWebApp is a web app that includes common web application vulnerabilities, including SQL and HTML injection (see owasp.org). It is a target for automated and manual penetration testing, source code analysis, vulnerability assessments and threat modeling.

Whonix


Whonix is an operating system focused on anonymity; it routes all network traffic through Tor.