Displaying 1 to 20 from 26 results

ThreatHunter-Playbook - A Threat hunter's playbook to aid the development of techniques and hypothesis for hunting campaigns

  •    

A Threat hunter's playbook to aid the development of techniques and hypothesis for hunting campaigns by leveraging Sysmon and Windows Events logs. This project will provide specific chains of events exclusively at the host level so that you can take them and develop logic to deploy queries or alerts in your preferred tool or format such as Splunk, ELK, Sigma, GrayLog etc. This repo will follow the structure of the MITRE ATT&CK framework which categorizes post-compromise adversary behavior in tactical groups. In addition, it will provide information about hunting tools/platforms developed by the infosec community for testing and enterprise-wide hunting.Can't wait to see other hunters' pull requests with awesome ideas to detect advanced patterns of behavior. The more chains of events you contribute the better this playbook will be for the community.

sysmon-config - Sysmon configuration file template with default high-quality event tracing

  •    

This is a Microsoft Sysinternals Sysmon configuration file template with default high-quality event tracing. The file provided should function as a great starting point for system change monitoring in a self-contained package. This configuration and results should give you a good idea of what's possible for Sysmon. Note that this does not track things like authentication and other Windows events that are also vital for incident investigation.

MISP - MISP (core software) - Open Source Threat Intelligence Platform (formely known as Malware Information Sharing Platform)

  •    PHP

MISP, is an open source software solution for collecting, storing, distributing and sharing cyber security indicators and threat about cyber security incidents analysis and malware analysis. MISP is designed by and for incident analysts, security and ICT professionals or malware reverser to support their day-to-day operations to share structured informations efficiently. The objective of MISP is to foster the sharing of structured information within the security community and abroad. MISP provides functionalities to support the exchange of information but also the consumption of the information by Network Intrusion Detection System (NIDS), LIDS but also log analysis tools, SIEMs.

atomic-red-team - Small and highly portable detection tests.

  •    PowerShell

Small and highly portable detection tests mapped to the Mitre ATT&CK Framework.Our Atomic Red Team tests are small, highly portable detection tests mapped to the MITRE ATT&CK Framework. Each test is designed to map back to a particular tactic. We hope that this gives defenders a highly actionable way to immediately start testing their defenses against a broad spectrum of attacks.




signature-base - Signature base for my scanner tools

  •    Python

The signature-base repository is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This signature-base is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICLAR PURPOSE. See the GNU General Public License for more details.

yeti - Your Everyday Threat Intelligence

  •    Python

Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository. Yeti will also automatically enrich observables (e.g. resolve domains, geolocate IPs) so that you don't have to. Yeti provides an interface for humans (shiny Bootstrap-based UI) and one for machines (web API) so that your other tools can talk nicely to it. Yeti was born out of frustration of having to answer the question "where have I seen this artifact before?" or Googling shady domains to tie them to a malware family.

DetectionLab - Vagrant & Packer scripts to build a lab environment complete with security tooling and logging best practices

  •    HTML

This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.NOTE: This lab has not been hardened in any way and runs with default vagrant credentials. Please do not connect or bridge it to any networks you care about. This lab is deliberately designed to be insecure; the primary purpose of it is to provide visibility and introspection into each host.

awesome-threat-detection - A curated list of awesome threat detection and hunting resources

  •    

Contributions welcome! Read the contribution guidelines first. To the extent possible under law, Adel "0x4D31" Karimi has waived all copyright and related or neighboring rights to this work.


HELK - The Incredible HELK

  •    Shell

A Hunting ELK (Elasticsearch, Logstash, Kibana) with advanced analytic capabilities.At the end of the HELK installation, you will have a similar output with the information you need to access the primary HELK components. Remember that the default username and password for the HELK are helk:hunting.

awesome-yara - A curated list of awesome YARA rules, tools, and people.

  •    

A curated list of awesome YARA rules, tools, and resources. Inspired by awesome-python and awesome-php. YARA is an ancronym for: YARA: Another Recursive Ancronym, or Yet Another Ridiculous Acronym. Pick your choice.

sysmon-modular - A repository of sysmon configuration modules

  •    PowerShell

This is a Microsoft Sysinternals Sysmon configuration repository, set up modular for easier maintenance and generation of specific configs. Note: I do recommend using a minimal number of configurations within your environment for multiple obvious reasons, like; maintenance, output equality, manageability and so on.

NOAH - PowerShell No Agent Hunting

  •    PowerShell

NOAH is an agentless open source Incident Response framework based on PowerShell, called "No Agent Hunting" (NOAH), to help security investigation responders to gather a vast number of key artifacts without installing any agent on the endpoints saving precious time.

PSHunt - Powershell Threat Hunting Module

  •    PowerShell

PSHunt is a Powershell Threat Hunting Module designed to scan remote endpoints* for indicators of compromise or survey them for more comprehensive information related to state of those systems (active processes, autostarts, configurations, and/or logs).PSHunt began as the precurser to Infocyte's commercial product, Infocyte HUNT, and is now being open sourced for the benefit of the DFIR community.

yara-rules - A collection of Yara rules we wish to share with the world, most probably referenced from http://blog

  •    

A collection of Yara rules we wish to share with the world, most probably referenced from http://blog.inquest.net.

PowerGRR - PowerGRR provides an easy way for using the GRR API from PowerShell running on Windows, macOS and Linux

  •    PowerShell

PowerGRR is a PowerShell module for working with the GRR API working on Windows, macOS and Linux. Please see Command Documentation, Wiki and CHANGELOG.

THRecon - Threat Hunting Reconnaissance Toolkit

  •    PowerShell

Collect endpoint information for use in incident response, threat hunting, live forensics, baseline monitoring, etc. * Info pulled from current running processes or their executables on disk.

TA-Sysmon-deploy - Deploy and maintain Symon through the Splunk Deployment Sever

  •    Batchfile

Deploy and maintain Sysmon through the Splunk Deployment Server. This will enable you to have all systems running the same version of Sysmon and the same up-to-date configuration. No more logging in to all servers and installing it manually or having to negotiate a GPO change.

BeSafe - BeSafe is robust threat analyzer which help to protect your desktop environment and know what's happening around you

  •    CSharp

BeSafe is a robust threat analyzer which helps securing your desktop environment and be aware of what's happening around you. By using VirusTotal public API, BeSafe got power of more than 56 antivirus products without need to install any client engines in light and robust solution. Except VirusTotal's power, BeSafe uses other techniques and tricks to protect your environments from known and unknown threats. ❗️ Dependencies automatically handled by NuGet package manager of VisualStudio.

mail_to_misp - Connect your mail client/infrastructure to MISP in order to create events based on the information contained within mails

  •    Python

Connect your mail infrastructure to MISP in order to create events based on the information contained within mails. You should now be able to send your IoC-containing mails to misp_handler@YOURDOMAIN.