cowrie - Cowrie SSH/Telnet Honeypot

  •    Python

This is the official repository for the Cowrie SSH and Telnet Honeypot effort. Cowrie is a medium interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker.

sysmon-config - Sysmon configuration file template with default high-quality event tracing

This is a Microsoft Sysinternals Sysmon configuration file template with default high-quality event tracing. The file provided should function as a great starting point for system change monitoring in a self-contained package. This configuration and results should give you a good idea of what's possible for Sysmon. Note that this does not track things like authentication and other Windows events that are also vital for incident investigation.

MISP - MISP (core software) - Open Source Threat Intelligence Platform (formerly known as Malware Information Sharing Platform)

  •    PHP

MISP is an open source software solution for collecting, storing, distributing and sharing cyber security indicators and threats about cyber security incident analysis and malware analysis. MISP is designed by and for incident analysts, security and ICT professionals or malware reversers to support their day-to-day operations to share structured information efficiently. The objective of MISP is to foster the sharing of structured information within the security community and abroad. MISP provides functionalities to support the exchange of information but also the consumption of the information by Network Intrusion Detection Systems (NIDS), LIDS but also log analysis tools, SIEMs.




dnstwist - Domain name permutation engine for detecting typo squatting, phishing and corporate espionage

  •    Python

See what sort of trouble users can get in trying to type your domain name. Find similar-looking domains that adversaries can use to attack you. Can detect typosquatters, phishing attacks, fraud and corporate espionage. Useful as an additional source of targeted threat intelligence. The idea is quite straightforward: dnstwist takes in your domain name as a seed, generates a list of potential phishing domains and then checks to see if they are registered. Additionally, it can test whether the mail server from the MX record can be used to intercept misdirected corporate e-mails, and it can generate fuzzy hashes of the web pages to see if they are live phishing sites.

phishing_catcher - Phishing catcher using Certstream

  •    Python

Catching malicious phishing domain names using the certstream SSL certificate live stream. The script should work fine using Python2 or Python3.

yeti - Your Everyday Threat Intelligence

  •    Python

Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository. Yeti will also automatically enrich observables (e.g. resolve domains, geolocate IPs) so that you don't have to. Yeti provides an interface for humans (shiny Bootstrap-based UI) and one for machines (web API) so that your other tools can talk nicely to it. Yeti was born out of frustration of having to answer the question "where have I seen this artifact before?" or Googling shady domains to tie them to a malware family.


bro-otx - Integrate Bro with Alienvault OTX

  •    Python

Add your API key to the bro-otx.conf configuration file. Add the bro-otx.py script to the crontab of a user with the ability to write to your Bro scripts directories.

IntRec-Pack - Intelligence and Reconnaissance Package/Bundle installer.

  •    Shell

Intelligence and Reconnaissance Package/Bundle installer. IntRec-Pack is a Bash script designed to download, install and deploy several quality OSINT, Recon and Threat Intelligence tools. Because it also manages the installation of the various dependencies of these programs, it aims to be a comprehensive assistant in setting up your intelligence gathering environment. Below is an overview of the tools and utilities it will help you set up.

Mimir - OSINT Threat Intel Interface

  •    Python

OSINT Threat Intel Interface - Named after the old Norse God of knowledge. Mimir functions as a CLI to HoneyDB, which in short is an OSINT aggregative threat intel pool. Starting the program brings you to a menu, the options for which are as follows.

python-iocextract - Advanced Indicator of Compromise (IOC) extractor.

  •    Python

Advanced Indicator of Compromise (IOC) extractor. This library extracts URLs, IP addresses, MD5/SHA hashes, email addresses, and YARA rules from text corpora. It includes obfuscated and "defanged" IOCs in the output, and optionally deobfuscates them.

Hippocampe - Threat Feed Aggregation, Made Easy

  •    Python

Hippocampe is a threat feed aggregator. It gives your organisation a threat feed 'memory' and lets you query it easily through a REST API or from a Web UI. If you have a Cortex server, there's already an analyzer to query Hippocampe. And if you use TheHive as a security incident response platform, you can customize the JSON output produced by the analyzer to your taste or use the report template that we kindly provide. Hippocampe aggregates feeds from the Internet in an Elasticsearch cluster. It has a REST API which allows searching its 'memory'. It is based on a Python script which fetches URLs corresponding to feeds, then parses and indexes them.

delator - Golang-based subdomain miner leveraging certificate transparency logs

  •    Go

DELATOR (lat. informer) is a tool to perform subdomain enumeration and initial reconnaissance by abusing certificate transparency (CT) logs. It expands on the original work done by Sheila A. Berta with her CTFR tool and leverages the speed and power of Go. To run DELATOR, a domain (-d) and search source (-s) must always be specified.

dnsmorph - Domain name permutation engine written in Go

  •    Go

DNSMORPH is a domain name permutation engine, inspired by dnstwist. It is written in Go, making for a compact and very fast tool. It robustly handles any domain or subdomain supplied and provides a number of configuration options to tune permutation runs. Download the pre-compiled binaries for your platform from the latest release page and extract them in a directory of your choosing.

mail_to_misp - Connect your mail client/infrastructure to MISP in order to create events based on the information contained within mails

  •    Python

Connect your mail infrastructure to MISP in order to create events based on the information contained within mails. You should now be able to send your IoC-containing mails to misp_handler@YOURDOMAIN.