{"id":57365,"url":"https://github.com/mthcht/awesome-lists","name":"awesome-lists","description":"Awesome Security lists for SOC/CERT/CTI","projects_count":737,"last_synced_at":"2026-06-09T06:00:47.014Z","repository":{"id":64607916,"uuid":"576895240","full_name":"mthcht/awesome-lists","owner":"mthcht","description":"Awesome Security lists for SOC/CERT/CTI","archived":false,"fork":false,"pushed_at":"2026-06-02T09:19:32.000Z","size":47028278,"stargazers_count":1476,"open_issues_count":23,"forks_count":177,"subscribers_count":37,"default_branch":"main","last_synced_at":"2026-06-02T09:19:36.646Z","etag":null,"topics":["awesome-list","blueteam","blueteam-tools","cti","detection","detection-engineering","dfir","hacktools","incident-response","ioc","iocs","ir","ransomware","redteam","rmm","security","siem","soc","threat-hunting","threat-intelligence"],"latest_commit_sha":null,"homepage":"","language":"YARA","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mthcht.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":"mthcht","patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"lfx_crowdfunding":null,"custom":null}},"created_at":"2022-12-11T10:45:11.000Z","updated_at":"2026-06-02T08:10:07.000Z","dependencies_parsed_at":"2025-10-28T07:13:35.853Z","dependency_job_id":"a9a81763-49bb-4361-aa95-8eca4edbe03d","html_url":"https://github.com/mthcht/
awesome-lists","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/mthcht/awesome-lists","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mthcht%2Fawesome-lists","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mthcht%2Fawesome-lists/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mthcht%2Fawesome-lists/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mthcht%2Fawesome-lists/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mthcht","download_url":"https://codeload.github.com/mthcht/awesome-lists/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mthcht%2Fawesome-lists/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34093774,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-09T02:00:06.510Z","response_time":63,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"created_at":"2024-04-02T03:10:44.813Z","updated_at":"2026-06-09T06:00:47.015Z","primary_language":null,"list_of_lists":false,"displayable":true,"categories":["Other Lists","Security News","🐾 Threat Hunting:","Threat Hunting:","📂 My Detection Lists","Investigation","Data manipulation","My Detection 
Lists"],"sub_categories":["🛡️ DFIR:","Data manipulation","Investigation","🎙️ Podcasts","🕵️‍♂️ Investigation","📺 Youtube/Twitch channels","📦 Others","📊 TI TTP/Framework/Model/Trackers","Books","📚 Knowledge sites","Detection Resources","Training","🧩 Data manipulation","Others","Security News","🌐 Security News","Knowledge sites","📚 Training","Sandbox","🧪 LAB","More TI","🚫 IOC Feeds/Blacklists:","TI","📡 Detection Resources","Formations","IOC Feeds/Blacklists:","LAB","DFIR","🖥️ SIEM/SOC/PurpleTeam related:","TI TTP/Framework/Model/Trackers","Youtube/Twitch channels","🐙 Github","💬 Discord /Slack channels","📚 Books","Content creation"],"readme":"# Security lists for SOC/DFIR detections [![Awesome](https://awesome.re/badge.svg)](https://awesome.re)\n![dt](https://github.com/mthcht/awesome-lists/assets/75267080/059432aa-cfe9-46d1-a611-fbb225bce66e)\n\n\n\n## 🐾 Threat Hunting:\n- [ThreatHunting keywords Site](https://mthcht.github.io/ThreatHunting-Keywords/)\n- [ThreatHunting keywords Lists](https://github.com/mthcht/ThreatHunting-Keywords)\n- [ThreatHunting Yara rules](https://github.com/mthcht/ThreatHunting-Keywords-yara-rules)\n\n[ThreatHunting searches](https://github.com/mthcht/Purpleteam/tree/main/Detection/Threat%20Hunting/generic)\n\u003cdetails\u003e\n   \n  - [Windows Services Searches](https://detect.fyi/threat-hunting-suspicious-windows-service-names-2f0dceea204c)\n  - [User-Agents Searches](https://mthcht.medium.com/threat-hunting-suspicious-user-agents-3dd764470bd0)\n  - [DNS Over HTTPS Searches](https://mthcht.medium.com/detecting-dns-over-https-30fddb55ac78)\n  - [Suspicious TLDs Searches](https://mthcht.medium.com/threat-hunting-suspicious-tlds-a742c2adbf58)\n  - [HijackLibs Searches](https://mthcht.medium.com/detect-dll-hijacking-techniques-from-hijacklibs-with-splunk-c760d2e0656f)\n  - [Phishing \u0026 DNSTWIST Searches](https://detect.fyi/detecting-phishing-attempts-with-dnstwist-37c426b3bbb8)\n  - [Browsers extensions 
Searches](https://mthcht.medium.com/detecting-browser-extensions-installations-e0ac2b45c46b)\n  - [C2 hiding in plain sigh](https://mthcht.medium.com/c2-hiding-in-plain-sight-7a83963b9344)\n  - [HTML Smuggling artifacts](https://mthcht.medium.com/detecting-html-smuggling-phishing-attempts-15af824e60e4)\n  - [PSEXEC \u0026 similar tools Searches](https://mthcht.medium.com/detecting-psexec-and-similar-tools-c812bf3dca6c)\n  - [Time Slipping detection](https://mthcht.medium.com/event-log-manipulations-1-time-slipping-55bf95631c40)\n  - [Suspicious Named pipes](https://detect.fyi/threat-hunting-suspicious-named-pipes-a4206e8a4bc8)\n \n\u003c/details\u003e\n\n## 📂 My Detection Lists \n- 📋 Lists: https://github.com/mthcht/awesome-lists/tree/main/Lists\n- 🕵️‍♂️ ThreatHunting Guides: https://mthcht.medium.com/list/threat-hunting-708624e9266f\n- 🚰 Suspicious Named pipes: [suspicious_named_pipe_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_named_pipe_list.csv)\n- 🌐 Suspicious TLDs (updated automatically): [[suspicious_TLDs]](https://github.com/mthcht/awesome-lists/tree/main/Lists/TLDs)\n- 🌐 Suspicious ASNs (updated automatically): [[suspicious ASNs]](https://github.com/mthcht/awesome-lists/tree/main/Lists/ASNs)\n- 🌐 FYI Maxmind GeoIP Database (updated automatically): [GeoIP DB](https://github.com/mthcht/awesome-lists/tree/main/Lists/ASNs/correlation_maxmind_geo_db/maxmind_databases/extracted)\n- 🔧 Suspicious Windows Services: [suspicious_windows_services_names_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_windows_services_names_list.csv)\n- ⏲️ Suspicious Windows Tasks: [suspicious_windows_tasks_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_windows_tasks_list.csv)\n- 🚪 Suspicious destination port: [suspicious_ports_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_ports_list.csv)\n- 🛡️ Suspicious Firewall rules: 
[suspicious_windows_firewall_rules_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_windows_firewall_rules_list.csv)\n- 🆔 Suspicious User-agent: [suspicious_http_user_agents_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_http_user_agents_list.csv)\n- 🔏 Suspicious CERTs signer: [\\[suspicious CERTS\\]](https://github.com/mthcht/awesome-lists/tree/main/Lists/CERTS)\n- 📇 Suspicious USB Ids: [suspicious_usb_ids_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_usb_ids_list.csv)\n- 🏷️ Suspicious mutex names: [suspicious_mutex_names_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_mutex_names_list.csv)\n- 🔢 Suspicious MAC address: [suspicious_mac_address_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_mac_address_list.csv)\n- 📛 Suspicious Hostname: [suspicious_hostnames_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_hostnames_list.csv)\n- 🌐 Suspicious Browser Extensions: [Browser Extensions](https://github.com/mthcht/awesome-lists/tree/main/Lists/Browser%20Extensions)\n- 📧 Microsoft App IDs List - BEC Detection [microsoft_apps_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/microsoft_apps_list.csv)\n- 🧮 Metadata Executables: [executables_metadata_informations_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/Windows%20Metadata/executables_metadata_informations_list.csv)\n- 🕸️ DNS over HTTPS server list: [dns_over_https_servers_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/dns_over_https_servers_list.csv)\n- 🕸️ Dynamic DNS domains list:  [dyndns_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/DYNDNS/dyndns_list.csv)\n- 🪝 Phishing lists: [Phishing domains and urls](https://github.com/mthcht/awesome-lists/tree/main/Lists/Phishing)\n- 🕸️ Domains : [\\[sinkholed 
servers\\]](https://github.com/mthcht/awesome-lists/tree/main/Lists/Domains)\n- 🕳️ Sinkholed Domains : [sinkholed_domains.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/Domains/sinkholed_servers/sinkholed_domains.csv)\n- 🕳️ Sinkholed Site: [SINKHOLED](https://github.com/sinkholed/sinkholed.github.io) \n- 📚 Hijacklibs (updated automatically): [hijacklibs_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/Hijacklibs/hijacklibs_list.csv)\n- 🌐 TOR Nodes Lists (updated automatically): [[TOR]](https://github.com/mthcht/awesome-lists/tree/main/Lists/TOR)\n- 🛠️ LOLDriver List (updated automatically): [loldrivers_only_hashes_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/Drivers/loldrivers_only_hashes_list.csv)\n- 🛠️ Malicious Bootloader List (updated automatically): [malicious_bootloaders_only_hashes_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/Drivers/malicious_bootloaders_only_hashes_list.csv)\n- 📜 Malicious SSL Certificates List (updated automatically): [ssl_certificates_malicious_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/SSL%20CERTS/ssl_certificates_malicious_list.csv)\n- 🖥️ RMM detection: [[RMM]](https://github.com/mthcht/awesome-lists/tree/main/Lists/RMM)\n- 👤🔑 Important Roles and groups for AD/EntraID/AWS: [[permissions]](https://github.com/mthcht/awesome-lists/tree/main/Lists/permissions)\n- 💻🔒 Ransomware known file extensions: [ransomware_extensions_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/ransomware_extensions_list.csv)\n- 💻🔒 Ransomware known file name ransom notes: [ransomware_notes_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/ransomware_notes_list.csv)\n- 📝 Windows ASR rules: [windows_asr_rules.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/windows_asr_rules.csv)\n- 🌐 DNSTWIST Lists (updated automatically): [DNSTWIST Default Domains + 
script](https://github.com/mthcht/awesome-lists/tree/main/Lists/Phishing/DNSTWIST)\n- 🌍 VPN [IP address Lists](https://github.com/mthcht/awesome-lists/tree/main/Lists/VPN) (updated automatically): \n  - 🛡️ NordVPN: [nordvpn_ips_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/VPN/NordVPN/nordvpn_ips_list.csv)\n  - 🛡️ ProtonVPN: [protonvpn_ip_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/VPN/ProtonVPN/protonvpn_ip_list.csv)\n  - 🛡️ SurfShark: [surfshark_vpn_servers_domains_and_ips_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/VPN/SurfSharkVPN/surfshark_vpn_servers_domains_and_ips_list.csv)\n  - 🛡️ MullVad: [mullvad_relay_servers_ips_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/VPN/MullVad/mullvad_relay_servers_ips_list.csv)\n- 🌍 PROXIES [PROXY IP/Port Lists](https://github.com/mthcht/awesome-lists/tree/main/Lists/PROXY)\n- 🏢 Companies IP Range Lists (updated automatically): [Default Lists + script](https://github.com/mthcht/awesome-lists/tree/main/Lists/Ranges_IP_Address_Company_List/bgp.he.net) / [Microsoft](https://github.com/mthcht/awesome-lists/tree/main/Lists/Ranges_IP_Address_Company_List/Microsoft)\n- 📍  GeoIP services Lists: [ip_location_sites_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/GeoIP/ip_location_sites_list.csv)\n- 🧬 Yara rules: [Threat Hunting yara rules](https://github.com/mthcht/ThreatHunting-Keywords-yara-rules)\n- 🧬 Offensive Tools detection patterns: [offensive_tool_keywords.csv](https://raw.githubusercontent.com/mthcht/ThreatHunting-Keywords/main/offensive_tool_keyword.csv)\n- 🧬 Greyware Tools detection patterns: [greyware_tool_keyword.csv](https://raw.githubusercontent.com/mthcht/ThreatHunting-Keywords/main/greyware_tool_keyword.csv)\n- 🧬 AV signatures keywords: [signature_keyword.csv](https://github.com/mthcht/ThreatHunting-Keywords/blob/main/signature_keyword.csv)\n- 🧬 Microsoft Defender AV signatures lists: 
[[Defender]](https://github.com/mthcht/awesome-lists/tree/main/Lists/AV%20signatures/Defender) + [yara](https://github.com/mthcht/awesome-lists/tree/main/Lists/Others/Defender_yara_rules)\n- 🧬 ClamAV signatures lists: [[ClamAV]](https://github.com/mthcht/awesome-lists/tree/main/Lists/AV%20signatures/ClamAV)  \n- 🔗 Others correlation Lists: [[Others]](https://github.com/mthcht/awesome-lists/tree/main/Lists/Others)\n- 📋 Lists i need to finish: [[todo]](https://github.com/mthcht/awesome-lists/tree/main/Lists/Others/todo)\n\nI regularly update most of these lists after each tool i analyze in my [detection keywords](https://github.com/mthcht/ThreatHunting-Keywords) project\n\n## Other Lists\n\n\n### 🛡️ DFIR:\n\n\u003cdetails\u003e\n\n  - [🔥 EricZimmerman Tools 🔥](https://ericzimmerman.github.io/#!index.md)\n  - [usnjrnl_rewind](https://github.com/CyberCX-DFIR/usnjrnl_rewind)\n  - [dfir-orc](https://github.com/dfir-orc)\n  - [dfir-orc-config](https://github.com/DFIR-ORC/dfir-orc-config)\n  - [Arsenal Recon Forensic tools](https://arsenalrecon.com/downloads)\n  - [Splunk4DFIR](https://github.com/mf1d3l/Splunk4DFIR)\n  - [dfiq](https://github.com/google/dfiq)\n  - [Mind maps](https://github.com/AndrewRathbun/DFIRMindMaps)\n  - [arfifacts List - DFIRArtifactMuseum](https://github.com/AndrewRathbun/DFIRArtifactMuseum)\n  - [arfifacts List - ForensicArtifacts](https://github.com/ForensicArtifacts/artifacts)\n  - [Autopsy](https://www.autopsy.com/download/)\n  - [SleuthKit](https://github.com/sleuthkit/sleuthkit)\n  - [\\[OS\\] SIFT Workstation](https://www.sans.org/tools/sift-workstation/)\n  - [\\[OS\\] Remnux](https://remnux.org/)\n  - [\\[OS\\] sof-elk](https://github.com/philhagen/sof-elk)\n  - [\\[OS\\] tsurugi](https://tsurugi-linux.org/)\n  - [\\[OS\\] DEFT](https://distrowatch.com/table.php?distribution=deft)\n  - [\\[OS\\] Flare VM](https://github.com/mandiant/flare-vm)\n  - [PSBits](https://github.com/gtworek/PSBits/tree/master/DFIR)\n  - [Yara - Threat 
Hunting](https://github.com/mthcht/ThreatHunting-Keywords-yara-rules) + [TH](https://github.com/mthcht/ThreatHunting-Keywords)\n  - [Yara - Forge](https://github.com/YARAHQ/yara-forge) \n  - [capa](https://github.com/mandiant/capa)\n  - [Malcontent](https://github.com/chainguard-dev/malcontent)\n  - [\\[Event parser\\] evtx](https://github.com/omerbenamram/evtx)\n  - [\\[Event Parser\\] procmon-parser](https://github.com/eronnen/procmon-parser)\n  - [\\[Event Parser\\] Linux - MasterParser](https://github.com/securityjoes/MasterParser)\n  - [\\[EVTX\\] Hayabusa](https://github.com/Yamato-Security/hayabusa)\n  - [\\[EVTX\\] WELA](https://github.com/Yamato-Security/WELA)\n  - [\\[EVTX\\] chainsaw](https://github.com/WithSecureLabs/chainsaw)\n  - [\\[EVTX\\] APTHunter](https://github.com/ahmedkhlief/APT-Hunter/)\n  - [\\[EVTX / Auditd\\] Zircolite](https://github.com/wagga40/Zircolite)\n  - [werejugo](https://github.com/MarkBaggett/werejugo)\n  - [srum-dump](https://github.com/MarkBaggett/srum-dump)\n  - [ADTimeline](https://github.com/ANSSI-FR/ADTimeline)\n  - [PersistenceSniper](https://github.com/last-byte/PersistenceSniper)\n  - [\\[O365\\] Logs - Microsoft-Analyzer-Suite](https://github.com/evild3ad/Microsoft-Analyzer-Suite)\n  - [Logon Tracer](https://github.com/JPCERTCC/LogonTracer)\n  - [Timeline Plaso](https://github.com/log2timeline/plaso)\n  - [Timeline TimeSketch](https://github.com/google/timesketch)\n  - [regripper](https://github.com/warewolf/regripper)\n  - [OneDrive OCR DB artifact collector exe](https://github.com/vxunderground/OCRMe/)\n  - [OneDrive OCR DB artifact collector python ](https://github.com/Beercow/OCRMe)\n  - [hollows hunter](https://github.com/hasherezade/hollows_hunter)\n  - [PE sieve](https://github.com/hasherezade/pe-sieve)\n  - [RdpCacheStitcher](https://github.com/BSI-Bund/RdpCacheStitcher)\n  - [Searching strings - ripgrep](https://github.com/BurntSushi/ripgrep)\n  - [Searching strings - 
Recoll](https://www.recoll.org/pages/recoll-windows.html)\n  - [Kape](https://www.kroll.com/en/insights/publications/cyber/kroll-artifact-parser-extractor-kape)\n  - [Kape Files](https://github.com/EricZimmerman/KapeFiles)\n  - [More Kape ressources](https://github.com/AndrewRathbun/Awesome-KAPE)\n  - [VolatileDataCollector](https://github.com/gtworek/VolatileDataCollector)\n  - [Velociraptor](https://github.com/Velocidex/velociraptor)\n  - [TZ tools](https://www.tzworks.com/download_links.php)\n  - [Nirsoft tools](https://www.nirsoft.net/)\n  - [\\[memory\\] MemDump](https://nircmd.nirsoft.net/memdump.html)\n  - [\\[memory\\] MemProcFS](https://github.com/ufrisk/MemProcFS)\n  - [\\[memory\\] MemProcFS-Analyzer](https://github.com/LETHAL-FORENSICS/MemProcFS-Analyzer)\n  - [\\[memory\\] avml](https://github.com/microsoft/avml)\n  - [\\[memory\\] WinPmem](https://github.com/Velocidex/WinPmem)\n  - [\\[memory\\] Volatility](https://github.com/volatilityfoundation/volatility3/)\n  - [\\[Image Mount\\] FTK Imager](https://www.exterro.com/ftk-product-downloads)\n  - [\\[Image Mount\\] OSFMount](https://www.osforensics.com/tools/mount-disk-images.html)\n  - [\\[Network\\] Network Miner](https://www.netresec.com/?page=NetworkMiner)\n  - [\\[Network\\] Wireshark](https://www.wireshark.org/)\n  - [\\[Network\\] xplico](https://www.xplico.org/)\n  - [\\[Carving\\] PhotoRec](https://www.cgsecurity.org/wiki/PhotoRec)\n  - [\\[Carving\\] Bulk Extractor](https://github.com/simsong/bulk_extractor)\n  - [Didier Stevens tools](https://blog.didierstevens.com/programs/)\n  - [\\[memory\\] Lime](https://github.com/504ensicsLabs/LiME)\n  - [Windows artifacts](https://github.com/Psmths/windows-forensic-artifacts)\n  - [\\[Linux\\] UAC](https://github.com/tclahr/uac)\n  - [\\[Linux\\] EXT4 / XFS - fjta](https://github.com/mnrkbys/fjta)\n  - [lists - aboutdfir.com](https://aboutdfir.com/)\n  - [Monitoring - Osquery](https://github.com/osquery/osquery)\n  - [\\[IR Guide\\] OpenProject 
](https://github.com/DebugPrivilege/OpenProject)\n  - [\\[OSX Tools\\] Knockknock](objective-see.com/products/knockknock.html)\n  - [\\[OSX Tools\\] mac_apt](https://github.com/ydkhatri/mac_apt)\n  - [Browser Chrome Extensions DNS Forensic](https://github.com/arsolutioner/ExtensionHound)\n\n\u003c/details\u003e\n\n### 🚫 IOC Feeds/Blacklists:\n\n\u003cdetails\u003e \n\n- [ABUSE.CH BLACKLISTS](https://sslbl.abuse.ch/blacklist/)\n- [Block Lists](https://github.com/blocklistproject/Lists)\n- [DNS Block List](https://github.com/hagezi/dns-blocklists)\n- [Phishing Block List](https://github.com/jarelllama/Scam-Blocklist)\n- [Binary Defense IP Block List](https://www.binarydefense.com/banlist.txt)\n- [C2IntelFeeds](https://github.com/drb-ra/C2IntelFeeds)\n- [Volexity TI](https://github.com/volexity/threat-intel)\n- [Open Source TI](https://github.com/Bert-JanP/Open-Source-Threat-Intel-Feeds)\n- [C2 Tracker](https://github.com/montysecurity/C2-Tracker)\n- [Unit42 IOC](https://github.com/mthcht/iocs)\n- [Sekoia IOC](https://github.com/SEKOIA-IO/Community/tree/main/IOCs)\n- [Unit42 Timely IOC](https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel)\n- [Unit42 Articles IOC](https://github.com/PaloAltoNetworks/Unit42-Threat-Intelligence-Article-Information)\n- [ThreatFOX IOC](https://threatfox.abuse.ch/export/)\n- [Zscaler ThreatLabz IOC](https://github.com/threatlabz/iocs)\n- [Zscaler ThreatLabz Ransomware notes](https://github.com/ThreatLabz/ransomware_notes)\n- [experiant.ca](https://fsrm.experiant.ca/api/v1/get])\n- [Sophos lab IOC](https://github.com/sophoslabs/IoCs)\n- [ESET Research IOC](https://github.com/eset/malware-ioc)\n- [ExecuteMalware IOC](https://github.com/executemalware/Malware-IOCs)\n- [Cisco Talos IOC](https://github.com/Cisco-Talos/IOCs)\n- [Elastic Lab IOC](https://github.com/elastic/labs-releases/tree/main/indicators)\n- [Blackorbid APT Report IOC](https://github.com/blackorbird/APT_REPORT)\n- [AVAST IOC](https://github.com/avast/ioc)\n- 
[Zimperium IOC](https://github.com/Zimperium/IOC)\n- [HarfangLab IOC](https://github.com/HarfangLab/iocs)\n- [DoctorWeb IOC](https://github.com/DoctorWebLtd/malware-iocs)\n- [BlackLotusLab IOC](https://github.com/blacklotuslabs/IOCs)\n- [prodaft IOC](https://github.com/prodaft/malware-ioc)\n- [Pr0xylife DarkGate IOC](https://github.com/pr0xylife/DarkGate)\n- [Pr0xylife Latrodectus IOC](https://github.com/pr0xylife/Latrodectus)\n- [Pr0xylife WikiLoader IOC](https://github.com/pr0xylife/WikiLoader)\n- [Pr0xylife SSLoad IOC](https://github.com/pr0xylife/SSLoad)\n- [Pr0xylife Pikabot IOC](https://github.com/pr0xylife/Pikabot)\n- [Pr0xylife Matanbuchus IOC](https://github.com/pr0xylife/Matanbuchus)\n- [Pr0xylife QakBot IOC](https://github.com/pr0xylife/Qakbot)\n- [Pr0xylife IceID IOC](https://github.com/pr0xylife/IcedID)\n- [Pr0xylife Emotet IOC](https://github.com/pr0xylife/Emotet)\n- [Pr0xylife BumbleBee IOC](https://github.com/pr0xylife/Bumblebee)\n- [Pr0xylife Gozi IOC](https://github.com/pr0xylife/Gozi)\n- [Pr0xylife NanoCore IOC](https://github.com/pr0xylife/Nanocore)\n- [Pr0xylife NetWire IOC](https://github.com/pr0xylife/Netwire)\n- [Pr0xylife AsyncRAT IOC](https://github.com/pr0xylife/AsyncRAT)\n- [Pr0xylife Lokibot IOC](https://github.com/pr0xylife/Lokibot)\n- [Pr0xylife RemcosRAT IOC](https://github.com/pr0xylife/RemcosRAT)\n- [Pr0xylife nworm IOC](https://github.com/pr0xylife/nworm)\n- [Pr0xylife AZORult IOC](https://github.com/pr0xylife/AZORult)\n- [Pr0xylife NetSupportRAT IOC](https://github.com/pr0xylife/NetSupportRAT)\n- [Pr0xylife BitRAT IOC](https://github.com/pr0xylife/BitRAT)\n- [Pr0xylife BazarLoader IOC](https://github.com/pr0xylife/BazarLoader)\n- [Pr0xylife SnakeKeylogger IOC](https://github.com/pr0xylife/SnakeKeylogger)\n- [Pr0xylife njRat IOC](https://github.com/pr0xylife/njRat)\n- [Pr0xylife Vidar IOC](https://github.com/pr0xylife/Vidar)\n- [Pr0xylife Warmcookie IOC](https://github.com/pr0xylife/Warmcookie-Badspace)\n- [Cloud Intel 
IOC](https://github.com/unknownhad/CloudIntel)\n- [Phihsing urls - last week feed](https://file.jeroengui.be/phishing/last_week.txt)\n- [SpamHaus drop.txt](https://www.spamhaus.org/drop/drop.txt)\n- [SpamHaus drop + ASN](https://www.spamhaus.org/blocklists/do-not-route-or-peer/)\n- [UrlHaus_misp](https://urlhaus.abuse.ch/downloads/misp/)\n- [UrlHaus_misp ASN](https://urlhaus.abuse.ch/feeds/)\n- [UrlHaus](https://urlhaus.abuse.ch/api/#csv)\n- [vx-underground - Great Resource for Samples and Intelligence Reports](https://vx-underground.org/Samples)\n- [Ransomware.live](https://ransomware.live)\n- [rosti.bin public reports feed](https://rosti.bin.re/feeds)\n\n\u003c/details\u003e \n\n### 🐙 Github\n\n\u003cdetails\u003e\n\n- [More github lists](https://github.com/mthcht?tab=stars\u0026user_lists_direction=asc\u0026user_lists_sort=name)\n\n\u003c/details\u003e\n\n### 🖥️ SIEM/SOC/PurpleTeam related:\n\u003cdetails\u003e\n  \n- [EDR Telemetry](https://github.com/tsale/EDR-Telemetry)\n- [PurpleTeam Scripts](https://github.com/mthcht/Purpleteam)\n- [Awesome-SOC](https://github.com/cyb3rxp/awesome-soc)\n- [Awesome SOC analyst](https://github.com/st0pp3r/awesome-soc-analyst)\n- [Threat-Hunting with Splunk](https://github.com/mthcht/ThreatHunting-Keywords)\n- [Detection Lists](https://github.com/mthcht/awesome-lists/Lists)\n- [PurpleTeam atomics](https://github.com/redcanaryco/atomic-red-team)\n\n\u003c/details\u003e \n\n### 📊 TI TTP/Framework/Model/Trackers \n\n\u003cdetails\u003e\n  \n- [Tools used by ransomware groups - @BushidoToken](https://github.com/BushidoUK/Ransomware-Tool-Matrix)\n- [Tools used by Russian APT](https://github.com/BushidoUK/Russian-APT-Tool-Matrix)\n- [Tools associated with groups (partial)](https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU)\n- [Techniques - MITRE ATT\u0026CK](https://attack.mitre.org/techniques/enterprise/)\n- [Tactics - MITRE ATT\u0026CK](https://attack.mitre.org/tactics/enterprise/)\n- [Groups 
\u0026 Operations Naming conventions matrix](https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU)\n- [Mitigation - MITRE ATT\u0026CK](https://attack.mitre.org/mitigations/enterprise/)\n- [ATT\u0026CK matrix navigator](https://mitre-attack.github.io/attack-navigator/)\n- [All MITRE data in xlsx format](https://attack.mitre.org/resources/attack-data-and-tools/) \n- [Tools used by threat actor groups - MITRE ATT\u0026CK](https://attack.mitre.org/software/)\n- [atomic-red-team](https://github.com/redcanaryco/atomic-red-team)\n- [redcanary Threat Detection report](https://redcanary.com/threat-detection-report/)\n- [The-Unified-Kill-Chain](https://www.unifiedkillchain.com/assets/The-Unified-Kill-Chain.pdf)\n- [TTP pyramid](https://scythe.io/library/summiting-the-pyramid-of-pain-the-ttp-pyramid)\n- [Pyramid of pain](https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html)\n- [Cyber Kill chain](https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html)\n- [MITRE D3FEND](https://d3fend.mitre.org/)\n- [MITRE CAPEC](https://capec.mitre.org/)\n- [MITRE CAR](https://car.mitre.org/)\n- [MITRE DeTTECT](https://github.com/rabobank-cdc/DeTTECT)\n- [MITRE PRE-ATT\u0026CK Techniques](https://attack.mitre.org/versions/v7/techniques/pre/)\n- [APTMAP](https://github.com/andreacristaldi/APTmap)\n- [CVE Vuln Database](https://cve.mitre.org/)\n- [CVE Vuln Framework](https://github.com/CERTCC/SSVC)\n- [REACT framework](https://atc-project.github.io/react-navigator/)\n- [🔥ALL TI Reports🔥](https://github.com/mthcht/ThreatIntel-Reports)\n- [🔥ALL TI Reports searches🔥](https://mthcht.github.io/ThreatIntel-Reports/)\n  \n\u003c/details\u003e\n\n\n### 🕵️‍♂️ Investigation\n\n#### 📊 TI checks\n\n\u003cdetails\u003e\n  \n  - [Virustotal](https://www.virustotal.com/#/home/search)\n  - [SpamHaus](https://check.spamhaus.org/)\n  - [app.spur.us](https://app.spur.us/)\n  - [AbuseIPDB](https://www.abuseipdb.com/)\n  - [Telegram BOT 
hunting](https://matkap.cti.monster/)\n  - [Malwarebazaar](https://bazaar.abuse.ch/)\n  - [emailrep](https://emailrep.io/)\n  - [dnsdumpster](https://dnsdumpster.com/)\n  - [nslookup.io](https://www.nslookup.io/)\n  - [cloudfare URL scan](https://radar.cloudflare.com/scan)\n  - [proxy IP check - proxycheck.io](https://proxycheck.io/web/)\n  - [reputation IP check criminalip](https://www.criminalip.io/en)\n  - [proxy IP check - iphub.info](https://iphub.info/)\n  - [shodan](https://www.shodan.io/)\n  - [Onyphe](https://www.onyphe.io/)\n  - [haveibeenpwned](https://haveibeenpwned.com/)\n  - [leakcheck.io](leakcheck.io)\n  - [Censys](https://search.censys.io/)\n  - [cybergordon (URL reputation check)](https://cybergordon.com/)\n  - [threatminer](https://www.threatminer.org/)\n  - [urlscan](https://urlscan.io/)\n  - [Apptotal (apps and extensions analysis)](https://apptotal.io/)\n  - [urlquery](http://urlquery.net/)\n  - [cloudfare scanner](https://radar.cloudflare.com/)\n  - [scamsearch.io](https://scamsearch.io/#anchorCeckNow)\n  - [scamdb.net](https://www.scamdb.net/)\n  - [urlvoid](https://www.urlvoid.com)\n  - [urldna.io](https://urldna.io/)\n  - [url checkphish](https://checkphish.bolster.ai/)\n  - [ipvoid](https://www.ipvoid.com/)\n  - [mxtoolbox](https://mxtoolbox.com/NetworkTools.aspx)\n  - [mxtoolbox mail header](https://mxtoolbox.com/EmailHeaders.aspx)\n  - [Microsoft TI](https://ti.defender.microsoft.com/)\n  - [pulsedive](https://pulsedive.com/)\n  - [URL Redirect Checker](https://redirect-checker.net/)\n  - [threatbook](https://threatbook.io/)\n  - [web archive](https://web.archive.org/)\n  - [McAfee Threat Intelligence Exchange](https://www.mcafee.com/enterprise/en-us/products/threat-intelligence-exchange.html)\n  - [Kaspersky Security Network](https://www.kaspersky.com/security-network)\n  - [Microsoft Security Intelligence Report](https://www.microsoft.com/en-us/wdsi/intelligence-report)\n  - [IBM X-Force 
Exchange](https://exchange.xforce.ibmcloud.com/) \n  - [AlienVault OTX](https://otx.alienvault.com/)\n  - [greynoise](https://viz.greynoise.io/)\n  - [whoxy](https://www.whoxy.com/reverse-whois/)\n  - [url tiny-scan](https://www.tiny-scan.com/)\n  - [certificates - crt.sh](https://crt.sh/)\n  - [site web-check](https://web-check.as93.net/)\n  - [validin.com](https://app.validin.com/)\n  - [Browser Extension CRX checker](https://crxaminer.tech/)\n  - [.EXE lookup - echotrail](https://www.echotrail.io/)\n  - [Malware-Traffic-Analysis (PCAP files)](https://malware-traffic-analysis.net/)\n  - [redhuntlabs](https://redhuntlabs.com/online-ide-search)\n  - [whois domaintools](https://whois.domaintools.com/)\n  - [ASN check bgp.he](/bgp.he.net/)\n  - [viewdns](http://viewdns.info/)\n  - [OUI mac address lookup](https://www.wireshark.org/tools/oui-lookup.html)\n  - [macvendorlookup](https://www.macvendorlookup.com/)\n  - [.EXE lookup - xcyclopedia](https://strontic.github.io/xcyclopedia/)\n  - [abuse.ch](https://abuse.ch/#platforms)\n  - [malware-traffic-analysis](https://www.malware-traffic-analysis.net/index.html)\n  - [waybackmachine](http://web.archive.org/)\n  - [Online Paste Tools Lookup](https://redhuntlabs.com/online-ide-search/)\n  - [dnshistory](https://dnshistory.org/)\n  - [asnlookup](https://asnlookup.com/)\n  - [Browser extension checker - CRXaminer](https://crxaminer.tech/)\n  - [ipinfo.io](https://ipinfo.io)\n  - [fofa.info](https://fofa.info/)\n  - [SecurityTrail](https://securitytrails.com/)\n  - [ZommEye](https://www.zoomeye.ai/)\n  - [BlueCoat lookup](https://sitereview.bluecoat.com/)\n  - [Norton lookup](https://safeweb.norton.com/)\n  - [Fortinet lookup](https://www.fortiguard.com/webfilter)\n  - [McAfee lookup](https://sitelookup.mcafee.com/)\n  - [Trellix lookup](https://trustedsource.org/)\n  - [Palo Alto lookup](https://urlfiltering.paloaltonetworks.com/query/)\n  - [Talos Intelligence lookup](https://www.talosintelligence.com/reputation_center)\n  
- [Checkpoint lookup](https://urlcat.checkpoint.com/urlcat/main.htm)\n  - [Cyren lookup](https://www.cyren.com/security-center/url-category-check-gate)\n  - [Forcepoint lookup](https://support.forcepoint.com/s/site-lookup)\n  - [TrendMicro lookup](https://global.sitesafety.trendmicro.com/)\n  - [USB \u0026 PCI database - DeviceHunt](https://devicehunt.com/)\n\n\u003c/details\u003e\n\n#### 🔬 Sandbox / Emulation\n\n\u003cdetails\u003e\n  \n- [Sandbox Anyrun](https://any.run/)\n- [triage](https://tria.ge/s)\n- [capesandbox](https://www.capesandbox.com/)\n- [joesandbox](https://www.joesandbox.com/analysispaged/0)\n- [filescan.io](https://www.filescan.io/)\n- [Hybrid Analysis](https://www.hybrid-analysis.com/)\n- [virustotal](https://www.virustotal.com)\n- [threat zone](https://app.threat.zone/scan)\n- [vmray](https://www.vmray.com/)\n- [kaspersky opentip](https://opentip.kaspersky.com/requests)\n- [speakeasy (kernel and user mode emulation)](https://github.com/mandiant/speakeasy)\n- [DOGGuard](https://app.docguard.io/)\n- [Kaspersky Threat Intelligence Portal](https://opentip.kaspersky.com/?tab=upload)\n\n\u003c/details\u003e\n\n\n### 🧩 Data manipulation\n\n\u003cdetails\u003e\n\n- [CyberChef](https://gchq.github.io/CyberChef/)\n- [jsoncrack](https://jsoncrack.com/editor)\n- [Grok debugger](https://grokdebugger.com/)\n- [JS deobfuscator](https://lelinhtinh.github.io/de4js/)\n- [PCAP online analyzer](https://apackets.com/)\n- [Hash calculator](https://md5calc.com/hash)\n- [regex101](https://regex101.com/)\n- [PCAP Analyzer Online](https://apackets.com/)\n- [Javascript Deobfuscator - deobfuscate.relative.im](https://deobfuscate.relative.im/)\n- [Javascript Deobfuscator - de4js](https://lelinhtinh.github.io/de4js/)\n- [JSONViewer](https://jsonviewer.stack.hu/)\n- [TextMechanic](https://textmechanic.com/)\n- [UrlEncode.org](https://www.urlencoder.org/)\n- [TextFixer](https://www.textfixer.com/)\n- [RegExr](https://regexr.com/)\n- [TextUtils](https://textutils.com/)\n- 
[TextCompactor](https://textcompactor.com/)\n- [Pretty Diff](https://prettydiff.com/)\n- [XML Tree](http://www.xmltree.com/)\n- [Online XML Formatter and Beautifier](https://www.freeformatter.com/xml-formatter.html)\n- [XML Escape Tool](https://www.freeformatter.com/xml-escape.html)\n- [DiffChecker](https://www.diffchecker.com/)\n- [CSVJSON](https://www.csvjson.com/)\n- [HTML Formatter](https://htmlformatter.com/)\n- [Text Tool](https://texttools.netlify.app/)\n- [String Manipulation Tool](https://string-functions.com/)\n- [unshorten it](https://www.unshorten.it)\n- [urlunscrambler](https://www.urlunscrambler.com/)\n- [longurl](https://www.longurl.org/)\n- [Message Header Analyzer](https://mha.azurewebsites.net/pages/mha.html)\n- [MXToolbox EmailHeaders](https://mxtoolbox.com/EmailHeaders.aspx)\n- [Email Header Analyzer](https://emailheaders.verification-check.com/)\n- [Email Header Analysis](https://www.email-format.com/header-analysis/)\n- [Excel table to Markdown table](https://thisdavej.com/copy-table-in-excel-and-paste-as-a-markdown-table/)\n- [uncoder](https://uncoder.io/)\n- [DeHashed](https://dehashed.com/)\n- [IT tools](https://it-tools.tech/)\n- [ChatGPT](https://chatgpt.com/)\n\n\u003c/details\u003e\n\n\n### 📡 Detection Resources\n\n\u003cdetails\u003e\n\n- [Detection Lists](https://github.com/mthcht/awesome-lists/tree/main/Lists)\n- [MITRE techniques](https://attack.mitre.org/techniques/enterprise/)\n- [MITRE Updates](https://attack.mitre.org/resources/updates/)\n- [MITRE D3fend](https://d3fend.mitre.org/)\n- [MITRE Navigator](https://mitre-attack.github.io/attack-navigator/)\n- [MITRE Datasources](https://attack.mitre.org/datasources/)\n- [GTFOBins](https://github.com/mthcht/GTFOBins.github.io)\n- [LOLBAS](https://github.com/mthcht/LOLBAS)\n- [LOTS](https://lots-project.com/)\n- [LOLRMM](https://github.com/magicsword-io/LOLRMM)\n- 
[loldrivers](https://www.loldrivers.io/)\n- [LOLC2](https://github.com/lolc2/lolc2.github.io)\n- [LOLESXI](https://github.com/LOLESXi-Project/LOLESXi)\n- [WTFBIN](https://wtfbins.wtf/)\n- [Sigma](https://github.com/mthcht/sigma/tree/master/rules)\n- [Splunk Rules](https://research.splunk.com/detections/)\n- [Elastic Rules](https://github.com/elastic/detection-rules)\n- [DFIR-Report Sigma-Rules](https://github.com/The-DFIR-Report/Sigma-Rules)\n- [JoeSecurity Sigma-Rules](https://github.com/joesecurity/sigma-rules/tree/master/rules)\n- [mdecrevoisier Sigma-Rules](https://github.com/mdecrevoisier/SIGMA-detection-rules)\n- [P4T12ICK Sigma-Rules](https://github.com/P4T12ICK/Sigma-Rule-Repository)\n- [tsale Sigma-Rules](https://github.com/tsale/Sigma_rules)\n- [list of detection resources](https://github.com/jatrost/awesome-detection-rules)\n- [KQL Hunting Queries](https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules)\n- [detection engineering resources](https://github.com/infosecB/awesome-detection-engineering)\n- [Defender Resource](https://defenderresourcehub.info/)\n- [awesome-threat-detection](https://github.com/0x4D31/awesome-threat-detection)\n- [LOLOLFarm](https://lolol.farm/)\n\n\u003c/details\u003e\n\n\n\n### 🌐 Security News\n\n\u003cdetails\u003e\n\n- [Adam Chester Blog Feed](https://blog.xpnsec.com/rss.xml)\n- [ahnlab apt feed](https://asec.ahnlab.com/en/category/apt-en/feed/)\n- [ahnlab cert feed](https://asec.ahnlab.com/en/category/cert-en/feed)\n- [ahnlab phishing feed](https://asec.ahnlab.com/en/category/phishing-scam-en/feed)\n- [ahnlab trend feed](https://asec.ahnlab.com/en/category/trend-en/feed)\n- [Akamai blog feed](https://feeds.feedburner.com/akamai/blog)\n- [Any.run malware analysis blog feed](https://any.run/cybersecurity-blog/category/malware-analysis/feed/)\n- [Avast Blog feed](https://blog.avast.com/rss.xml)\n- [badsectorlabs Last week in security - 
Redteam](https://blog.badsectorlabs.com/feeds/all.atom.xml)\n- [bi-zone blog feed](https://medium.com/feed/@bi-zone)\n- [bitdefender labs feed](https://www.bitdefender.com/nuxt/api/en-us/rss/labs/)\n- [binarydefense blog feed](https://www.binarydefense.com/feed/)\n- [Blackberry blog](https://blogs.blackberry.com/en/home)\n- [Bleepingcomputer Feed](https://www.bleepingcomputer.com/feed/)\n- [broadcom blog feed](https://sed-cms.broadcom.com/rss/v1/blogs/rss.xml)\n- [CERT FR Alerts](https://www.cert.ssi.gouv.fr/alerte/)\n- [CERT FR Avis (advisories)](https://www.cert.ssi.gouv.fr/avis/)\n- [CERT LV feed](https://cert.lv/en/feed/rss/all)\n- [CERT PL feed](https://cert.pl/en/rss.xml)\n- [CERT SE feed](https://www.cert.se/feed.rss)\n- [CERT SI feed](https://www.cert.si/en/category/news/feed/)\n- [CERT UA feed](https://cert.gov.ua/api/articles/rss)\n- [CERT-FR](https://www.cert.ssi.gouv.fr/)\n- [Checkpoint Research feed](https://research.checkpoint.com/feed)\n- [CIRT bd feed](https://www.cirt.gov.bd/feed/)\n- [CISA news feed](https://www.cisa.gov/cybersecurity-advisories/all.xml)\n- [CISA news](https://www.cisa.gov/news-events/news)\n- [Cisco Talos](https://www.talosintelligence.com/)\n- [claroty team82 research](https://claroty.com/team82/research/)\n- [Cloudflare security feed](https://blog.cloudflare.com/tag/security/rss)\n- [Clément Notin Feed](https://clement.notin.org/feed.xml)\n- [crowdstrike counter adversary operations blog](https://www.crowdstrike.com/en-us/blog/category.counter-adversary-operations/)\n- [deepinstinct blog](https://www.deepinstinct.com/blog)\n- [detect.fyi](https://detect.fyi/)\n- [Detection engineering weekly](https://www.detectionengineering.net/)\n- [DFIR weekly news](https://thisweekin4n6.com/)\n- [DFIR weekly news feed](https://thisweekin4n6.wordpress.com/feed/)\n- [drweb virus alert feed](https://news.drweb.com/rss/get/?c=9)\n- [eclecticiq threat 
intel](https://www-eclecticiq-com.sandbox.hs-sites.com/blog?type=intelligence-research#overview)\n- [Elastic security labs blog](https://www.elastic.co/security-labs)\n- [elastic security labs blog feed](https://www.elastic.co/security-labs/rss/feed.xml)\n- [EricaZelic Blog](https://ericazelic.medium.com/)\n- [forcepoint lab blog](https://www.forcepoint.com/blog/x-labs)\n- [genians threat intel feed](https://www.genians.co.kr/blog/threat_intelligence/rss.xml)\n- [gi7w0rm threat intel feed](https://medium.com/feed/@gi7w0rm)\n- [Google Project Zero blog feed](https://googleprojectzero.blogspot.com/feeds/posts/default?alt=rss)\n- [Google threat intelligence feed](https://feeds.feedburner.com/threatintelligence/pvexyqv7v0v)\n- [Google Threat Intelligence](https://cloud.google.com/blog/topics/threat-intelligence)\n- [Google Threat analysis feed](https://blog.google/threat-analysis-group/rss/)\n- [Group-IB feed](https://blog.group-ib.com/rss.xml)\n- [HackerNews Feed](https://feeds.feedburner.com/TheHackersNews)\n- [harfanglab lab feed](https://harfanglab.io/insidethelab/feed/)\n- [hexacorn blog feed](http://www.hexacorn.com/blog/feed/)\n- [horizon3 Feed](https://www.horizon3.ai/feed/)\n- [hunt.io blog](https://hunt.io/blog)\n- [huntress blog feed](https://www.huntress.com/blog/rss.xml)\n- [IC3 CSA feed](https://www.ic3.gov/CSA/rss)\n- [Infostealers Hub News Feed](https://www.infostealers.com/learn-info-stealers/feed/)\n- [infostealers reports feed](https://www.infostealers.com/info-stealers-reports/feed/)\n- [Intrinsec feed](https://www.intrinsec.com/feed/)\n- [isc sans edu feed](https://isc.sans.edu/rssfeed.xml)\n- [JPCERT feed](https://blogs.jpcert.or.jp/en/atom.xml)\n- [JPCERT](https://www.jpcert.or.jp/english/)\n- [krebsonsecurity feed](https://krebsonsecurity.com/feed/)\n- [malwarebytes blog feed](https://www.malwarebytes.com/blog/feed/index.xml)\n- [malwaretech feed](https://www.malwaretech.com/feed)\n- [Mauricio Velazco Blog](https://medium.com/@mvelazco)\n- 
[mcafee labs feed](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/feed/)\n- [Michael Haag Blog](https://haggis-m.medium.com/)\n- [Microsoft security blog feed](https://www.microsoft.com/en-us/security/blog/feed/)\n- [Microsoft Incident response ninja hub](https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/welcome-to-the-microsoft-incident-response-ninja-hub/4243594)\n- [Microsoft Threat Intel feed](https://www.microsoft.com/en-us/security/blog/topic/threat-intelligence/feed)\n- [morphisec threat research](https://blog.morphisec.com/topic/threat-research)\n- [NCC Group research feed](https://research.nccgroup.com/feed/)\n- [nccgroup research blog security](https://www.nccgroup.com/us/research-blog/?resource=18345\u0026category=18146#hub)\n- [NCSC news feed](https://feeds.english.ncsc.nl/news.rss)\n- [NIST CVEs](https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=false\u0026results_type=overview\u0026form_type=Basic\u0026search_type=all\u0026startIndex=0)\n- [NIST cybersecurity insights feed](https://www.nist.gov/blogs/cybersecurity-insights/rss.xml)\n- [Offensive Research - DSAS by INJECT](https://blog.injectexp.dev/)\n- [orangecyberdefense Intel](https://www.orangecyberdefense.com/global/blog?tx_solr%5Bfilter%5D%5B0%5D=tags%3AIntelligence-led+Security)\n- [outpost24 research and threat intel feed](https://outpost24.com/blog/category/research-and-threat-intel/feed/)\n- [proofpoint threat insight](https://www.proofpoint.com/us/blog/threat-insight#)\n- [Qualys Threat research feed](https://blog.qualys.com/vulnerabilities-threat-research/feed)\n- [redcanary feed](https://www.redcanary.co/feed/)\n- [reversinglabs threat research](https://www.reversinglabs.com/blog/tag/threat-research)\n- [sans blog](https://www.sans.org/blog/)\n- [security.com threat intel](https://www.security.com/threat-intelligence)\n- [securityaffairs apt feed](https://securityaffairs.com/category/apt/feed)\n- [securityweek feed](https://www.securityweek.com/feed/)\n- 
[securelist apt targeted attacks feed](https://securelist.com/threat-category/apt-targeted-attacks/feed/)\n- [Sekoia Blog](https://blog.sekoia.io/)\n- [Sekoia blog feed](https://blog.sekoia.io/feed/)\n- [SentinelOne labs feed](https://www.sentinelone.com/labs/feed/)\n- [seqrite technical blog](https://www.seqrite.com/blog/category/technical/)\n- [Simone Kraus blog feed](https://medium.com/feed/@simone.kraus)\n- [sophos threat research feed](https://news.sophos.com/en-us/category/threat-research/feed/)\n- [specterops feed](https://posts.specterops.io/feed)\n- [Splunk Research Blog](https://www.splunk.com/en_us/blog/author/secmrkt-research.html)\n- [Cybersecurity News feed](https://cybersecuritynews.com/feed/)\n- [Talos feed](https://feeds.feedburner.com/feedburner/Talos)\n- [tenable Blog](https://medium.com/tenable-techblog)\n- [thedfirreport feed](https://thedfirreport.com/feed/)\n- [threat connect blog feed](https://threatconnect.com/blog/feed/)\n- [threatlabz zscaler blog](https://threatlabz.zscaler.com/blogs)\n- [threatpost feed](https://threatpost.com/feed/)\n- [trendmicro security feed](http://feeds.trendmicro.com/TrendMicroSimplySecurity)\n- [Trustwave blog feed](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rss.xml)\n- [Twitter](https://twitter.com/home)\n- [Unit42 feed](http://feeds.feedburner.com/Unit42)\n- [Unit42 feed](https://unit42.paloaltonetworks.com/feed/)\n- [virusbulletin feed](https://www.virusbulletin.com/rss)\n- [virusbulletin](https://www.virusbulletin.com/virusbulletin/)\n- [volexity blog feed](https://www.volexity.com/blog/feed/)\n- [welivesecurity feed](https://www.welivesecurity.com/en/rss/feed/)\n- [tl;dr sec newsletter](https://tldrsec.com/)\n\n\u003c/details\u003e\n\n\n\n### 📺 YouTube/Twitch channels\n\n\u003cdetails\u003e\n  \n  - [DFIR - 13cubed videos](https://www.youtube.com/@13Cubed/videos)\n  - [DFIR - SANS 
videos](https://www.youtube.com/@SANSForensics/videos)\n  - [DFIR - MyDFIR](https://youtube.com/@mydfir)\n  - [DFIR - DFIRScience](https://www.youtube.com/@DFIRScience/videos)\n  - [Malware Analysis - jstrosch](https://www.youtube.com/@jstrosch/videos)\n  - [Malware Analysis - cyberraiju](https://www.youtube.com/@cyberraiju/videos)\n  - [Malware Analysis - Botconf](https://www.youtube.com/@BotConfTV)\n  - [DFIR - AntisyphonTraining](https://www.youtube.com/@AntisyphonTraining)\n  - [DFIR - BlackPerl](https://youtube.com/watch?v=KzD0MmEYAzQ\u0026list=PLjWEV7pmvSa6f-NTpXsaUYWZLjLAB_0TS)\n  - [Malware Analysis - malwareanalysisforhedgehogs](https://youtube.com/@malwareanalysisforhedgehogs?si=rHy80uPhjtyPtX0K)\n  - [DFIR - BlueMonkey4n6](https://www.youtube.com/@BlueMonkey4n6/playlists)\n  - [DFIR - binaryzone](https://www.youtube.com/@binaryz0ne/playlists)\n  - [Detection Engineering - Splunk - atomicsonafriday](https://www.youtube.com/@atomicsonafriday/streams)\n  - [Exploitation - HackerSploit](https://www.youtube.com/@HackerSploit/playlists)\n  - [DFIR - TheTaggartInstitute](https://www.youtube.com/@TheTaggartInstitute/videos)\n  - [Malware Analysis - JohnHammond](https://www.youtube.com/@_JohnHammond)\n  - [Malware Analysis - invokereversing](https://youtube.com/@invokereversing)\n  - [Exploitation - Defcon Talks](https://www.youtube.com/user/DEFCONConference/videos)  + https://media.defcon.org/\n  - [Exploitation - Alh4zr3d - twitch](https://www.twitch.tv/Alh4zr3d)\n  - [Exploitation - Alh4zr3d - youtube](https://www.youtube.com/@alh4zr3d3/videos)\n  - [Exploitation - incodenito](https://youtube.com/@incodenito?si=uV9UDhYFs_vQYayR)\n  - [Exploitation - dayzerosec](https://www.youtube.com/@dayzerosec/videos)\n  - [Malware Analysis - MalwareTechBlog](https://www.youtube.com/@MalwareTechBlog)\n  - [Malware Analysis - radkawar](https://www.youtube.com/@radkawar)\n  - [Exploitation - LiveOverflow](https://www.youtube.com/@LiveOverflow)\n  - [Malware Analysis - 
neoeno](https://youtube.com/@neoeno4242?si=_mVioHsmbvu17KNk)\n  - [Malware Analysis - AzakaSekai](https://www.youtube.com/@AzakaSekai)\n  - [CTI - bushidotoken](https://youtube.com/@bushidotoken)\n  - [CTI - @TLP_R3D](https://www.youtube.com/@TLP_R3D)\n  - [Windows Internal - @mrexodia](https://www.youtube.com/@mrexodia)\n  - [!!! Exploitation - ippsec](https://www.youtube.com/@ippsec)\n  - [Exploitation - flangvik](https://youtube.com/@flangvik?si=vVShvHdg3QCLrHJf)\n  - [Conferences channel - scrtinsomnihack](https://www.youtube.com/@scrtinsomnihack/videos)\n  - [Conferences channel - OffensiveCon](https://www.youtube.com/@OffensiveCon/videos)\n  - [Conferences channel - BSidesSF](https://www.youtube.com/@BSidesSF/videos)\n  - [Conferences channel - BSidesTLV](https://www.youtube.com/@BSidesTLV/videos)\n  - [Conferences channel - bsidesbudapest](https://www.youtube.com/@bsidesbudapest/videos)\n  - [Conferences channel - SecuritybsidesOrgUk](https://www.youtube.com/@SecuritybsidesOrgUk/videos)\n  - [Conferences channel - bsidescanberra9688](https://www.youtube.com/@bsidescanberra9688/videos)\n  - [Conferences channel - brucontalks](https://www.youtube.com/@brucontalks/videos)\n  - [Conferences channel - DEFCONConference](https://www.youtube.com/@DEFCONConference/videos)\n  - [Conferences channel - Disobey](https://www.youtube.com/@Disobey/videos)\n  - [Conferences channel - hitbsecconf](https://www.youtube.com/@hitbsecconf/videos)\n  - [Conferences channel - SANSOffensiveOperations](https://www.youtube.com/@SANSOffensiveOperations/videos)\n  - [Conferences channel - BlackHillsInformationSecurity](https://www.youtube.com/@BlackHillsInformationSecurity/videos)\n  - [Conferences channel - RITSEC](https://www.youtube.com/@RITSEC/videos)\n  - [Conferences channel - Preludeorg](https://www.youtube.com/@Preludeorg/videos)\n  - [Conferences channel - BlackHatOfficialYT](https://www.youtube.com/@BlackHatOfficialYT/videos)\n  - [Conferences channel - 
TROOPERScon](https://www.youtube.com/@TROOPERScon/videos)\n  - [Conferences site - infocon.org](https://infocon.org/cons/)\n  - [Conferences site - sectube.tv](https://sectube.tv/)\n  - [Conferences channel - x33fcon](https://www.youtube.com/@x33fcon/videos)\n\n\u003c/details\u003e\n\n### 🎙️ Podcasts\n\n\u003cdetails\u003e\n\n  - [darknetdiaries](https://darknetdiaries.com/)\n  - [risky.biz](https://risky.biz/)\n  - [DFIR - Digital Forensic Survival Podcast](https://digitalforensicsurvivalpodcast.libsyn.com/podcast)\n  - [cloud.withgoogle.com](https://cloud.withgoogle.com/cloudsecurity/podcast/)\n  - [Internet Storm Center sans podcast](https://isc.sans.edu/podcast.html)\n  - [7 Minute Security Podcast](https://7minsec.com/)\n  - [hacking-humans](https://thecyberwire.com/podcasts/hacking-humans/)\n  - [dayzerosec](https://open.spotify.com/show/4NKCxk8aPEuEFuHsEQ9Tdt)\n  - [CISO series](https://cisoseries.com/category/podcast/cyber-security-headlines/)\n  - [Splunk Atomic on Friday](https://www.youtube.com/@atomicsonafriday/streams)\n  - [NolimitSecu (FR)](https://www.nolimitsecu.fr/)\n  - [HacknSpeak (FR)](https://open.spotify.com/show/2lwA1WLVqnYvnlc7WkV3yU)\n  - [Radio CSIRT (FR)](https://www.radiocsirt.org)\n  - [DEV podcasts (FR)](https://www.ifttd.io/liste-des-episodes)\n  - [Security Conversations](https://securityconversations.com/)\n  - [Monde de la cyber (FR)](https://open.spotify.com/show/0uNuF41uZYwwik1AW6hOSM?si=iv8LKD8VQQSM8Tqf-F1X0w)\n\n\u003c/details\u003e\n\n### 💬 Discord / Slack channels\n\n\u003cdetails\u003e\n\n- [RedTeam - 🔥 Initial Access Guild 🔥 Discord](https://discord.com/channels/1118340483337424936)\n- [RedTeam - 🔥 Red-Team VX community 🔥 Discord](https://discord.com/channels/1012733841229746240)\n- [RedTeam - BloodHoundHQ Slack](https://bloodhoundhq.slack.com)\n- [RedTeam - evilsocket Discord](https://discord.com/channels/1100085665766572142)\n- [RedTeam - OffSec Discord](https://discord.com/channels/780824470113615893/)\n- [Threat Hunting - Threat Hunter community 
Discord](https://discord.com/channels/690293821866508430/)\n- [PurpleTeam - Ipurpleteam Discord](https://discord.com/channels/1285691872928595968)\n- [Blueteam Detection engineering - Hunter's Den Discord](https://discord.com/channels/1104707391569797200)\n- [Blueteam Detection engineering - Sigma HQ Discord](https://discord.com/channels/1176230866515669072)\n- [Blueteam Threat Intel - Malcore Discord](https://discord.com/channels/1087758991809060876/1165463214457368677)\n\n\u003c/details\u003e\n\n### 📚 Training\n\n\u003cdetails\u003e\n\n#### DFIR\n  \n  - 13cubed - Investigating Windows Endpoints [13cubed.com - windows endpoints](https://training.13cubed.com/investigating-windows-endpoints)\n  - 13cubed - Investigating Windows Memory [13cubed.com - windows memory](https://training.13cubed.com/investigating-windows-memory)\n  - 13cubed - Investigating Linux Devices [13cubed.com - linux](https://training.13cubed.com/investigating-linux-devices)\n  - SANS: [FOR500](https://www.sans.org/cyber-security-courses/windows-forensic-analysis/)\n  - SANS: [FOR508](https://www.sans.org/cyber-security-courses/advanced-incident-response-threat-hunting-training/)\n  - Defensive-security: [Linux-live-forensics](https://edu.defensive-security.com/linux-attack-live-forensics-at-scale)\n  - @0gtweet - Forensic course: [Mastering Windows Forensics](https://grzegorz-tworek-s-school.teachable.com/)\n  - @DebugPrivilege: free Forensic Debugging course [InsightEngineering](https://github.com/DebugPrivilege/InsightEngineering)\n  \n  - Challenges:\n    - Arsenal Recon Disk Images for DFIR: [publicly-accessible-disk-images](https://arsenalrecon-dev.s3.amazonaws.com/blog/publicly-accessible-disk-images-\u0026-mobile-extractions-grid-for-dfir---september-24-2024-update.pdf)\n    - @inversecos - APT Emulation Labs: [xintra](https://www.xintra.org/labs)\n    - @TheDFIRReport: labs with logs from the existing reports 
[dfir-labs](https://the-dfir-report-store.myshopify.com/collections/dfir-labs)\n    - @ACEresponder: Courses with Detailed Explanations and Labs [aceresponder.com](https://www.aceresponder.com/challenges)\n    - @binaryz0ne: DFIR challenges with [Datasets](https://www.ashemery.com/dfir.html) + [Linux forensic workshop](https://github.com/ashemery/LinuxForensics)\n\n#### SOC\n\n - TryHackMe - [SOC lvl 1](https://tryhackme.com/path/outline/soclevel1)\n - TryHackMe - [SOC lvl 2](https://tryhackme.com/path/outline/soclevel2)\n - letsdefend.io @chrissanders88 - [letsdefend.io](https://app.letsdefend.io/training)\n - Constructing Defense [constructingdefense.com](https://course.constructingdefense.com/constructing-defense)\n - SANS: [SEC555](https://www.sans.org/cyber-security-courses/siem-with-tactical-analytics/)\n - Xintra: [Attacking and Defending Azure M365](https://training.xintra.org/attacking-and-defending-azure-m365)\n  \n - Challenges:\n   - Splunk Boss Of The SOC - [BOTS](https://bots.splunk.com/)\n     - BOTS [dataset v1](https://github.com/splunk/botsv1)\n     - BOTS [dataset v2](https://github.com/splunk/botsv2)\n     - BOTS [dataset v3](https://github.com/splunk/botsv3)\n   - @TheDFIRReport: labs with logs from the existing reports [dfir-labs](https://the-dfir-report-store.myshopify.com/collections/dfir-labs)\n   - @ACEresponder: Courses with Detailed Explanations and Labs [aceresponder.com](https://www.aceresponder.com/challenges)\n   - @inversecos - APT Emulation Labs: [xintra](https://www.xintra.org/labs)\n\n#### Offensive\n  - [OSCP - HTB](https://0xdf.gitlab.io/cheatsheets/offsec)\n  - [OSCP - Course PEN200](https://www.offsec.com/courses/pen-200/)\n  - [OSEP - Course PEN300](https://www.offsec.com/courses/pen-300/)\n  \n#### Challenges\n\n  - [HackTheBox](https://www.hackthebox.com)\n  - [PentesterLab](https://pentesterlab.com)\n  - [Root-Me](https://www.root-me.org)\n  - [TryHackMe](https://tryhackme.com)\n  - 
[Zenk-Security](https://www.zenk-security.com/challenges)\n\n\n#### RE / Malware Analysis / Deep Dive\n  - [OpenSecurityTraining2](https://p.ost2.fyi/)\n\n\u003c/details\u003e\n\n### 📚 Books\n\n\u003cdetails\u003e\n  \n#### DFIR\n  - [Practical Forensic Imaging](https://www.amazon.com/Practical-Forensic-Imaging-Securing-Evidence/dp/1593277938)\n  - [Practical Linux Forensics: A Guide for Digital Investigators](https://www.amazon.com/Practical-Linux-Forensics-Digital-Investigators-ebook/dp/B096Z4CRC8)\n  - [The Hitchhiker's Guide to DFIR: Experiences From Beginners and Experts - Free](https://leanpub.com/TheHitchhikersGuidetoDFIRExperiencesFromBeginnersandExperts)\n  - [Forensic Artifacts - Microsoft GuideBook - free](https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/IR-Guidebook-Final.pdf)\n  - [Eric Zimmerman Tools Manuals - Free](https://leanpub.com/eztoolsmanuals)\n  - [The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory](https://www.amazon.com/Art-Memory-Forensics-Detecting-Malware/dp/1118825098)\n  - [Applied Incident Response](https://www.amazon.com/Applied-Incident-Response-Steve-Anson/dp/1119560268)\n  - [SANS FOR500 / FOR508 book](https://www.sans.org/cyber-security-courses/advanced-incident-response-threat-hunting-training/)\n  - [Blue Team Handbook: Incident Response Edition](https://www.amazon.com/Blue-Team-Handbook-condensed-Responder/dp/1500734756)\n  - [Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software](https://www.amazon.com/Practical-Malware-Analysis-Hands-Dissecting/dp/1593272901)\n  - [Placing the Suspect Behind the Keyboard: DFIR Investigative Mindset](https://www.amazon.com/Placing-Suspect-Behind-Keyboard-Investigative/dp/B0CZPJF23Q)\n  - [Crafting the InfoSec Playbook: Security Monitoring and Incident Response](https://www.amazon.com/Crafting-InfoSec-Playbook-Security-Monitoring/dp/1491949406)\n  - [Investigating Windows 
Systems](https://www.amazon.com/Investigating-Windows-Systems-Harlan-Carvey/dp/0128114150)\n\n#### Malware Analysis\n  - [Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software](https://www.amazon.com/Practical-Malware-Analysis-Hands-Dissecting/dp/1593272901)\n  - [The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory](https://www.amazon.com/Art-Memory-Forensics-Detecting-Malware/dp/1118825098)\n  - [Evasive Malware: A Field Guide to Detecting, Analyzing, and Defeating Advanced Threats](https://www.amazon.fr/Evasive-Malware-Understanding-Deceptive-Self-Defending/dp/1718503261)\n\n#### SOC\n  - [Blue Team Handbook: SOC, SIEM, and Threat Hunting](https://www.amazon.com/Blue-Team-Handbook-Condensed-Operations/dp/1091493898)\n  - [BTFM: Blue Team Field Manual](https://www.amazon.fr/Blue-Team-Field-Manual-BTFM/dp/154101636X)\n  - [PTFM: Purple Team Field Manual](https://www.amazon.com/PTFM-Purple-Team-Field-Manual/dp/B08LJV1QCD) + [PTFM: Purple Team Field Manual v2](https://www.amazon.com/PTFM-2nd-Purple-Field-Manual/dp/1736526790)\n  - [EDR - Introduction to endpoint security](https://www.amazon.com/Endpoint-Detection-Response-Essentials-deployment/dp/1835463266)\n  - [MITRE - 11 Strategies of a World-Class Cybersecurity Operations Center](https://www.amazon.com/Strategies-World-Class-Cybersecurity-Operations-Center-ebook/dp/B09ZDWRFMW)\n  - [Big picture on running a SOC - Modern SOC](https://www.amazon.com/Modern-Security-Operations-Center-ebook/dp/B08BW8Y9Q4)\n  - [Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software](https://www.amazon.com/Practical-Malware-Analysis-Hands-Dissecting/dp/1593272901)\n  - [SANS SEC555 book](https://www.sans.org/cyber-security-courses/siem-with-tactical-analytics/)\n  \n\n#### Deep Dive\n  - [Windows Internals Books](https://learn.microsoft.com/en-us/sysinternals/resources/windows-internals)\n  - [How Linux 
Works](https://www.amazon.com/How-Linux-Works-Brian-Ward-ebook/dp/B07X7S1JMB)\n  - [Linux Device Drivers](https://lwn.net/Kernel/LDD3/)\n  - [Understanding The Linux Virtual Memory Manager](https://www.kernel.org/doc/gorman/pdf/understand.pdf)\n  - [Linux insides](https://github.com/0xAX/linux-insides/blob/master/SUMMARY.md)\n  - [Linux - Learning eBPF](https://www.amazon.com/Learning-eBPF-Programming-Observability-Networking/dp/1098135121)\n  - [Windows Security Internals](https://www.oreilly.com/library/view/windows-security-internals/9781098168834)\n\n#### Exploitation\n  - [Hacking: The Art of Exploitation](https://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson-ebook/dp/B004OEJN3I)\n  - [The Hacker Playbook: Practical Guide to Penetration Testing](https://www.amazon.com/Hacker-Playbook-Practical-Penetration-Testing-ebook/dp/B07CSPFYZ2)\n  - [RTFM: Red Team Field Manual](https://www.amazon.com/RTFM-Red-Team-Field-Manual-ebook/dp/B0B7H8X3XY)\n  - [Red Team Development and Operations: A practical guide](https://www.amazon.com/Red-Team-Development-Operations-practical-ebook/dp/B0842BMMCC)\n  - [RTRM: Red Team Reference Manual](https://www.amazon.com/RTRM-Red-Team-Reference-Manual/dp/B08N37KDPQ)\n  - [POC||GTFO](https://nostarch.com/search/gtfo)\n\n#### AI\n  - [Hands-On Machine Learning with Scikit-Learn and TensorFlow](https://www.amazon.fr/Hands-Machine-Learning-Scikit-learn-Tensorflow/dp/1492032646)\n\n\u003c/details\u003e\n\n### 📚 Knowledge sites\n\n\u003cdetails\u003e\n\n  - [DFIR - NTFS deepdive - ntfs.com](https://www.ntfs.com/index.html)\n  - [DFIR - aboutdfir](https://aboutdfir.com/)\n  - [DFIR - Forensic Artifacts - microsoft GuideBook](https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/IR-Guidebook-Final.pdf)\n  - [Malware Analysis - unprotect.it - Evasion techniques](https://unprotect.it/)\n  - [Exploitation - hacktricks](https://book.hacktricks.xyz/)\n  - [Exploitation - PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings)\n  - 
[Exploitation - red-team-note](https://dmcxblue.gitbook.io/red-team-notes-2-0/files/red-team-guide)\n  - [Exploitation - Red Team Notes](https://www.ired.team/)\n  - [DFIR - JPCERT Tools Analysis](https://jpcertcc.github.io/ToolAnalysisResultSheet/)\n  - [Exploitation - Red Team TTP](https://rosesecurity.gitbook.io/red-teaming-ttps)\n  - [Linux - EBPF docs](https://docs.ebpf.io/)\n  - [DFIR - Microsoft NinjaHub](https://aka.ms/MicrosoftIRNinjaHub)\n  - [DEV - Windows PInvoke signatures](https://pinvoke.net/)\n  - [Privacy - VPN privacy guide](https://docs.google.com/spreadsheets/d/1L72gHJ5bTq0Djljz0P-NCAaURrXwsR1MsLpVmAt3bwg)\n  - [Detection - GCP Attack - Defense](https://github.com/anrbn/GCP-Attack-Defense)\n  - [Detection - Azure Attack Defense](https://github.com/Cloud-Architekt/AzureAD-Attack-Defense)\n  - [Detection - Unprotect project](https://unprotect.it/snippets/)\n  - [Exploitation - Hacker recipes](https://www.thehacker.recipes/)\n  - [Logs - Events IDs and others - eventlog-compendium](https://eventlog-compendium.streamlit.app/)\n  - [Logs - Events IDs - ultimatewindowssecurity](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx)\n  - [Logs - Event IDs \u0026 policies - microsoft](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/advanced-security-audit-policy-settings)\n  - [Logs - Event IDs Logon types - microsoft](https://learn.microsoft.com/en-us/windows-server/identity/securing-privileged-access/reference-tools-logon-types)\n  - [Logs - Azure SigninLogs Schema](https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/signinlogs)\n  - [Logs - Azure SigninLogs Risk Detection](https://learn.microsoft.com/en-us/graph/api/resources/riskdetection?view=graph-rest-1.0)\n  - [Logs - AADSTS Error Codes](https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes#aadsts-error-codes)\n  - [Logs - Microsoft Errors 
Search](https://login.microsoftonline.com/error)\n  - [Logs - Microsoft Entra authentication and authorization error codes](https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes)\n  - [Logs - Microsoft Defender Event IDs](https://learn.microsoft.com/en-us/defender-endpoint/troubleshoot-microsoft-defender-antivirus)\n  - [Logs - Microsoft Defender for Cloud Alert References](https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference)\n  - [Logs - Microsoft Defender for Identity Alert References](https://learn.microsoft.com/en-us/defender-for-identity/alerts-overview)\n  - [Logs - Microsoft Defender XDR Schemas](https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-schema-tables)\n  - [Logs - Microsoft DNS Debug Event IDs](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn800669(v=ws.11)#dns-logging-and-diagnostics-1)\n  - [Logs - Sysmon Event IDs](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events)\n  - [more cheatsheets](https://github.com/r1cksec/cheatsheets)\n  - [Exploitation - TLS details](https://tls12.xargs.org/)\n  - [SOC - Email Headers IANA](https://www.iana.org/assignments/message-headers/message-headers.xhtml)\n  - [SOC - DKIM, DMARC, SPF](https://github.com/nicanorflavier/spf-dkim-dmarc-simplified)\n  - [SOC - Kerberos Protocol explained](https://en.hackndo.com/kerberos/)\n  - [SOC - ADSecurity AD Attacks](https://adsecurity.org/?page_id=4031)\n  - [SOC - Pass the ticket explained](https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/defense-evasion/t1550-use-alternate-authentication-material/pass-the-ticket)\n  - [SOC - Kerberoasting explained](https://en.hackndo.com/kerberoasting/)\n  - [SOC - Kerberos Unconstrained Delegation explained](https://en.hackndo.com/constrained-unconstrained-delegation/)\n  - [SOC - AS_REP roasting explained](https://en.hackndo.com/kerberos-asrep-roasting/)\n  - [SOC - Golden tickets 
explained](https://en.hackndo.com/kerberos-silver-golden-tickets/)\n  - [SOC - Silver Ticket explained](https://en.hackndo.com/kerberos-silver-golden-tickets/)\n  - [SOC - Skeleton Key explained](https://adsecurity.org/?p=1255)\n  - [SOC - NTLM Relay explained](https://en.hackndo.com/ntlm-relay/)\n  - [SOC - LLMNR Poisoning explained](https://medium.com/@rymak/llmnr-poisoning-an-attack-on-the-active-directory-of-an-organization-9907bf0498ff)\n  - [SOC - DCSync explained](https://adsecurity.org/?p=1729)\n  - [SOC - DCShadow attack explained](https://www.dcshadow.com/)\n  - [SOC - Interview Questions by LetsDefend](https://github.com/LetsDefend/SOC-Interview-Questions)\n  - [SOC - explain shell command arguments](https://explainshell.com/)\n\n\u003c/details\u003e\n\n### 🧪 LAB\n\n\u003cdetails\u003e\n\n- [LAB automation - ludus](https://gitlab.com/badsectorlabs/ludus)\n- [LAB env - windows - GOAD](https://github.com/Orange-Cyberdefense/GOAD)\n- [LAB automation - warhorse](https://github.com/warhorse/warhorse)\n- [LAB automation - Azure - BadZure](https://github.com/mvelazc0/BadZure)\n- [LAB automation - Azure - AzureGoat](https://github.com/ine-labs/AzureGoat)\n- [OS - Malware analysis - flare-vm](https://github.com/mandiant/flare-vm)\n- [SandBox - cuckoo](https://github.com/cuckoosandbox/cuckoo)\n- [SandBox - CAPEv2](https://github.com/kevoreilly/CAPEv2)\n- [SandBox - Malice (VirusTotal self-hosted clone)](https://github.com/maliceio/malice)\n- [Detection platform - wazuh](https://github.com/wazuh/wazuh)\n- [Detection platform - securityonion](https://github.com/Security-Onion-Solutions/securityonion)\n- [Detection platform - Splunk](https://www.splunk.com/en_us/download.html)\n- [Detection platform - Elastic](https://www.elastic.co/downloads/elasticsearch)\n- [Deployment - ansible](https://github.com/ansible/ansible)\n- [SOC - Use Case Factory Automation - DetectIQ](https://github.com/AttackIQ/DetectIQ)\n- [Network Logs - 
StratosphereLinuxIPS](https://github.com/stratosphereips/StratosphereLinuxIPS)\n- [Network Logs - flare-fakenet-ng](https://github.com/mandiant/flare-fakenet-ng)\n- [Network Logs - maltrail](https://github.com/stamparm/maltrail)\n- [Purpleteam - openbas](https://github.com/OpenBAS-Platform/openbas)\n- [Honeypot - LLM honeypot galah](https://github.com/0x4D31/galah)\n- [Honeypot - canary](https://github.com/thinkst/opencanary)\n- [Honeypot - opencanary](https://github.com/thinkst/opencanary)\n- [Honeypot - Respotter (Responder honeypot)](https://github.com/lawndoc/Respotter)\n- [Honeypot - Certiception (ADCS honeypot)](https://github.com/srlabs/Certiception)\n- [Honeypot - cowrie](https://github.com/cowrie/cowrie)\n- [Maldev - Defense Evasion - avred](https://github.com/dobin/avred)\n- [Maldev - Defense Evasion - gocheck](https://github.com/gatariee/gocheck)\n- [Reconnaissance - HEDnsExtractor](https://github.com/HuntDownProject/HEDnsExtractor)\n- [Detection Agent - Sandfly linux agent](https://github.com/sandflysecurity/sandfly-setup)\n- [Log Forwarder - openwec (windows event forwarder)](https://github.com/cea-sec/openwec)\n- [Threat Hunting Platform - deephunter](https://github.com/sebastiendamaye/deephunter)\n- [Windows Logs - JonMon](https://github.com/jsecurity101/JonMon)\n- [Windows Logs - Sysmon](https://learn.microsoft.com/pt-br/sysinternals/downloads/sysmon)\n- [Linux Logs - ossec](https://github.com/ossec/ossec-hids)\n- [Linux Logs - ecapture (SSL/TLS)](https://github.com/gojue/ecapture)\n- [Linux Logs - tracee](https://github.com/aquasecurity/tracee)\n- [Linux Logs - auditd](https://packages.debian.org/sid/auditd)\n- [Linux Logs - SysmonForLinux](https://github.com/microsoft/SysmonForLinux)\n- [Linux Logs - kunai](https://github.com/kunai-project/kunai)\n- [CTI - OpenCTI](https://github.com/OpenCTI-Platform/opencti)\n- [CTI - MISP](https://github.com/MISP/MISP)\n- [Code analysis](https://github.com/semgrep/semgrep)\n- [IR platform - 
iris-web](https://github.com/dfir-iris/iris-web)\n- [IR platform - rAIdline](https://github.com/certsocietegenerale/rAIdline)\n- [IR platform - FIR](https://github.com/certsocietegenerale/FIR)\n- [Challenges - DFIR LABS](https://github.com/Azr43lKn1ght/DFIR-LABS)\n- [Log samples - Splunk Attack range](https://github.com/splunk/attack_range)\n- [IT - Remote connections manager - xpipe](https://github.com/xpipe-io/xpipe)\n- [Endpoint Security - Windows Hardening - Harden-Windows-Security](https://github.com/HotCakeX/Harden-Windows-Security)\n- [Endpoint Security - Linux Hardening - lynis](https://github.com/CISOfy/lynis)\n- [Endpoint Security - Linux - apparmor](https://ubuntu.com/server/docs/apparmor)\n\n\u003c/details\u003e\n\n### 📦 Others\n\n\u003cdetails\u003e\n\n- [Crontab check](https://crontab.guru/every-2-minutes)\n- [markmap.js.org (markdown to mindmap)](https://markmap.js.org/repl)\n- [Subnet Calculator](https://mxtoolbox.com/subnetcalculator.aspx)\n- [chmod calculator](https://chmod-calculator.com/)\n- [Epoch time converter](https://www.epochconverter.com/)\n- [cyberchef](https://cyberchef.org/)\n- [Chrome Addon for TI checks](https://chromewebstore.google.com/detail/osintlytics/kfpbbegdghffnakhgcbonaglepgoedmm)\n- [sms verification](https://textverified.com)\n- [temp mail](https://temp-mail.org)\n- [10 minute mail](https://10minutemail.com/)\n\n\u003c/details\u003e\n\n### Content creation\n\n\u003cdetails\u003e\n\n- [Attack animation creator - aceresponder](https://aceresponder.com/attackanimator)\n\n\u003c/details\u003e\n\n### 🏷️ Bookmarks\n\n- ⭐ Bookmarks with all my lists to import in your browser (updated automatically) [UPDATE Bookmarks](https://github.com/mthcht/awesome-lists/blob/main/_utils/bookmarks.html)\n\n","projects_url":"https://awesome.ecosyste.ms/api/v1/lists/mthcht%2Fawesome-lists/projects"}
