{"id":13603202,"url":"https://github.com/A-poc/BlueTeam-Tools","last_synced_at":"2025-04-11T14:30:33.785Z","repository":{"id":65701051,"uuid":"584522336","full_name":"A-poc/BlueTeam-Tools","owner":"A-poc","description":"Tools and Techniques for Blue Team / Incident Response","archived":false,"fork":false,"pushed_at":"2025-03-27T22:38:04.000Z","size":216,"stargazers_count":3044,"open_issues_count":0,"forks_count":464,"subscribers_count":75,"default_branch":"main","last_synced_at":"2025-04-05T19:22:11.452Z","etag":null,"topics":["blue-team","blueteam","cheatsheet","cyber-security","defender","incident","incident-response","malware-analysis","resources","tools","vulnerability-management","wiki"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/A-poc.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-01-02T20:08:16.000Z","updated_at":"2025-04-05T00:04:42.000Z","dependencies_parsed_at":"2024-01-14T04:44:34.379Z","dependency_job_id":"4f170b5a-db64-4947-8250-e5acee027808","html_url":"https://github.com/A-poc/BlueTeam-Tools","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/A-poc%2FBlueTeam-Tools","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/A-poc%2FBlueTeam-Tools/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/A-poc%2FBlueTeam-Tools/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repo
sitories/A-poc%2FBlueTeam-Tools/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/A-poc","download_url":"https://codeload.github.com/A-poc/BlueTeam-Tools/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248419647,"owners_count":21100213,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blue-team","blueteam","cheatsheet","cyber-security","defender","incident","incident-response","malware-analysis","resources","tools","vulnerability-management","wiki"],"created_at":"2024-08-01T18:01:57.170Z","updated_at":"2025-04-11T14:30:33.745Z","avatar_url":"https://github.com/A-poc.png","language":null,"funding_links":[],"categories":["miscellaneous","Others","cheatsheet","扫描器_资产收集_子域名","取证溯源"],"sub_categories":["资源传输下载"],"readme":"# BlueTeam-Tools\n\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210680535-40d8c113-2336-4417-bdb4-4825a7477164.png\" height=\"300\"\u003e\n\u003c/p\u003e \n\nThis github repository contains a collection of **65+** **tools** and **resources** that can be useful for **blue teaming activities**. \n\nSome of the tools may be specifically designed for blue teaming, while others are more general-purpose and can be adapted for use in a blue teaming context.\n\n\u003e 🔗 If you are a Red Teamer, check out [RedTeam-Tools](https://github.com/A-poc/RedTeam-Tools)\n\n\u003e **Warning** \n\u003e \n\u003e *The materials in this repository are for informational and educational purposes only. 
They are not intended for use in any illegal activities.*\n\n\u003e **Note** \n\u003e \n\u003e *Hide Tool List headings with the arrow.*\n\u003e \n\u003e *Click 🔙 to get back to the list.*\n\n# Tool List\n\n\u003cdetails open\u003e\n    \u003csummary\u003e\u003cb\u003eBlue Team Tips\u003c/b\u003e 4 tips\u003c/summary\u003e\n    \u003cul\u003e\n        \u003cul\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#payload-extraction-with-process-hacker\"\u003ePayload extraction with Process Hacker\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @embee_research\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#prevent-script-execution-via-double-click\"\u003ePrevent Script Execution via Double Click\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Default Application GPO Change\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#detect-cryptojacking-malware-with-proxy-logs\"\u003eDetect Cryptojacking Malware with Proxy Logs\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Dave Mckay\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#remove-null-bytes-in-cyberchef-malware-analysis\"\u003eRemove null bytes in CyberChef malware analysis\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @Securityinbits\u003c/i\u003e\u003c/li\u003e\n        \u003c/ul\u003e\n    \u003c/ul\u003e\n\u003c/details\u003e\n\n\u003cdetails open\u003e\n    \u003csummary\u003e\u003cb\u003eNetwork Discovery and Mapping\u003c/b\u003e 6 tools\u003c/summary\u003e\n    \u003cul\u003e\n        \u003cul\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#nmap\"\u003eNmap\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Network scanner\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#nuclei\"\u003eNuclei\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Vulnerability scanner\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca 
href=\"#masscan\"\u003eMasscan\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Fast network scanner\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#angry-ip-scanner\"\u003eAngry IP Scanner\u003c/a\u003e\u003c/b\u003e\u003ci\u003e IP/port scanner\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#zmap\"\u003eZMap\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Large network scanner\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#shodan\"\u003eShodan\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Internet facing asset search engine\u003c/i\u003e\u003c/li\u003e\n        \u003c/ul\u003e\n    \u003c/ul\u003e\n\u003c/details\u003e\n\n\u003cdetails open\u003e\n    \u003csummary\u003e\u003cb\u003eVulnerability Management\u003c/b\u003e 4 tools\u003c/summary\u003e\n    \u003cul\u003e\n        \u003cul\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#openvas\"\u003eOpenVAS\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Open-source vulnerability scanner\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#nessus-essentials\"\u003eNessus Essentials\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Vulnerability scanner\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#nexpose\"\u003eNexpose\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Vulnerability management tool\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#hackerone\"\u003eHackerOne\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Bug Bounty Management Platform\u003c/i\u003e\u003c/li\u003e\n        \u003c/ul\u003e\n    \u003c/ul\u003e\n\u003c/details\u003e\n\n\u003cdetails open\u003e\n    \u003csummary\u003e\u003cb\u003eSecurity Monitoring\u003c/b\u003e 10 tools\u003c/summary\u003e\n    \u003cul\u003e\n        \u003cul\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#sysmon\"\u003eSysmon\u003c/a\u003e\u003c/b\u003e\u003ci\u003e System 
Monitor for Windows\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#kibana\"\u003eKibana\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Data visualization and exploration\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#logstash\"\u003eLogstash\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Data collection and processing\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#parsedmarc\"\u003eparsedmarc\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Email DMARC data visualisation\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#phishing-catcher\"\u003ePhishing Catcher\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Phishing catcher using Certstream\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#maltrail\"\u003emaltrail\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Malicious traffic detection system\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#autorunstowineventlog\"\u003eAutorunsToWinEventLog\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Windows AutoRuns Event Parser\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#procfilter\"\u003eprocfilter\u003c/a\u003e\u003c/b\u003e\u003ci\u003e YARA-integrated process denial framework\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#velociraptor\"\u003evelociraptor\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Endpoint visibility and collection tool\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#sysmonsearch\"\u003eSysmonSearch\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Sysmon event log visualisation\u003c/i\u003e\u003c/li\u003e\n        \u003c/ul\u003e\n    \u003c/ul\u003e\n\u003c/details\u003e\n\n\u003cdetails open\u003e\n    \u003csummary\u003e\u003cb\u003eThreat Tools and Techniques\u003c/b\u003e 11 tools\u003c/summary\u003e\n    
\u003cul\u003e\n        \u003cul\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#lolbas-projectgithubio\"\u003elolbas-project.github.io\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Living Off The Land Windows Binaries\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#gtfobinsgithubio\"\u003egtfobins.github.io\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Living Off The Land Linux Binaries\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#filesecio\"\u003efilesec.io\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Attacker file extensions\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#kql-search\"\u003eKQL Search\u003c/a\u003e\u003c/b\u003e\u003ci\u003e KQL query aggregator\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#unprotect-project\"\u003eUnprotect Project\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Malware evasion techniques knowledge base\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#chainsaw\"\u003echainsaw\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Fast Windows Forensic Artefacts Searcher\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#freq\"\u003efreq\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Domain generation algorithm malware detection\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#yargen\"\u003eyarGen\u003c/a\u003e\u003c/b\u003e\u003ci\u003e YARA rule generator\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#emailanalyzer\"\u003eEmailAnalyzer\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Suspicious emails analyser\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#vcg\"\u003eVCG\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Code security scanning tool\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca 
href=\"#cyberchef\"\u003eCyberChef\u003c/a\u003e\u003c/b\u003e\u003ci\u003e GCHQ online data manipulation platform\u003c/i\u003e\u003c/li\u003e\n        \u003c/ul\u003e\n    \u003c/ul\u003e\n\u003c/details\u003e\n\n\u003cdetails open\u003e\n    \u003csummary\u003e\u003cb\u003eThreat Intelligence\u003c/b\u003e 4 tools\u003c/summary\u003e\n    \u003cul\u003e\n        \u003cul\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#maltego\"\u003eMaltego\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Threat Intelligence Platform\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#misp\"\u003eMISP\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Malware Information Sharing Platform\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#threatconnect\"\u003eThreatConnect\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Threat data aggregation\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#adversary-emulation-library\"\u003eAdversary Emulation Library\u003c/a\u003e\u003c/b\u003e\u003ci\u003e An open library of adversary emulation plans\u003c/i\u003e\u003c/li\u003e\n        \u003c/ul\u003e\n    \u003c/ul\u003e\n\u003c/details\u003e\n\n\u003cdetails open\u003e\n    \u003csummary\u003e\u003cb\u003eIncident Response Planning\u003c/b\u003e 5 tools\u003c/summary\u003e\n    \u003cul\u003e\n        \u003cul\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#nist\"\u003eNIST\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Cybersecurity Framework\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#incident-response-plan\"\u003eIncident Response Plan\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Framework for incident response\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#ransomware-response-plan\"\u003eRansomware Response Plan\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Framework for ransomware 
response\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#incident-response-reference-guide\"\u003eIncident Response Reference Guide\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Incident preparation guidance paper\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#awesome-incident-response\"\u003eAwesome Incident Response\u003c/a\u003e\u003c/b\u003e\u003ci\u003e List of tools for incident response\u003c/i\u003e\u003c/li\u003e\n        \u003c/ul\u003e\n    \u003c/ul\u003e\n\u003c/details\u003e\n\n\u003cdetails open\u003e\n    \u003csummary\u003e\u003cb\u003eMalware Detection and Analysis\u003c/b\u003e 11 tools\u003c/summary\u003e\n    \u003cul\u003e\n        \u003cul\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#virustotal\"\u003eVirusTotal\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Malicious IOC Sharing Platform\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#ida\"\u003eIDA\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Malware disassembler and debugger\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#ghidra\"\u003eGhidra\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Malware reverse engineering tool\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#decode-vbe\"\u003edecode-vbe\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Encoded VBE script decoder\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#pafish\"\u003epafish\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Virtual machine sandbox detector\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#lookyloo\"\u003elookyloo\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Phishing domain mapping\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#yara\"\u003eYARA\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Malware identification via pattern 
matching\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#cuckoo-sandbox\"\u003eCuckoo Sandbox\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Malware analysis sandbox\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#radare2\"\u003eRadare2\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Reverse engineering framework\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#dnspy\"\u003ednSpy\u003c/a\u003e\u003c/b\u003e\u003ci\u003e .NET debugger and assembly editor\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#malware-traffic-analysisnet\"\u003emalware-traffic-analysis.net\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Malware and packet capture samples\u003c/i\u003e\u003c/li\u003e\n        \u003c/ul\u003e\n    \u003c/ul\u003e\n\u003c/details\u003e\n\n\u003cdetails open\u003e\n    \u003csummary\u003e\u003cb\u003eData Recovery\u003c/b\u003e 3 tools\u003c/summary\u003e\n    \u003cul\u003e\n        \u003cul\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#recuva\"\u003eRecuva\u003c/a\u003e\u003c/b\u003e\u003ci\u003e File recovery\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#extundelete\"\u003eExtundelete\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Ext3 or ext4 partition recovery\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#testdisk\"\u003eTestDisk\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Data Recovery\u003c/i\u003e\u003c/li\u003e\n        \u003c/ul\u003e\n    \u003c/ul\u003e\n\u003c/details\u003e\n\n\u003cdetails open\u003e\n    \u003csummary\u003e\u003cb\u003eDigital Forensics\u003c/b\u003e 3 tools\u003c/summary\u003e\n    \u003cul\u003e\n        \u003cul\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#sans-sift\"\u003eSANS SIFT\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Forensic toolkit\u003c/i\u003e\u003c/li\u003e\n            
\u003cli\u003e\u003cb\u003e\u003ca href=\"#the-sleuth-kit\"\u003eThe Sleuth Kit\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Disk image analysis tools\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#autopsy\"\u003eAutopsy\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Digital forensics platform\u003c/i\u003e\u003c/li\u003e\n        \u003c/ul\u003e\n    \u003c/ul\u003e\n\u003c/details\u003e\n\n\u003cdetails open\u003e\n    \u003csummary\u003e\u003cb\u003eSecurity Awareness Training\u003c/b\u003e 4 tools\u003c/summary\u003e\n    \u003cul\u003e\n        \u003cul\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#tryhackme\"\u003eTryHackMe\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Cyber security challenges platform\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#hackthebox\"\u003eHackTheBox\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Cyber security challenges platform\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#cyberdefenders\"\u003eCyberDefenders\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Blue team cyber security challenges platform\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#phishme\"\u003ePhishMe\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Phishing training\u003c/i\u003e\u003c/li\u003e\n        \u003c/ul\u003e\n    \u003c/ul\u003e\n\u003c/details\u003e\n\n\u003cdetails open\u003e\n    \u003csummary\u003e\u003cb\u003eCommunication and Collaboration\u003c/b\u003e 2 tools\u003c/summary\u003e\n    \u003cul\u003e\n        \u003cul\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#twitter\"\u003eTwitter\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Cyber Security Accounts\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#facebook-theatexchange\"\u003eFacebook ThreatExchange\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Malicious indicators sharing platform\u003c/i\u003e\u003c/li\u003e\n     
   \u003c/ul\u003e\n    \u003c/ul\u003e\n\u003c/details\u003e\n\nBlue Team Tips\n====================\n\n*Learn from Blue Teamers with a collection of Blue Teaming Tips. These tips cover a range of tactics, tools, and methodologies to improve your blue teaming abilities.*\n\n### [🔙](#tool-list)Payload extraction with Process Hacker\n\n![image](https://user-images.githubusercontent.com/100603074/217382117-acb26f85-d352-43b3-8818-6c5a0d90f350.png)\n\n**Description:** \n*'Malware Analysis Tip - Use Process Hacker to watch for suspicious .NET assemblies in newly spawned processes. Combined with DnSpy - it's possible to locate and extract malicious payloads without needing to manually de-obfuscate.'*\n\nProcess Hacker has since been renamed System Informer.\n\n**Credit:** [@embee_research](https://twitter.com/embee_research)\n\n**Link:** [Twitter](https://twitter.com/embee_research/status/1614871485931458560)\n\n### [🔙](#tool-list)Prevent Script Execution via Double Click\n\n![image](https://user-images.githubusercontent.com/100603074/218200763-53f9fc80-59e1-468a-93e2-69b84d1c7196.png)\n\n**Description:** \n*On Windows, it's common to see threat actors achieve initial execution via malicious script files masquerading as Microsoft Office files. A nice way to break this attack chain is to change the default application associated with these file types (HTA, JS, VBS and the other Windows Script Host extensions) to `notepad.exe`. Now when a user is tricked into double-clicking an HTA file on disk, the script opens in Notepad and does not execute. This only changes the double-click (ShellExecute) handler: a payload that invokes `mshta.exe`, `wscript.exe` or `cscript.exe` explicitly, for example from a macro or an LNK file, still runs, so pair it with application control or with disabling Windows Script Host where it is not needed.*\n\n**Credit:** [bluesoul](https://bluesoul.me/)\n\n**Link:** [Blog](https://bluesoul.me/2016/05/12/use-gpo-to-change-the-default-behavior-of-potentially-malicious-file-extensions/)\n\n### [🔙](#tool-list)Detect Cryptojacking Malware with Proxy Logs\n\n**Description:** *Cryptojacking malware is becoming more sophisticated, with mining malware leveraging DLL sideloading to hide on the machine and throttling CPU load to stay below detection thresholds. 
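The proxy-log check that this tip goes on to describe, as an added example (not code from the original page or from the cited blog post): the log lines are constructed, the pool patterns are the tip's wildcards rewritten as anchored regexes over the hostname so that domains that merely contain "pool" are not matched, and the Stratum port list is an assumption used as a second signal.

```python
"""Flag proxy-log destinations that look like cryptomining pool connections.

Added example for the cryptojacking tip; not code from the original page or
the cited blog. The log lines are constructed, and the pattern list and
Stratum port set are illustrative assumptions, not a vetted intelligence feed.
"""
import re
from urllib.parse import urlsplit

# Constructed, squid-style proxy log lines: timestamp, client, method, target.
SAMPLE_PROXY_LOG = """\
1711900001.123 10.0.0.15 CONNECT pool.mining.example:4444
1711900002.456 10.0.0.15 CONNECT xmr.pool.example:3333
1711900003.789 10.0.0.22 GET http://www.liverpool.example/
1711900004.012 10.0.0.31 GET https://carpool.example/ride
1711900005.345 10.0.0.15 CONNECT us-east.pool.example:443
"""

# The tip's wildcards (*xmr.*, *pool.com, *pool.org, pool.*) rewritten as
# regexes over the hostname. "pool"/"xmr" must be a whole DNS label, so
# liverpool.example and carpool.example do not match.
POOL_HOST_PATTERNS = [
    re.compile(r"(^|\.)xmr\."),             # *xmr.*
    re.compile(r"(^|\.)pool\.(com|org)$"),  # *pool.com / *pool.org
    re.compile(r"(^|\.)pool\."),            # pool.*
]

# Assumed: ports commonly used by Stratum mining pools, used as a second signal.
COMMON_STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}


def parse_proxy_line(line):
    """Return (client_ip, hostname, port) for one log line."""
    _ts, client, method, target = line.split(maxsplit=3)
    if method == "CONNECT":                 # CONNECT host:port
        host, sep, port = target.rpartition(":")
        if not sep:
            host, port = target, 443
    else:                                   # METHOD scheme://host[:port]/path
        url = urlsplit(target)
        host = url.hostname
        port = url.port or (443 if url.scheme == "https" else 80)
    return client, host.lower(), int(port)


def classify(host, port):
    """List the reasons a destination looks like a mining pool ([] if none)."""
    reasons = []
    if any(p.search(host) for p in POOL_HOST_PATTERNS):
        reasons.append("pool-like hostname")
    if port in COMMON_STRATUM_PORTS:
        reasons.append(f"stratum-style port {port}")
    return reasons


def find_mining_candidates(log_text):
    """Return [(client, host, port, reasons)] for lines worth triaging."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, host, port = parse_proxy_line(line)
        reasons = classify(host, port)
        if reasons:
            hits.append((client, host, port, reasons))
    return hits


if __name__ == "__main__":
    for client, host, port, reasons in find_mining_candidates(SAMPLE_PROXY_LOG):
        print(f"{client} -> {host}:{port}  ({', '.join(reasons)})")
```

Matches are leads, not verdicts: a host that trips both the hostname and the port check (here 10.0.0.15) is worth pulling process and DNS history for, while a single weak signal should be correlated with sustained CPU use or a known-bad binary first.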
One thing they all have in common is that they must connect to a mining pool, and that is where to look for them. Monitor your proxy and DNS logs for destinations matching common mining pool strings (e.g. `*xmr.*` OR `*pool.com` OR `*pool.org` OR `pool.*`). These patterns are deliberately broad and will also hit legitimate domains (anything containing \"pool\"), so treat matches as leads to triage rather than alerts, and bear in mind that a miner routed through an attacker-controlled proxy or a non-descriptive domain will not match at all; the Stratum port numbers pools typically listen on (3333, 4444, 5555, 7777) are a useful second signal.*\n\n**Credit:** [Dave Mckay](https://www.howtogeek.com/author/davidmckay/)\n\n**Link:** [Blog](https://www.howtogeek.com/devops/how-to-detect-and-defeat-cryptominers-in-your-network/)\n\n### [🔙](#tool-list)Remove null bytes in CyberChef malware analysis\n\n![image](https://user-images.githubusercontent.com/100603074/223865015-00128d71-0093-4422-b271-e26dac723013.png)\n\n**Description:** *'After decoding base64 for Unicode string during malware analysis, you may encounter null bytes. Keep your code readable by using the \"Remove null bytes\" operation in CyberChef.'*\n\nInterleaved null bytes are usually a sign that the original string was UTF-16LE (the encoding PowerShell's `-EncodedCommand` expects); decoding it as UTF-16LE with CyberChef's \"Decode text\" operation gives the same readable output without discarding bytes that might be meaningful elsewhere in the blob.\n\n**Credit:** [Ayush Anand](https://twitter.com/Securityinbits)\n\n**Link:** [Twitter](https://twitter.com/securityinbits/status/1628364983661694976)\n\nNetwork Discovery and Mapping\n====================\n\n*Tools for scanning and mapping out the network, discovering devices and services, and identifying potential vulnerabilities.*\n\n### [🔙](#tool-list)[Nmap](https://nmap.org)\n\nNmap (short for Network Mapper) is a free and open-source network scanner used to discover hosts and services on a computer network and to probe them for information about their characteristics.\n\nIt can be used to determine which ports on a host are open and what services (and versions) are running on those ports. 
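Nmap's XML output (`-oX`) is the defender-friendly format, because it can be diffed against what each host is supposed to expose. The following added example (not code from the original page or from the Nmap project) parses a constructed sample report in nmap's XML format and reports open ports absent from an assumed baseline inventory, baseline services that are no longer seen, and live hosts the inventory does not list.

```python
"""Diff an nmap XML report against an expected-services baseline.

Added example for the Nmap entry; not code from the original page or the
Nmap project. The XML is a constructed sample in nmap's -oX format (normally
produced with `nmap -sV -oX scan.xml <targets>`), and BASELINE is an
assumed inventory of what each host is meant to expose.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """\
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.168.1.0/24">
  <host><status state="up"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="4444"><state state="open"/><service name="krb524"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.77" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="192.168.1.30" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Assumed inventory: the (protocol, port) pairs each host should expose.
BASELINE = {
    "192.168.1.10": {("tcp", 22), ("tcp", 443)},
    "192.168.1.20": {("tcp", 445), ("tcp", 3389)},
}


def parse_open_ports(xml_text):
    """Return {ip: {(proto, port): service_name}} for every host that is up."""
    observed = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                      # closed/filtered ports are not exposure
            service = port.find("service")
            name = service.get("name") if service is not None else "unknown"
            ports[(port.get("protocol"), int(port.get("portid")))] = name
        observed[addr.get("addr")] = ports
    return observed


def diff_against_baseline(observed, baseline):
    """Return (unexpected, missing, unknown_hosts).

    unexpected:    {ip: {(proto, port): service}} open but not in the baseline
    missing:       {ip: [(proto, port)]} in the baseline but not seen open
    unknown_hosts: live hosts the baseline does not list at all
    """
    unexpected, missing, unknown_hosts = {}, {}, []
    for ip, ports in observed.items():
        if ip not in baseline:
            unknown_hosts.append(ip)
            continue
        extra = set(ports) - baseline[ip]
        gone = baseline[ip] - set(ports)
        if extra:
            unexpected[ip] = {p: ports[p] for p in sorted(extra)}
        if gone:
            missing[ip] = sorted(gone)
    return unexpected, missing, unknown_hosts


if __name__ == "__main__":
    unexpected, missing, unknown = diff_against_baseline(
        parse_open_ports(SAMPLE_NMAP_XML), BASELINE)
    print("unexpected open ports:", unexpected)
    print("baseline services not seen:", missing)
    print("hosts not in inventory:", unknown)
```

Run the scan on a schedule and feed each new XML through this; the three outputs map onto three different tickets (a new listener to investigate, a service that silently died, and a host nobody registered).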
Its scripting engine (NSE) can also check the services it finds for known vulnerabilities and misconfigurations.\n\n**Install:** \n\nYou can download the latest release from [here](https://nmap.org/download).\n\n**Usage:** \n\n```bash\n# Scan a single IP\nnmap 192.168.1.1\n\n# Scan a range\nnmap 192.168.1.1-254\n\n# Scan targets from a file\nnmap -iL targets.txt\n\n# Port scan for port 21\nnmap 192.168.1.1 -p 21\n\n# Enables OS detection, version detection, script scanning, and traceroute\nnmap 192.168.1.1 -A\n\n# Version-detect and save the results as XML for later comparison against an inventory\nnmap -sV -oX scan.xml 192.168.1.0/24\n```\n\nNice usage [cheat sheet](https://www.stationx.net/nmap-cheat-sheet/).\n\n![image](https://user-images.githubusercontent.com/100603074/210288428-01875d96-72e6-4857-b18d-4e10d80863ad.png)\n\n*Image used from https://kirelos.com/nmap-version-scan-determining-the-version-and-available-services/*\n\n### [🔙](#tool-list)[Nuclei](https://nuclei.projectdiscovery.io/nuclei/get-started/)\n\nA specialized tool designed to automate the detection of vulnerabilities in web applications, networks, and infrastructure.\n\nNuclei uses pre-defined YAML templates to probe a target and identify potential vulnerabilities. 
It can be used to test a single host or a list of hosts, and can be configured to run a variety of tests to check for different types of vulnerabilities.\n\n**Install:** \n\nThe old `cd nuclei/v2/cmd/nuclei` build path is out of date; with a Go toolchain installed, the project's documented method is:\n\n```bash\ngo install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest\nnuclei -version\n\n# Fetch or refresh the public template set\nnuclei -update-templates\n```\n\n**Usage:** \n\n```bash\n# All templates in the default template directory are run against the target\nnuclei -u https://example.com\n\n# Custom template directory, or several of them\nnuclei -u https://example.com -t cves/ -t exposures/\n\n# Templates can be executed against a list of URLs\nnuclei -list http_urls.txt\n\n# Exclude a single template\nnuclei -list urls.txt -t cves/ -exclude-templates cves/2020/CVE-2020-XXXX.yaml\n```\n\nFull usage information can be found [here](https://nuclei.projectdiscovery.io/nuclei/get-started/#running-nuclei).\n\n![image](https://user-images.githubusercontent.com/100603074/210288448-c2d9da7d-e68f-4d06-9066-b702ce4b5cb3.png)\n\n*Image used from https://www.appsecsanta.com/nuclei*\n\n### [🔙](#tool-list)[Masscan](https://github.com/robertdavidgraham/masscan)\n\nA port scanner that is similar to nmap, but is much faster and can scan a large number of ports in a short amount of time.\n\nMasscan's speed comes from its own asynchronous, stateless TCP/IP stack rather than from the SYN scan technique itself (nmap's default privileged scan is also a SYN scan): it transmits SYN probes without waiting for replies and matches responses as they arrive, so throughput is bounded by the NIC and the network rather than by per-connection state. The same property makes it easy to overwhelm fragile devices, so on an internal network keep `--rate` modest and use an exclude file.\n\n**Install: (Apt)** \n\n```bash\nsudo apt install masscan\n```\n\n**Install: (Git)** \n\n```bash\nsudo apt-get install clang git gcc make libpcap-dev\ngit clone https://github.com/robertdavidgraham/masscan\ncd masscan\nmake\n```\n\n**Usage:** \n\n```bash\n# Scan for a selection of ports (-p22,80,445) across a given subnet (192.168.1.0/24)\nmasscan -p22,80,445 192.168.1.0/24\n\n# Scan a /16 for ports 22 through 25\nmasscan 10.11.0.0/16 -p22-25\n\n# Scan a /16 for the top 100 ports at 100,000 packets per second\nmasscan 10.11.0.0/16 --top-ports 100 --rate 100000\n\n# Scan a /16, but avoid 
the ranges listed in exclude.txt\nmasscan 10.11.0.0/16 --top-ports 100 --excludefile exclude.txt\n```\n\n![image](https://user-images.githubusercontent.com/100603074/210288465-fa4d7b45-d7ff-4c5e-82a6-e0d480b387c7.png)\n\n*Image used from https://kalilinuxtutorials.com/masscan/*\n\n### [🔙](#tool-list)[Angry IP Scanner](https://angryip.org/)\n\nA free and open-source tool for scanning IP addresses and ports.\n\nIt's a cross-platform tool, designed to be fast and easy to use, that can scan an entire network or a range of IP addresses to find live hosts.\n\nAngry IP Scanner can also resolve the hostname and MAC address of a device, and can be used to perform basic ping sweeps and port scans.\n\n**Install:** \n\nYou can download the latest release from [here](https://angryip.org/download/).\n\n**Usage:** \n\nAngry IP Scanner is driven from its GUI.\n\nFull usage information and documentation can be found [here](https://angryip.org/documentation/).\n\n![image](https://user-images.githubusercontent.com/100603074/210288485-711924ca-504e-4655-9e91-a0ecf32b2e63.png)\n\n*Image used from https://angryip.org/screenshots/*\n\n### [🔙](#tool-list)[ZMap](https://github.com/zmap/zmap)\n\nZMap is a stateless network scanner designed to perform comprehensive scans of the IPv4 address space or large portions of it, sending a single probe per target by default.\n\nOn a typical desktop computer with a gigabit Ethernet connection, ZMap is capable of scanning the entire public IPv4 address space for one port in under 45 minutes. Because it never backs off, point it only at ranges you own or are authorised to scan, and keep a blocklist file of addresses that must never be touched.\n\n**Install:** \n\nYou can download the latest release from [here](https://github.com/zmap/zmap/releases).\n\n**Usage:** \n\n```bash\n# Scan only 10.0.0.0/8 and 192.168.0.0/16 on TCP/80\nzmap -p 80 10.0.0.0/8 192.168.0.0/16\n```\n\nFull usage information can be found [here](https://github.com/zmap/zmap/wiki).\n\n![image](https://user-images.githubusercontent.com/100603074/210288512-fe050de5-fe7a-4c90-aab3-f307146f2b20.png)\n\n*Image used from 
https://www.hackers-arise.com/post/zmap-for-scanning-the-internet-scan-the-entire-internet-in-45-minutes*\n\n### [🔙](#tool-list)[Shodan](https://www.shodan.io/)\n\nShodan is a search engine for internet-connected devices.\n\nIt continuously scans the internet for exposed services, allowing users to search for specific devices and view information about them.\n\nThis information can include the device's IP address, the software and version it is running, and the type of device it is. For a blue team the most useful query is your own footprint: the `net:` and `org:` filters show what Shodan has indexed in your address space, which is frequently more than the asset inventory says.\n\n**Install:** \n\nThe search engine can be accessed at [https://www.shodan.io/dashboard](https://www.shodan.io/dashboard).\n\n**Usage:** \n\n[Shodan query fundamentals](https://help.shodan.io/the-basics/search-query-fundamentals)\n\n[Shodan query examples](https://www.shodan.io/search/examples)\n\n[Nice query cheatsheet](https://www.osintme.com/index.php/2021/01/16/ultimate-osint-with-shodan-100-great-shodan-queries/)\n\n![image](https://user-images.githubusercontent.com/100603074/191689282-70f99fe9-aa08-4cd3-b881-764eface8546.png)\n\n*Image used from https://www.shodan.io/*\n\nVulnerability Management\n====================\n\n*Tools for identifying, prioritizing, and mitigating vulnerabilities in the network and on individual devices.*\n\n### [🔙](#tool-list)[OpenVAS](https://openvas.org/)\n\nOpenVAS is the open-source vulnerability scanner at the core of the Greenbone Vulnerability Management (GVM) suite.\n\nIt is used to perform network security assessments, identifying vulnerabilities in systems and applications so that they can be patched or mitigated. 
\n\nOpenVAS is developed by Greenbone and is available as free and open-source software. On current Kali the packaging is named after the GVM suite, and the old `openvas-setup`/`openvas-start` scripts have been replaced by `gvm-setup` and `gvm-start`.\n\n**Install: (Kali)** \n\n```bash\nsudo apt update\nsudo apt install gvm\n# Downloads the vulnerability feeds and creates the admin user; the first run takes a while\nsudo gvm-setup\n```\n\n**Usage:** \n\n```bash\nsudo gvm-start\n```\n\nVisit https://127.0.0.1:9392, accept the self-signed certificate warning and log in with the admin credentials:\n\n- username: admin\n- password: (*printed at the end of the gvm-setup output*)\n\n![image](https://user-images.githubusercontent.com/100603074/210452918-aa8d7be0-e557-4556-937c-334df02702dc.png)\n\n*Image used from https://www.kali.org/blog/openvas-vulnerability-scanning/*\n\n### [🔙](#tool-list)[Nessus Essentials](https://www.tenable.com/products/nessus/nessus-essentials)\n\nNessus is a vulnerability scanner that helps identify and assess the vulnerabilities that exist within a network or computer system.\n\nIt is used to perform security assessments, identifying vulnerabilities in systems and applications so that they can be patched or mitigated.\n\nNessus is developed by Tenable, Inc. and is available in both free and paid versions: \n\n- The free version, called Nessus Essentials, is intended for personal and educational use; it is limited to 16 IP addresses and lacks some capabilities of the paid version. 
\n- The paid version, called Nessus Professional, is more fully featured and is intended for use in a professional setting.\n\n**Install:** \n\nRegister for a Nessus Essentials activation code [here](https://www.tenable.com/products/nessus/nessus-essentials) and download.\n\nPurchase Nessus Professional from [here](https://www.tenable.com/products/nessus/nessus-professional).\n\n**Usage:** \n\nExtensive documentation can be found [here](https://docs.tenable.com/nessus/Content/GetStarted.htm).\n\n[Nessus Plugins Search](https://www.tenable.com/plugins/search)\n\n[Tenable Community](https://community.tenable.com/)\n\n![image](https://user-images.githubusercontent.com/100603074/210452954-6208f96a-d180-4c8d-9579-313613d2cbe2.png)\n\n*Image used from https://www.tenable.com*\n\n### [🔙](#tool-list)[Nexpose](https://www.rapid7.com/products/nexpose/)\n\nNexpose is a vulnerability management tool developed by Rapid7. It is designed to help organizations identify and assess vulnerabilities in their systems and applications in order to mitigate risk and improve security.\n\nNexpose can be used to scan networks, devices, and applications in order to identify vulnerabilities and provide recommendations for remediation.\n\nIt also offers features such as asset discovery, risk prioritization, and integration with other tools in the Rapid7 vulnerability management platform.\n\n**Install:** \n\nFor detailed installation instructions see [here](https://docs.rapid7.com/nexpose/install/).\n\n**Usage:** \n\nFor full login information see [here](https://docs.rapid7.com/nexpose/log-in-and-activate).\n\nFor usage and scan creation instructions see [here](https://docs.rapid7.com/nexpose/create-and-scan-a-site).\n\n![image](https://user-images.githubusercontent.com/100603074/210452992-cf9976ee-6b93-465d-bc1c-6e23cc387dba.png)\n\n*Image used from https://www.rapid7.com/products/nexpose/*\n\n### [🔙](#tool-list)[HackerOne](https://www.hackerone.com/)\n\nHackerOne is a bug bounty management 
company that can be used to create and manage bug bounty programs for your business.\n\nBug bounty programs are a great way to outsource external vulnerability assessments, with the platform offering both private and public programs with the ability to set program scopes and rules of engagement.\n\nHackerOne also offers initial triage and management of external bug reports from researchers, with the ability to compensate researchers directly through the platform.\n\n![image](https://user-images.githubusercontent.com/100603074/217382232-b8df098a-c74b-4552-b344-f5228c84c383.png)\n\n*Image used from https://www.hackerone.com/product/bug-bounty-platform*\n\nSecurity Monitoring\n====================\n\n*Tools for collecting and analyzing security logs and other data sources to identify potential threats and anomalous activity.*\n\n### [🔙](#tool-list)[Sysmon](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon)\n\nSysmon is a Windows system monitor that tracks system activity and logs it to the Windows event log.\n\nIt provides detailed information about system activity, including process creation and termination, network connections, and changes to file creation time.\n\nSysmon can be configured to monitor specific events or processes and can be used to alert administrators of suspicious activity on a system.\n\n**Install:** \n\nDownload the sysmon binary from [here](https://download.sysinternals.com/files/Sysmon.zip).\n\n**Usage:** \n\n```bash\n# Install with default settings (process images hashed with SHA1 and no network monitoring)\nsysmon -accepteula -i\n\n# Install Sysmon with a configuration file (see the event filtering link below)\nsysmon -accepteula -i c:\\windows\\config.xml\n\n# Uninstall\nsysmon -u\n\n# Dump the current configuration\nsysmon -c\n```\n\nFull event filtering information can be found [here](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#event-filtering-entries).\n\nThe Microsoft documentation page can be found 
[here](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon).\n\n![image](https://user-images.githubusercontent.com/100603074/210621009-b3c31c2b-f789-450a-acbf-7578fa943abd.png)\n\n*Image used from https://nsaneforums.com/topic/281207-sysmon-5-brings-registry-modification-logging/*\n\n### [🔙](#tool-list)[Kibana](https://www.elastic.co/kibana/)\n\nKibana is an open-source data visualization and exploration tool that is often used for log analysis in combination with Elasticsearch.\n\nKibana provides a user-friendly interface for searching, visualizing, and analyzing log data, which can be helpful for identifying patterns and trends that may indicate a security threat.\n\nKibana can be used to analyze a wide range of data sources, including system logs, network logs, and application logs. It can also be used to create custom dashboards and alerts to help security teams stay informed about potential threats and respond quickly to incidents.\n\n**Install:** \n\nYou can download Kibana from [here](https://www.elastic.co/downloads/kibana).\n\nInstallation instructions can be found [here](https://www.elastic.co/guide/en/kibana/current/install.html).\n\n**Usage: (Visualize and explore log data)** \n\nKibana provides a range of visualization tools that can help you identify patterns and trends in your log data. You can use these tools to create custom dashboards that display relevant metrics and alerts.\n\n**Usage: (Threat Alerting)**\n\nKibana can be configured to send alerts when it detects certain patterns or anomalies in your log data. 
You can set up alerts to notify you of potential security threats, such as failed login attempts or network connections to known malicious IP addresses.\n\nNice [blog](https://phoenixnap.com/kb/kibana-tutorial) about querying and visualizing data in Kibana.\n\n![image](https://user-images.githubusercontent.com/100603074/210621061-badf3acf-2680-42c5-bbd9-43bca7a85cf2.png)\n\n*Image used from https://www.pinterest.co.uk/pin/analysing-honeypot-data-using-kibana-and-elasticsearch--684758318328369269/*\n\n### [🔙](#tool-list)[Logstash](https://www.elastic.co/logstash/)\n\nLogstash is an open-source data collection engine with real-time pipelining capabilities. It is a server-side data processing pipeline that ingests data from a multitude of sources simultaneously, transforms it, and then sends it to a \"stash\" like Elasticsearch.\n\nLogstash has a rich set of plugins, which allows it to connect to a variety of sources and process the data in multiple ways. It can parse and transform logs, translate data into a structured format, or send it to another tool for further processing.\n\nWith its ability to process large volumes of data quickly, Logstash is an integral part of the ELK stack (Elasticsearch, Logstash, and Kibana) and is often used to centralize, transform, and monitor log data.\n\n**Install:** \n\nDownload logstash from [here](https://www.elastic.co/downloads/logstash).\n\n**Usage:** \n\nFull logstash documentation [here](https://www.elastic.co/guide/en/logstash/current/introduction.html).\n\nConfiguration examples [here](https://www.elastic.co/guide/en/logstash/current/config-examples.html).\n\n![image](https://user-images.githubusercontent.com/100603074/210621111-e7630493-bc1c-41fa-af98-0261fbf6e293.png)\n\n*Image used from https://www.elastic.co/guide/en/logstash/current/logstash-modules.html*\n\n### [🔙](#tool-list)[parsedmarc](https://github.com/domainaware/parsedmarc)\n\nA Python module and CLI utility for parsing DMARC reports. 
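A minimal aggregate-report parser, added here as an illustration and not parsedmarc's own code: it unwraps the gzip or zip container a report usually arrives in, walks the RFC 7489 aggregate XML, and totals the messages that passed or failed DMARC per sending IP. The report embedded in the block is constructed, not a real receiver's report.

```python
"""Parse a DMARC aggregate (rua) report and summarise which sending sources
fail authentication. Added example, not parsedmarc's own code; the report
below is constructed to follow the RFC 7489 aggregate XML layout."""
import gzip
import io
import xml.etree.ElementTree as ET
import zipfile
from collections import defaultdict

# Constructed sample report: one aligned sender and one source that fails
# both DKIM and SPF (the shape a spoofing source would have).
SAMPLE_REPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example.test</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.test</domain><adkim>r</adkim><aspf>r</aspf>
    <p>reject</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.test</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.test</header_from></identifiers>
  </record>
</feedback>
"""


def decompress(data: bytes) -> bytes:
    """Unwrap gzip (magic 1f 8b) or zip (magic PK) containers transparently;
    reports normally arrive compressed as mail attachments."""
    if data[:2] == b"\x1f\x8b":
        return gzip.decompress(data)
    if data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(zf.namelist()[0])
    return data


def as_gzip(data: bytes) -> bytes:
    """Helper to simulate a gzip-compressed attachment."""
    return gzip.compress(data)


def parse_aggregate(data: bytes) -> dict:
    """Return report metadata, the published policy and one dict per <record>."""
    root = ET.fromstring(decompress(data))
    meta = root.find("report_metadata")
    policy = root.find("policy_published")
    report = {
        "org_name": meta.findtext("org_name"),
        "report_id": meta.findtext("report_id"),
        "domain": policy.findtext("domain"),
        "policy": policy.findtext("p"),
        "records": [],
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        report["records"].append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "dkim": evaluated.findtext("dkim"),
            "spf": evaluated.findtext("spf"),
            "header_from": rec.find("identifiers").findtext("header_from"),
        })
    return report


def summarize(report: dict) -> dict:
    """Count messages that passed DMARC (aligned DKIM or aligned SPF passed)
    versus those that failed both, and list the failing source IPs."""
    passing = failing = 0
    failing_sources = defaultdict(int)
    for rec in report["records"]:
        if rec["dkim"] == "pass" or rec["spf"] == "pass":
            passing += rec["count"]
        else:
            failing += rec["count"]
            failing_sources[rec["source_ip"]] += rec["count"]
    return {
        "domain": report["domain"],
        "policy": report["policy"],
        "passing": passing,
        "failing": failing,
        "failing_sources": dict(failing_sources),
    }


if __name__ == "__main__":
    print(summarize(parse_aggregate(as_gzip(SAMPLE_REPORT))))
```

Run it directly to print the summary for the embedded report. A record where neither aligned DKIM nor aligned SPF passed is a DMARC failure, so its source IP is the one to look at: either a legitimate sender that is missing from SPF, or a source spoofing the domain.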
\n\nWhen used with Elasticsearch and Kibana (or Splunk), it works as a self-hosted open source alternative to commercial DMARC report processing services such as Agari Brand Protection, Dmarcian, OnDMARC, ProofPoint Email Fraud Defense, and Valimail.\n\nFeatures:\n\n- Parses draft and 1.0 standard aggregate/rua reports\n- Parses forensic/failure/ruf reports\n- Can parse reports from an inbox over IMAP, Microsoft Graph, or Gmail API\n- Transparently handles gzip or zip compressed reports\n- Consistent data structures\n- Simple JSON and/or CSV output\n- Optionally email the results\n- Optionally send the results to Elasticsearch and/or Splunk, for use with premade dashboards\n- Optionally send reports to Apache Kafka\n\n![image](https://user-images.githubusercontent.com/100603074/217382301-064ac450-3690-469d-9c86-c2e3c6cdeca9.png)\n\n*Image used from https://github.com/domainaware/parsedmarc*\n\n### [🔙](#tool-list)[Phishing Catcher](https://github.com/x0rz/phishing_catcher)\n\nFor a business, phishing can cause reputational and financial damage to you and your customers. Being able to proactively identify phishing infrastructure targeting your business helps to reduce the risk of these damages.\n\nPhishing Catcher allows you to catch possible phishing domains in near real time by looking for suspicious TLS certificate issuances reported to the Certificate Transparency Log (CTL) via the CertStream API. 
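How such a scorer can work, as an added example (not Phishing Catcher's own code): each domain name taken from a newly logged certificate is scored for phishing keywords, one-character brand look-alikes, cheap or frequently abused TLDs, hyphen count, subdomain depth and character entropy, then bucketed by threshold. The weights, brand list, TLD list, thresholds and the sample feed below are constructed for illustration rather than taken from the project's configuration.

```python
"""Score a domain name seen in a newly logged TLS certificate for phishing
likelihood. Added example in the spirit of Phishing Catcher, not the project's
own code; keyword weights, brand list, TLD list, thresholds and the sample
feed are constructed for illustration."""
import math
import re

# Constructed scoring configuration.
KEYWORDS = {"login": 25, "verify": 30, "account": 25, "secure": 20, "update": 15}
BRANDS = {"paypal": 70, "microsoft": 70, "apple": 60}
SUSPICIOUS_TLDS = {"tk", "ml", "ga", "cf", "gq", "xyz", "top"}
LEVELS = [(120, "critical"), (90, "high"), (65, "suspicious")]

# Constructed feed of domain names, as if pulled from certificate log entries.
SAMPLE_FEED = [
    "www.example.org",
    "paypal-login-verify.example.tk",
    "paypa1.tk",
    "*.secure-account-update.xyz",
    "mail.example.test",
]


def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking labels score higher."""
    if not text:
        return 0.0
    counts = {ch: text.count(ch) for ch in set(text)}
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character brand look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_domain(domain: str) -> int:
    domain = domain.lower().lstrip("*.")  # wildcard certificates
    labels = domain.split(".")
    body = ".".join(labels[:-1])          # everything but the TLD
    score = 0
    if labels[-1] in SUSPICIOUS_TLDS:
        score += 20
    score += int(shannon_entropy(body) * 10)
    for keyword, weight in KEYWORDS.items():
        if keyword in body:
            score += weight
    for word in re.split(r"[.-]", body):
        for brand, weight in BRANDS.items():
            if word == brand:
                score += weight
            elif len(word) > 4 and levenshtein(word, brand) == 1:
                score += weight       # look-alike, e.g. a digit for a letter
    score += body.count("-") * 3
    if len(labels) > 3:
        score += (len(labels) - 3) * 5  # deeply nested subdomains
    return score


def classify(score: int) -> str:
    for threshold, label in LEVELS:
        if score >= threshold:
            return label
    return "likely benign"


def triage(domains) -> list:
    """Keep only domains that reach at least the lowest alert level."""
    flagged = []
    for domain in domains:
        score = score_domain(domain)
        if score >= LEVELS[-1][0]:
            flagged.append((domain, score, classify(score)))
    return flagged


if __name__ == "__main__":
    for domain, score, level in triage(SAMPLE_FEED):
        print(f"{level:>13}  {score:4d}  {domain}")
```

The thresholds are the tuning knob: set them from a week of real certificate-log traffic for your brands and you get a feed that is short enough to review by hand. Entropy alone is a weak signal (legitimate CDN hostnames are random too), which is why it is only one term among several.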
\n\n\"Suspicious\" issuances are those whose domain name scores beyond a certain threshold based on a configuration file.\n\n![image](https://user-images.githubusercontent.com/100603074/217382453-400a044b-720d-47ce-adff-0a23e5511ae1.png)\n\n*Image used from https://github.com/x0rz/phishing_catcher*\n\n### [🔙](#tool-list)[maltrail](https://github.com/stamparm/maltrail)\n\nMaltrail is a malicious traffic detection system, utilizing publicly available lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists. A trail can be anything from a domain name, URL or IP address to an HTTP User-Agent header value.\n\nA demo page for this tool can be found [here](https://maltraildemo.github.io/).\n\n**Install:** \n\n```bash\nsudo apt-get install git python3 python3-dev python3-pip python-is-python3 libpcap-dev build-essential procps schedtool\nsudo pip3 install pcapy-ng\ngit clone --depth 1 https://github.com/stamparm/maltrail.git\ncd maltrail\n```\n\n**Usage:** \n\n```bash\nsudo python3 sensor.py\n```\n\n![image](https://user-images.githubusercontent.com/100603074/217382540-fa1283d7-9825-4529-a92f-11f447e4657b.png)\n\n*Image used from https://github.com/stamparm/maltrail*\n\n### [🔙](#tool-list)[AutorunsToWinEventLog](https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog)\n\nAutoruns is a tool developed by Sysinternals that allows you to view all of the locations in Windows where applications can insert themselves to launch at boot or when certain applications are opened. Malware often takes advantage of these locations to ensure that it runs whenever your computer boots up.\n\nAutoruns conveniently includes a non-interactive command line utility. This code generates a CSV of Autoruns entries, converts them to JSON, and finally inserts them into a custom Windows Event Log. 
By doing this, we can take advantage of our existing WEF infrastructure to get these entries into our SIEM and start looking for signs of malicious persistence on endpoints and servers.\n\n**Install:** \n\nDownload [AutorunsToWinEventLog](https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog).\n\n**Usage:** \n\nFrom an Admin Powershell console run `.\\Install.ps1` \n\nThis script does the following:\n\n- Creates the directory structure at c:\\Program Files\\AutorunsToWinEventLog\n- Copies over AutorunsToWinEventLog.ps1 to that directory\n- Downloads Autorunsc64.exe from https://live.sysinternals.com\n- Sets up a scheduled task to run the script daily @ 11am\n\n![image](https://user-images.githubusercontent.com/100603074/218199447-40e7add1-68ee-44e2-a297-3bf03c977a9c.png)\n\n*Image used from https://www.detectionlab.network/usage/autorunstowineventlog/*\n\n### [🔙](#tool-list)[procfilter](https://github.com/godaddy/procfilter)\n\nProcFilter is a process filtering system for Windows with built-in [YARA](https://github.com/virustotal/yara) integration. YARA rules can be instrumented with custom meta tags that tailor its response to rule matches. It runs as a Windows service and is integrated with [Microsoft's ETW API](https://msdn.microsoft.com/en-us/library/windows/desktop/bb968803%28v=vs.85%29.aspx), making results viewable in the Windows Event Log. Installation, activation, and removal can be done dynamically and does not require a reboot.\n\nProcFilter's intended use is for malware analysts to be able to create YARA signatures that protect their Windows environments against a specific threat. It does not include a large signature set. Think lightweight, precise, and targeted rather than broad or all-encompassing. 
ProcFilter is also intended for use in controlled analysis environments where custom plugins can perform artifact-specific actions.\n\n**Install:** \n\n[ProcFilter x86/x64 Release/Debug Installers](https://github.com/godaddy/procfilter/releases)\n\n*Note: Unpatched Windows 7 systems require hotfix 3033929 to load the driver component. More information can be found here.*\n\nNice configuration template file [here](https://github.com/godaddy/procfilter/blob/master/files/procfilter.ini).\n\n**Usage:** \n\n```\nprocfilter -start\n```\n\nUsage screenshots can be found [here](https://github.com/godaddy/procfilter#screenshots).\n\n![image](https://user-images.githubusercontent.com/100603074/218200282-f2465b93-169a-43d6-8e12-dea61ed9272c.png)\n\n*Image used from https://github.com/godaddy/procfilter*\n\n### [🔙](#tool-list)[velociraptor](https://github.com/Velocidex/velociraptor)\n\nVelociraptor is a unique, advanced open-source endpoint monitoring, digital forensic and cyber response platform.\n\nIt was developed by Digital Forensic and Incident Response (DFIR) professionals who needed a powerful and efficient way to hunt for specific artifacts and monitor activities across fleets of endpoints. 
Velociraptor provides you with the ability to more effectively respond to a wide range of digital forensic and cyber incident response investigations and data breaches.\n\nFeatures:\n\n- Reconstruct attacker activities through digital forensic analysis\n- Hunt for evidence of sophisticated adversaries\n- Investigate malware outbreaks and other suspicious network activities\n- Monitor continuously for suspicious user activities, such as files copied to USB devices\n- Discover whether disclosure of confidential information occurred outside the network\n- Gather endpoint data over time for use in threat hunting and future investigations\n\n**Install:** \n\nDownload the binary from the [release page](https://github.com/Velocidex/velociraptor/releases).\n\n**Usage:** \n\n```\nvelociraptor gui\n```\n\nFull usage information can be found [here](https://docs.velociraptor.app/).\n\n![image](https://user-images.githubusercontent.com/100603074/218200327-3f5ab599-11f1-46dc-8f28-b27c1258224a.png)\n\n*Image used from https://docs.velociraptor.app*\n\n### [🔙](#tool-list)[SysmonSearch](https://github.com/JPCERTCC/SysmonSearch)\n\nSysmonSearch makes event log analysis more effective and less time-consuming by aggregating event logs generated by Microsoft's Sysmon.\n\n  SysmonSearch uses Elasticsearch and Kibana (and a Kibana plugin).\n  * **Elasticsearch**  \n    Elasticsearch collects/stores Sysmon's event log.\n  * **Kibana**  \n    Kibana provides a user interface for your Sysmon's event log analysis. 
The following functions are implemented as a Kibana plugin.\n    * Visualize Function  \n      This function visualizes Sysmon's event logs to illustrate the correlation of processes and networks.\n    * Statistical Function  \n      This function collects the statistics of each device or Sysmon's event ID.\n    * Monitor Function  \n      This function monitors incoming logs based on preconfigured rules and triggers alerts.\n  * **StixIoC server**  \n    You can add search/monitor conditions by uploading a STIX/IOC file. From the StixIoC server Web UI, you can upload STIXv1, STIXv2 and OpenIOC format files.\n\n**Install: (Linux)** \n\n```bash\ngit clone https://github.com/JPCERTCC/SysmonSearch.git\n```\n\n[Modify Elasticsearch configuration](https://github.com/JPCERTCC/SysmonSearch/wiki/Install#elasticsearch-server-setup)\n\n[Modify Kibana configuration](https://github.com/JPCERTCC/SysmonSearch/wiki/Install#kibana-server-setup)\n\nFull installation instructions can be found [here](https://github.com/JPCERTCC/SysmonSearch/wiki/Install).\n\n**Usage:** \n\n*Once Elasticsearch and Kibana configurations have been modified, restart the services and navigate to your Kibana interface. The SysmonSearch ribbon should be visible.*\n\n[Visualize the Sysmon log to investigate suspicious behavior](https://blogs.jpcert.or.jp/ja/2018/09/SysmonSearch.html)\n\n![image](https://user-images.githubusercontent.com/100603074/218200383-84e4c9f4-3e34-4973-b37c-a9160a74b5e0.png)\n\n*Image used from https://blogs.jpcert.or.jp/ja/2018/09/SysmonSearch.html*\n\nThreat Tools and Techniques\n====================\n\n*Tools for identifying and implementing detections against TTPs used by threat actors.*\n\n### [🔙](#tool-list)[lolbas-project.github.io](https://lolbas-project.github.io/)\n\nLiving off the land binaries (LOLBins) are legitimate Windows executables that can be used by threat actors to carry out malicious activities without raising suspicion. 
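Turning LOLBAS-style detection notes into something that runs, as an added example that is not code from the LOLBAS project: a small rule set matched against Sysmon process-creation (Event ID 1) records, with a context rule for any watched binary launched by an Office application. The rules and the five events are constructed for illustration; the three binaries are the ones whose LOLBAS pages are linked in this section.

```python
"""Flag process-creation events that involve living-off-the-land binaries.
Added example, not code from the LOLBAS project: the rules are constructed
for illustration (modelled on the kind of detection notes LOLBAS publishes
per binary) and the events are constructed Sysmon Event ID 1 style records."""
import ntpath
import re

# Constructed rules: (rule name, binary, command-line pattern).
RULES = [
    ("certutil remote fetch", "certutil.exe", re.compile(r"-urlcache", re.I)),
    ("certutil encode/decode", "certutil.exe", re.compile(r"-(en|de)code\b", re.I)),
    ("bitsadmin transfer", "bitsadmin.exe", re.compile(r"/(transfer|addfile)\b", re.I)),
    ("cscript from user-writable path", "cscript.exe",
     re.compile(r"\\(temp|appdata|public)\\", re.I)),
]
LOLBINS = {binary for _, binary, _ in RULES}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def basename(path: str) -> str:
    """Normalise a Windows image path to its lower-case file name."""
    return ntpath.basename(path).lower()


def evaluate(event: dict) -> list:
    """Return the names of every rule the event matches."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    command = event.get("CommandLine", "")
    hits = [name for name, binary, pattern in RULES
            if image == binary and pattern.search(command)]
    # Context rule: any watched binary launched by an Office application.
    if image in LOLBINS and parent in OFFICE_PARENTS:
        hits.append("lolbin spawned by office application")
    return hits


def detect(events) -> list:
    """Run every event through the rules and collect alerts for a SIEM."""
    alerts = []
    for event in events:
        for rule in evaluate(event):
            alerts.append({"rule": rule, "host": event.get("Computer"),
                           "image": event.get("Image"),
                           "parent": event.get("ParentImage"),
                           "command": event.get("CommandLine")})
    return alerts


# Constructed events (Sysmon Event ID 1 fields), not captured from a real host.
SAMPLE_EVENTS = [
    {"Computer": "ws01", "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certutil.exe -urlcache -f http://files.example.test/update.dat update.dat"},
    {"Computer": "ws01", "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\mmc.exe",
     "CommandLine": "certutil.exe -verify server.cer"},
    {"Computer": "ws02", "Image": r"C:\Windows\System32\bitsadmin.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"bitsadmin /transfer job1 http://files.example.test/a.bin C:\Users\Public\a.bin"},
    {"Computer": "ws03", "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"cscript.exe C:\Users\alice\AppData\Local\Temp\invoice.vbs"},
    {"Computer": "ws01", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['host']}] {alert['rule']}: {alert['command']}")
```

The second certutil event shows why the rules key on arguments and not just on the binary: administrators run these tools legitimately, and alerting on every execution would bury the signal. Parent-process context (the Office rule) is the cheapest way to raise confidence without adding more string patterns.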
\n\nUsing LOLBins allows attackers to blend in with normal system activity and evade detection, making them a popular choice for malicious actors.\n\nThe LOLBAS project is a MITRE mapped list of LOLBINS with commands, usage and detection information for defenders.\n\nVisit [https://lolbas-project.github.io/](https://lolbas-project.github.io/).\n\n**Usage:** \n\nUse the information for detection opportunities to harden your infrastructure against LOLBIN usage. \n\nHere are some project links to get started:\n\n- [Bitsadmin.exe](https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/)\n- [Certutil.exe](https://lolbas-project.github.io/lolbas/Binaries/Certutil/)\n- [Cscript.exe](https://lolbas-project.github.io/lolbas/Binaries/Cscript/)\n\n![image](https://user-images.githubusercontent.com/100603074/210625466-9ab87233-e822-4961-a68a-f863f56ef830.png)\n\n*Image used from https://lolbas-project.github.io/*\n\n### [🔙](#tool-list)[gtfobins.github.io](https://gtfobins.github.io/)\n\nGTFOBins (short for \"Get The F* Out Binaries\") is a collection of Unix binaries that can be used to escalate privileges, bypass restrictions, or execute arbitrary commands on a system.\n\nThey can be used by threat actors to gain unauthorized access to systems and carry out malicious activities.\n\nThe GTFOBins project is a list of Unix binaries with command and usage information for attackers. 
This information can be used to implement Unix detections.\n\nVisit [https://gtfobins.github.io/](https://gtfobins.github.io/).\n\n**Usage:** \n\nHere are some project links to get started:\n\n- [base64](https://gtfobins.github.io/gtfobins/base64/)\n- [curl](https://gtfobins.github.io/gtfobins/curl/)\n- [nano](https://gtfobins.github.io/gtfobins/nano/)\n\n![image](https://user-images.githubusercontent.com/100603074/210625527-6a037b81-e3fe-4282-a193-1cc4b9c06f75.png)\n\n*Image used from https://gtfobins.github.io/*\n\n### [🔙](#tool-list)[filesec.io](https://filesec.io/)\n\nFilesec is a list of file extensions that can be used by attackers for phishing, execution, macros, etc.\n\nThis is a nice resource to understand the malicious use cases of common file extensions and ways that you can defend against them.\n\nEach file extension page contains a description, related operating system and recommendations.\n\nVisit [https://filesec.io/](https://filesec.io/).\n\n**Usage:** \n\nHere are some project links to get started:\n\n- [.Docm](https://filesec.io/docm)\n- [.Iso](https://filesec.io/iso)\n- [.Ppam](https://filesec.io/ppam)\n\n![image](https://user-images.githubusercontent.com/100603074/210625626-58223992-2821-42c6-878a-e6aea4b9a508.png)\n\n*Image used from https://filesec.io/*\n\n### [🔙](#tool-list)[KQL Search](https://www.kqlsearch.com/)\n\nKQL stands for \"Kusto Query Language\", and it is a query language used to search and filter data in Azure Monitor logs. 
It is similar to SQL, but is more optimized for log analytics and time-series data.\n\nKQL is particularly useful for blue teamers because it allows you to quickly and easily search through large volumes of log data to identify security events and anomalies that may indicate a threat.\n\nKQL Search is a web app created by [@ugurkocde](https://twitter.com/ugurkocde) that aggregates KQL queries that are shared on GitHub.\n\nYou can visit the site at [https://www.kqlsearch.com/](https://www.kqlsearch.com/).\n\nMore information about Kusto Query Language (KQL) can be found [here](https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/).\n\n![image](https://user-images.githubusercontent.com/100603074/210736862-1e0cf987-7c85-40c1-b51c-1f3a1f946f7d.png)\n\n*Image used from https://www.kqlsearch.com/*\n\n### [🔙](#tool-list)[Unprotect Project](https://unprotect.it/about/)\n\nMalware authors spend a great deal of time and effort to develop complex code to perform malicious actions against a target system. It is crucial for malware to remain undetected and avoid sandbox analysis, antivirus products and malware analysts.\n\nWith these kinds of techniques, malware is able to pass under the radar and stay undetected on a system. 
The goal of this free database is to centralize the information about malware evasion techniques.\n\nThe project aims to provide Malware Analysts and Defenders with actionable insights and detection capabilities to shorten their response times.\n\nThe project can be found at [https://unprotect.it/](https://unprotect.it/).\n\nThe project has an API - Docs [here](https://unprotect.it/api/).\n\n![image](https://user-images.githubusercontent.com/100603074/210743650-6adaddce-ecb3-41bb-854b-292482b73d55.png)\n\n*Image used from https://unprotect.it/map/*\n\n### [🔙](#tool-list)[chainsaw](https://github.com/WithSecureLabs/chainsaw)\n\nChainsaw provides a powerful ‘first-response’ capability to quickly identify threats within Windows forensic artefacts such as Event Logs and MFTs. Chainsaw offers a generic and fast method of searching through event logs for keywords, and identifies threats using built-in support for Sigma detection rules as well as custom Chainsaw detection rules.\n\nFeatures:\n\n- Hunt for threats using Sigma detection rules and custom Chainsaw detection rules\n- Search and extract forensic artefacts by string matching, and regex patterns\n- Lightning fast, written in Rust, wrapping the EVTX parser library by @OBenamram\n- Clean and lightweight execution and output formats without unnecessary bloat\n- Document tagging (detection logic matching) provided by the TAU Engine Library\n- Output results in a variety of formats, such as ASCII table format, CSV format, and JSON format\n- Can be run on macOS, Linux and Windows\n\n**Install:** \n\n```bash\ngit clone https://github.com/countercept/chainsaw.git\ncargo build --release\ngit clone https://github.com/SigmaHQ/sigma\ngit clone https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES.git\n```\n\n**Usage:** \n\n```bash\n./chainsaw hunt EVTX-ATTACK-SAMPLES/ -s sigma/ --mapping 
mappings/sigma-event-logs-all.yml\n```\n\n![image](https://user-images.githubusercontent.com/100603074/217382675-1834c13d-1789-4ea7-a46e-25808477bcf0.png)\n\n*Image used from https://twitter.com/FranticTyping/status/1433386064429916162/*\n\n### [🔙](#tool-list)[freq](https://github.com/MarkBaggett/freq)\n\nAdversaries attempt to bypass signature-based, pattern-matching and blacklist techniques by introducing random filenames, service names, workstation names, domains, hostnames, SSL cert subjects and issuer subjects, etc.\n\nFreq is a Python API designed by Mark Baggett to handle mass entropy testing. It was designed to be used in conjunction with SIEM solutions but can work with anything that can submit a web request.\n\nThe tool uses frequency tables that map how likely one character is to follow another.\n\n**Install:** \n\n```bash\ngit clone https://github.com/MarkBaggett/freq\ncd freq\n```\n\n**Usage:** \n\n```bash\n# Running freq_server.py on port 10004 and using a frequency table of /opt/freq/dns.freq\n/usr/bin/python /opt/freq/freq_server.py 10004 /opt/freq/dns.freq\n```\n\n### [🔙](#tool-list)[yarGen](https://github.com/Neo23x0/yarGen)\n\nyarGen is a generator for YARA rules.\n\nThe main principle is the creation of YARA rules from strings found in malware files while removing all strings that also appear in goodware files. Therefore yarGen includes a big goodware strings and opcode database as ZIP archives that have to be extracted before the first use.\n\nThe rule generation process also tries to identify similarities between the files that get analyzed and then combines the strings to so-called super rules. The super rule generation does not remove the simple rule for the files that have been combined in a single super rule. This means that there is some redundancy when super rules are created. 
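The string-subtraction and super-rule idea in miniature, as an added example rather than yarGen's own code: printable strings are extracted from each sample, anything also found in a goodware baseline is dropped, strings shared by two or more samples become a super rule, and a `nosimple` switch suppresses the per-sample rules that the super rule already covers. The samples and the goodware baseline are constructed byte blobs, far smaller than yarGen's databases.

```python
"""Build YARA rules from strings that occur in malware samples but not in a
goodware baseline, plus a 'super rule' from strings several samples share.
Added example, not yarGen's own code; the sample blobs and the goodware
baseline are constructed here and tiny compared with yarGen's databases."""
import re
from collections import Counter

MIN_LEN = 6
ASCII_STRING = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# Constructed goodware baseline: strings found in ordinary binaries that
# must never end up in a rule.
GOODWARE = [
    b"\x00KERNEL32.dll\x00GetProcAddress\x00LoadLibraryA\x00",
    b"Microsoft Visual C++ Runtime\x00",
    b"This program cannot be run in DOS mode\x00",
]

# Constructed "malware" samples: A and B share two strings and have one
# unique string each; C is unrelated.
SAMPLES = {
    "sample_a.bin": b"MZ\x90\x00This program cannot be run in DOS mode\x00KERNEL32.dll\x00"
                    b"Mozilla/4.0 (compatible; MSIE 6.0)\x00login.accounts-example.test\x00"
                    b"!MARKER_ONLY_IN_A\x00",
    "sample_b.bin": b"MZ\x90\x00This program cannot be run in DOS mode\x00"
                    b"Mozilla/4.0 (compatible; MSIE 6.0)\x00login.accounts-example.test\x00"
                    b"\\Temp\\stage2.tmp\x00",
    "sample_c.bin": b"MZ\x90\x00LoadLibraryA\x00Unrelated Helper Utility v1.2\x00",
}


def extract_strings(blob: bytes) -> set:
    """Printable ASCII runs of at least MIN_LEN characters."""
    return {m.decode("ascii") for m in ASCII_STRING.findall(blob)}


def goodware_strings(blobs) -> set:
    return set().union(*(extract_strings(b) for b in blobs))


def candidate_strings(sample: bytes, baseline: set) -> set:
    """Strings worth putting in a rule: in the sample, absent from goodware."""
    return extract_strings(sample) - baseline


def yara_escape(s: str) -> str:
    return s.replace("\\", "\\\\").replace('"', '\\"')


def rule_name(name: str) -> str:
    return re.sub(r"[^A-Za-z0-9_]", "_", name)


def build_rule(name: str, strings: set, sources) -> str:
    """Emit rule text; the MZ check keeps the rule from matching non-PE files."""
    lines = [f"rule {name}", "{", "    meta:",
             f'        description = "auto-generated from {", ".join(sources)}"',
             "    strings:"]
    for i, s in enumerate(sorted(strings)):
        lines.append(f'        $s{i} = "{yara_escape(s)}"')
    condition = "all of them" if len(strings) <= 3 else "3 of them"
    lines += ["    condition:", f"        uint16(0) == 0x5a4d and {condition}", "}"]
    return "\n".join(lines)


def generate(samples: dict, goodware, nosimple: bool = False) -> dict:
    """Return {rule name: rule text}. With nosimple=True, samples already
    covered by a super rule get no simple rule of their own."""
    baseline = goodware_strings(goodware)
    per_sample = {n: candidate_strings(b, baseline) for n, b in samples.items()}
    occurrences = Counter(s for strings in per_sample.values() for s in strings)
    super_strings = {s for s, n in occurrences.items() if n >= 2}
    rules, covered = {}, set()
    if super_strings:
        members = [n for n, strings in per_sample.items() if strings & super_strings]
        covered.update(members)
        rules["super_rule_1"] = build_rule("super_rule_1", super_strings, members)
    for name, strings in per_sample.items():
        if strings and not (nosimple and name in covered):
            rules[rule_name(name)] = build_rule(rule_name(name), strings, [name])
    return rules


if __name__ == "__main__":
    for text in generate(SAMPLES, GOODWARE).values():
        print(text, end="\n\n")
```

Running it prints four rules; with `generate(SAMPLES, GOODWARE, nosimple=True)` only the super rule and the rule for the unrelated sample remain, which is the redundancy the paragraph above describes. The quality of the baseline decides the quality of the rules: a string like the DOS stub message would match every PE on disk if the baseline did not remove it.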
You can suppress the simple rule for a file that is already covered by a super rule by using --nosimple.\n\n**Install:** \n\nDownload the latest [release](https://github.com/Neo23x0/yarGen/releases).\n\n```bash\npip install -r requirements.txt\npython yarGen.py --update\n```\n\n**Usage:** \n\n```bash\n# Create a new strings and opcodes database from an Office 2013 program directory\nyarGen.py -c --opcodes -i office -g /opt/packs/office2013\n\n# Update the once created databases with the \"-u\" parameter\nyarGen.py -u --opcodes -i office -g /opt/packs/office365\n```\n\nUsage examples can be found [here](https://github.com/Neo23x0/yarGen#examples).\n\n![image](https://user-images.githubusercontent.com/100603074/218200487-8476950d-c63e-4d5a-a03c-f2969b6001cc.png)\n\n*Image used from https://github.com/Neo23x0/yarGen*\n\n### [🔙](#tool-list)[EmailAnalyzer](https://github.com/keraattin/EmailAnalyzer)\n\nWith EmailAnalyzer you can analyze suspicious emails. You can extract headers, links and hashes from an .eml file.\n\n**Install:** \n\n```bash\ngit clone https://github.com/keraattin/EmailAnalyzer\ncd EmailAnalyzer\n```\n\n**Usage:** \n\n```bash\n# View headers in eml file\npython3 email-analyzer.py -f \u003ceml file\u003e --headers\n\n# Get hashes \npython3 email-analyzer.py -f \u003ceml file\u003e --digests\n\n# Get links\npython3 email-analyzer.py -f \u003ceml file\u003e --links\n\n# Get attachments\npython3 email-analyzer.py -f \u003ceml file\u003e --attachments\n```\n\n![image](https://user-images.githubusercontent.com/100603074/218200574-d9917b8c-433b-4bab-8db0-b6628b0d9424.png)\n\n*Text used from https://github.com/keraattin/EmailAnalyzer*\n\n### [🔙](#tool-list)[VCG](https://github.com/nccgroup/VCG)\n\nVCG is an automated code security review tool that handles C/C++, Java, C#, VB and PL/SQL. 
It has a few features that should hopefully make it useful to anyone conducting code security reviews, particularly where time is at a premium:\n\n- In addition to performing some more complex checks it also has a config file for each language that basically allows you to add any bad functions (or other text) that you want to search for\n- It attempts to find a range of around 20 phrases within comments that can indicate broken code (“ToDo”, “FixMe”, “Kludge”, etc.)\n- It provides a nice pie chart (for the entire codebase and for individual files) showing relative proportions of code, whitespace, comments, ‘ToDo’ style comments and bad code\n\n**Install:** \n\nYou can install the pre-compiled binary here.\n\nOpen the project .sln, choose \"Release\", and build.\n\n**Usage:** \n\n```\nSTARTUP OPTIONS:\n\t(Set desired starting point for GUI. If using console mode these options will set target(s) to be scanned.)\n\t-t, --target \u003cFilename|DirectoryName\u003e:\tSet target file or directory. Use this option either to load target immediately into GUI or to provide the target for console mode.\n\t-l, --language \u003cCPP|PLSQL|JAVA|CS|VB|PHP|COBOL\u003e:\tSet target language (Default is C/C++).\n\t-e, --extensions \u003cext1|ext2|ext3\u003e:\tSet file extensions to be analysed (See ReadMe or Options screen for language-specific defaults).\n\t-i, --import \u003cFilename\u003e:\tImport XML/CSV results to GUI.\n\nOUTPUT OPTIONS:\n\t(Automagically export results to a file in the specified format. 
Use XML or CSV output if you wish to reload results into the GUI later on.)\n\t-x, --export \u003cFilename\u003e:\tAutomatically export results to XML file.\n\t-f, --csv-export \u003cFilename\u003e:\tAutomatically export results to CSV file.\n\t-r, --results \u003cFilename\u003e:\tAutomatically export results to flat text file.\n\nCONSOLE OPTIONS:\n\t-c, --console:\t\tRun application in console only (hide GUI).\n\t-v, --verbose:\t\tSet console output to verbose mode.\n\t-h, --help:\t\tShow help.\n```\n\n### [🔙](#tool-list)[CyberChef](https://gchq.github.io/CyberChef/)\n\nCyberChef is a free, web-based tool that allows users to manipulate and transform data using a wide range of techniques.\n\nWith CyberChef, you can perform a wide range of operations on data, such as converting between different data formats (e.g., hexadecimal, base64, ASCII), encoding and decoding data, searching and replacing text etc.\n\nThe tool also includes a recipe system, which allows you to save and share data manipulation workflows with others.\n\nThe tool can be used from [here](https://gchq.github.io/CyberChef/).\n\n![image](https://user-images.githubusercontent.com/100603074/223865168-433fcd56-12e9-44a2-83aa-1531d711383d.png)\n\n*Image used from https://gchq.github.io/CyberChef/*\n\nThreat Intelligence\n====================\n\n*Tools for gathering and analyzing intelligence about current and emerging threats, and for generating alerts about potential threats.*\n\n### [🔙](#tool-list)[Maltego](https://www.maltego.com/solutions/cyber-threat-intelligence/)\n\nMaltego is a commercial threat intelligence and forensics tool developed by Paterva. It is used by security professionals to gather and analyze information about domains, IP addresses, networks, and individuals in order to identify relationships and connections that might not be immediately apparent.\n\nMaltego uses a visual interface to represent data as entities, which can be linked together to form a network of relationships. 
It includes a range of transforms, which are scripts that can be used to gather data from various sources, such as social media, DNS records, and WHOIS data.\n\nMaltego is often used in conjunction with other security tools, such as SIEMs and vulnerability scanners, as part of a comprehensive threat intelligence and incident response strategy.\n\nYou can schedule a demo [here](https://www.maltego.com/get-a-demo/).\n\n[Maltego Handbook for Cyber Threat Intelligence](https://static.maltego.com/cdn/Handbooks/Maltego-Handbook-for-Cyber-Threat-Intelligence.pdf)\n\n![image](https://user-images.githubusercontent.com/100603074/210655712-e1409206-de1d-4601-88a5-f5a6ac3928c7.png)\n\n*Image used from https://www.maltego.com/reduce-your-cyber-security-risk-with-maltego/*\n\n### [🔙](#tool-list)[MISP](https://www.misp-project.org/)\n\nMISP (short for Malware Information Sharing Platform) is an open-source platform for sharing, storing, and correlating Indicators of Compromise (IOCs) of targeted attacks, threats, and malicious activity.\n\nMISP includes a range of features, such as real-time sharing of IOCs, support for multiple formats, and the ability to import and export data to and from other tools. \n\nIt also provides a RESTful API and various data models to facilitate the integration of MISP with other security systems. 
In addition to its use as a threat intelligence platform, MISP is also used for incident response, forensic analysis, and malware research.\n\n**Install:** \n\n```bash\n# Kali\nwget -O /tmp/misp-kali.sh https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.sh \u0026\u0026 bash /tmp/misp-kali.sh\n\n# Ubuntu 20.04.2.0-server\nwget -O /tmp/INSTALL.sh https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/INSTALL.sh\nbash /tmp/INSTALL.sh\n```\n\nFull installation instructions can be found [here](https://misp.github.io/MISP/).\n\n**Usage:** \n\nMISP documentation can be found [here](https://www.misp-project.org/documentation/).\n\n[MISP user guide](https://github.com/MISP/misp-book)\n\n[MISP Training Cheat sheet](https://www.misp-project.org/misp-training/cheatsheet.pdf)\n\n![image](https://user-images.githubusercontent.com/100603074/210655743-b7fd5ab0-a106-4277-815d-c674525a9a91.png)\n\n*Image used from http://www.concordia-h2020.eu/blog-post/integration-of-misp-into-flowmon-ads/*\n\n### [🔙](#tool-list)[ThreatConnect](https://threatconnect.com/threat-intelligence-platform/)\n\nThreatConnect is a threat intelligence platform that helps organizations aggregate, analyze, and act on threat data. 
It is designed to provide a single, unified view of an organization's threat landscape and enable users to collaborate and share information about threats.\n\nThe platform includes a range of features for collecting, analyzing, and disseminating threat intelligence, such as a customizable dashboard, integration with third-party data sources, and the ability to create custom reports and alerts.\n\nIt is intended to help organizations improve their security posture by providing them with the information they need to identify, prioritize, and respond to potential threats.\n\nYou can request a demo from [here](https://threatconnect.com/request-a-demo/).\n\n[ThreatConnect for Threat Intel Analysts - PDF](https://threatconnect.com/wp-content/uploads/2022/12/Intel-Analysts-Datasheet.pdf)\n\n![image](https://user-images.githubusercontent.com/100603074/210655770-4413ead0-6216-47fe-a933-cbe0be9f86a1.png)\n\n*Image used from https://threatconnect.com/threat-intelligence-platform/*\n\n### [🔙](#tool-list)[Adversary Emulation Library](https://github.com/center-for-threat-informed-defense/adversary_emulation_library)\n\nThis is a library of adversary emulation plans to enable you to evaluate your defensive capabilities against real-world threats.\n\nEmulation plans are an essential component for organizations looking to prioritize defenses against behavior from specific threats.\n\nThe TTPs outlined in this resource can be used to design specific threat emulation activities to test your organisation's defenses against specific threat actors.\n\nVisit the resource [here](https://github.com/center-for-threat-informed-defense/adversary_emulation_library).\n\n**Example (Sandworm)**\n\n- [Sandworm Emulated Software Source Code](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/sandworm/Resources)\n- [Sandworm Detection Scenario 
Walkthrough](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/sandworm/Emulation_Plan/Scenario_1)\n- [Sandworm Intelligence Summary](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/sandworm/Intelligence_Summary/Intelligence_Summary.md)\n\n![image](https://user-images.githubusercontent.com/100603074/223865356-c4d491c3-edba-40d6-80b2-5c41029bddfd.png)\n\n*Image used from https://github.com/center-for-threat-informed-defense/adversary_emulation_library*\n\nIncident Response Planning\n====================\n\n*Tools for creating and maintaining an incident response plan, including templates and best practices for responding to different types of incidents.*\n\n### [🔙](#tool-list)[NIST](https://www.nist.gov/cyberframework)\n\nThe NIST Cybersecurity Framework (CSF) is a framework developed by the National Institute of Standards and Technology (NIST) to help organizations manage cybersecurity risks. It provides a set of guidelines, best practices, and standards for implementing and maintaining a robust cybersecurity program.\n\nCSF 1.1 (linked below) is organized around five core functions: Identify, Protect, Detect, Respond, and Recover. CSF 2.0, published in February 2024, adds a sixth function, Govern, covering risk-management strategy, roles and policy. These functions provide a structure for understanding and addressing the various components of cybersecurity risk; for incident response planning, the Respond and Recover functions (analysis, containment, communications, recovery planning) are the ones to map your plan against.\n\nThe CSF is designed to be flexible and adaptable, and it can be customized to fit the specific needs and goals of an organization. 
It is intended to be used as a tool for improving an organization's cybersecurity posture and for helping organizations better understand and manage their cybersecurity risks.\n\n**Useful Links:** \n\n[NIST Quickstart Guide](https://csrc.nist.gov/Projects/cybersecurity-framework/nist-cybersecurity-framework-a-quick-start-guide)\n\n[Framework for Improving Critical Infrastructure Cybersecurity (CSF 1.1)](https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf)\n\n[NIST SP 800-61 Rev. 2 - Computer Security Incident Handling Guide](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf)\n\n[Data Breach Response: A Guide for Business](https://www.ftc.gov/business-guidance/resources/data-breach-response-guide-business)\n\n[NIST Events and Presentations](https://www.nist.gov/cyberframework/events-and-presentations)\n\n[Twitter - @NISTcyber](https://www.twitter.com/NISTcyber)\n\n![image](https://user-images.githubusercontent.com/100603074/210655795-f809707f-fb3e-4df9-b07d-c4fa0392f020.png)\n\n*Image used from https://www.dell.com/en-us/blog/strengthen-security-of-your-data-center-with-the-nist-cybersecurity-framework/*\n\n### [🔙](#tool-list)Incident Response Plan\n\nAn incident response plan is a set of procedures that a company puts in place to manage and mitigate the impact of a security incident, such as a data breach or a cyber attack. At a minimum it names the roles involved and the escalation path, defines incident severity levels, and sets out the preparation, detection and analysis, containment, eradication, recovery and lessons-learned phases; a plan that has never been exercised (for example in a tabletop) should not be assumed to work.\n\nThe theory behind an incident response plan is that it helps a company to be prepared for and respond effectively to a security incident, which can minimize the damage and reduce the chances of it happening again in the future.\n\nThere are several reasons why businesses need an incident response plan:\n\n1. **To minimize the impact of a security incident:** An incident response plan helps a company to identify and address the source of a security incident as quickly as possible, which can help to minimize the damage and reduce the chances of it spreading.\n\n2. **To meet regulatory requirements:** Many industries have regulations that require companies to have an incident response plan in place. 
For example, the Payment Card Industry Data Security Standard (PCI DSS) requires merchants and other organizations that accept credit cards to have an incident response plan.\n\n3. **To protect reputation:** A security incident can damage a company's reputation, which can lead to a loss of customers and revenue. An incident response plan can help a company to manage the situation and minimize the damage to its reputation.\n\n4. **To reduce the cost of a security incident:** The cost of a security incident can be significant, including the cost of remediation, legal fees, and lost business. An incident response plan can help a company to minimize these costs by providing a roadmap for responding to the incident.\n\n**Useful Links:**\n\n[National Cyber Security Centre - Incident Response overview](https://www.ncsc.gov.uk/collection/incident-management/incident-response)\n\n[SANS - Security Policy Templates](https://www.sans.org/information-security-policy/)\n\n[SANS - Incident Handler's Handbook](https://www.sans.org/white-papers/33901/)\n\n[FRSecure - Incident Response Plan Template](https://frsecure.com/incident-response-plan-template/)\n\n[Cybersecurity and Infrastructure Security Agency - CYBER INCIDENT RESPONSE](https://www.cisa.gov/cyber-incident-response)\n\n[FBI - Incident Response Policy](https://www.fbi.gov/file-repository/incident-response-policy.pdf/view)\n\n![image](https://user-images.githubusercontent.com/100603074/210656422-d75791ae-797b-4135-bbd5-8b84335892ba.png)\n\n*Image used from https://www.ncsc.gov.uk/collection/incident-management/incident-response*\n\n### [🔙](#tool-list)Ransomware Response Plan\n\nRansomware is a type of malicious software that encrypts a victim's files. 
The attackers then demand a ransom from the victim to restore access to the files; hence the name ransomware. Most current ransomware operators also steal data before encrypting it and threaten to publish it (\"double extortion\"), so a response plan has to treat an attack as a data breach as well as an availability incident: restoring from backups does not by itself end the incident.\n\nThe theory behind a ransomware response plan is that it helps a company to be prepared for and respond effectively to a ransomware attack, which can minimize the impact of the attack and reduce the chances of it happening again in the future.\n\nThere are several reasons why businesses need a ransomware response plan:\n\n1. **To minimize the impact of a ransomware attack:** A ransomware response plan helps a company to identify and address a ransomware attack as quickly as possible, which can help to minimize the damage and reduce the chances of the ransomware spreading to other systems.\n\n2. **To protect against data loss:** Ransomware attacks can result in the loss of important data, which can be costly and disruptive for a business. A ransomware response plan can help a company to recover from an attack and avoid data loss, provided the backups it relies on are offline or immutable and restoration has actually been tested; ransomware routinely targets online backups first.\n\n3. **To protect reputation:** A ransomware attack can damage a company's reputation, which can lead to a loss of customers and revenue. A ransomware response plan can help a company to manage the situation and minimize the damage to its reputation.\n\n4. **To reduce the cost of a ransomware attack:** The cost of a ransomware attack can be significant, including the cost of remediation, legal fees, and lost business. 
A ransomware response plan can help a company to minimize these costs by providing a roadmap for responding to the attack.\n\n**Useful Links:**\n\n[National Cyber Security Centre - Mitigating malware and ransomware attacks](https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks)\n\n[NIST - Ransomware Protection and Response](https://csrc.nist.gov/Projects/ransomware-protection-and-response)\n\n[Cybersecurity and Infrastructure Security Agency - Ransomware Guide](https://www.cisa.gov/stopransomware/ransomware-guide)\n\n[Microsoft Security - Ransomware response](https://www.microsoft.com/en-us/security/blog/2019/12/16/ransomware-response-to-pay-or-not-to-pay/)\n\n[Blog - Creating a Ransomware Response Plan](https://www.msp360.com/resources/blog/designing-a-ransomware-response-plan/)\n\n![image](https://user-images.githubusercontent.com/100603074/210655863-d4044516-022a-4f6b-afaa-cf375c1f01b4.png)\n\n*Image used from https://csrc.nist.gov/Projects/ransomware-protection-and-response*\n\n### [🔙](#tool-list)[Incident Response Reference Guide](https://info.microsoft.com/rs/157-GQE-382/images/EN-US-CNTNT-emergency-doc-digital.pdf)\n\nThis is a “first aid” style of guidance for cybersecurity to help you prepare for a crisis and limit the potential damage in a crisis.\n\nThis includes tips and guidance for technical, operational, legal, and communications aspects of a major cybersecurity incident. 
\n\n**Key Takeaways**\n\n- **Preparation pays off** – Preparing for a major incident can reduce damage to the organization, as well as reduce incident cost and management difficulty.\n- **Operationalize your incident management processes** – Managing major cybersecurity incidents must be part of standard business risk management processes.\n- **Coordination is critical** – Effective cybersecurity incident management requires collaboration and coordination of technical, operations, communications, legal, and governance functions.\n- **Stay calm and do no harm in an incident** – Overreacting (for example wiping or rebooting compromised hosts before evidence has been captured) can be as damaging as underreacting.\n\nYou can read the paper [here](https://info.microsoft.com/rs/157-GQE-382/images/EN-US-CNTNT-emergency-doc-digital.pdf).\n\n![image](https://user-images.githubusercontent.com/100603074/223865803-a026ad87-00dd-4458-bf17-416a091566dd.png)\n\n*Image used from https://info.microsoft.com/rs/157-GQE-382/images/EN-US-CNTNT-emergency-doc-digital.pdf*\n\n### [🔙](#tool-list)[Awesome Incident Response](https://github.com/meirwah/awesome-incident-response)\n\nA curated list of tools and resources for security incident response, aimed at helping security analysts and [DFIR](https://www.acronymfinder.com/Digital-Forensics%2c-Incident-Response-%28DFIR%29.html) teams.\n\nThis is a great resource full of links for different aspects of incident response, including:\n\n- Adversary Emulation\n- All-In-One Tools\n- Books\n- Communities\n- Disk Image Creation Tools\n\nVisit the resource [here](https://github.com/meirwah/awesome-incident-response).\n\n![image](https://user-images.githubusercontent.com/100603074/223865479-b54a2f98-0c2c-4bf1-8072-58ea7bfe4fb0.png)\n\n*Image used from https://github.com/meirwah/awesome-incident-response*\n\nMalware Detection and Analysis\n====================\n\n*Tools for detecting and analyzing malware, including antivirus software and forensic analysis tools.*\n\n### 
[🔙](#tool-list)[VirusTotal](https://www.virustotal.com/gui/home/search)\n\nVirusTotal is a website and cloud-based tool that analyzes and scans files, URLs, and software for viruses, worms, and other types of malware.\n\nWhen a file, URL, or software is submitted to VirusTotal, the tool uses various antivirus engines and other tools to scan and analyze it for malware. It then provides a report with the results of the analysis, which can help security professionals and blue teams identify and respond to potential threats. \n\nVirusTotal can also be used to check the reputation of a file hash, URL, domain or IP address that turns up during an investigation and, with a paid licence, to run YARA rules against the existing corpus (Retrohunt) or against new submissions as they arrive (Livehunt).\n\n**Note:** files you upload are shared with VirusTotal's antivirus partners and are visible to other licensed users, so look the hash up before uploading anything internal or sensitive; a hash lookup sends only the hash, not the contents. The search modifiers below (`p:`, `fs:`, `tag:`, `entity:` and so on) need a VirusTotal Intelligence (Enterprise) licence; the free web interface supports plain hash, URL, domain and IP lookups.\n\nVisit [https://www.virustotal.com/gui/home/search](https://www.virustotal.com/gui/home/search)\n\n**Usage:** \n\n```bash\n# Recently created documents with macros embedded, detected by at least 5 AV engines\n(type:doc OR type:docx) tag:macros p:5+ generated:30d+\n\n# Excel files bundled with powershell scripts and uploaded to VT in the last 10 days\n(type:xls OR type:xlsx) tag:powershell fs:10d+\n\n# Follina-like exploit payloads\nentity:file magic:\"HTML document text\" tag:powershell have:itw_url\n\n# URLs related to specified parent domain/subdomain with a specific header in the response\nentity:url header_value:\"Apache/2.4.41 (Ubuntu)\" parent_domain:domain.org\n\n# Suspicious URLs with a specific HTML title\nentity:url ( title:\"XY Company\" or title:\"X.Y. 
Company\" or title:\"XYCompany\" ) p:5+\n```\n\nFull documentation can be found [here](https://support.virustotal.com/hc/en-us/categories/360000162878-Documentation).\n\n[VT INTELLIGENCE CHEAT SHEET](https://storage.googleapis.com/vtpublic/reports/VTI%20Cheatsheet.pdf)\n\n![image](https://user-images.githubusercontent.com/100603074/210655958-9a39783e-637e-46a3-a80c-4c64b389de60.png)\n\n*Image used from https://www.virustotal.com/gui/home/search*\n\n### [🔙](#tool-list)[IDA](https://hex-rays.com/ida-free/)\n\nIDA (Interactive Disassembler) is a powerful tool used to reverse engineer and analyze compiled and executable code. \n\nIt can be used to examine the inner workings of software, including malware, and to understand how it functions. IDA disassembles code and, with the Hex-Rays decompiler, turns it into C-like pseudocode that you can read, rename and annotate; this is a reconstruction from the binary, not the original source. This can be useful for identifying vulnerabilities, analyzing malware, and understanding how a program works. \n\nIDA can also be used to generate graphs and charts that visualize the structure and flow of code, which can make it easier to understand and analyze.\n\n**Install:** \n\nDownload IDA from [here](https://hex-rays.com/ida-free/#download).\n\n**Note:** IDA Free is licensed for non-commercial use and handles x86/x64 binaries only, and its decompiler runs in Hex-Rays' cloud rather than on your machine, so do not decompile sensitive or customer binaries with it; use a licensed IDA Pro or an offline decompiler such as Ghidra for those.\n\n**Usage:** \n\n[IDA Practical Cheatsheet](https://github.com/AdamTaguirov/IDA-practical-cheatsheet)\n\n[IDAPython cheatsheet](https://gist.github.com/icecr4ck/7a7af3277787c794c66965517199fc9c)\n\n[IDA Pro Cheatsheet](https://hex-rays.com/products/ida/support/freefiles/IDA_Pro_Shortcuts.pdf)\n\n![image](https://user-images.githubusercontent.com/100603074/210655977-e52a66eb-7698-4769-b002-a9d6f1503b85.png)\n\n*Image used from https://www.newton.com.tw/wiki/IDA%20Pro*\n\n### [🔙](#tool-list)[Ghidra](https://ghidra-sre.org/)\n\nGhidra is a free, open-source software reverse engineering tool developed by the National Security Agency (NSA). It is used to analyze compiled and executable code, including malware. 
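The triage step most blue teamers want from Ghidra on a fresh sample is "which suspicious Windows APIs does this thing import, and from where are they called". The script below is an added example, not code from this page or from the Ghidra project: it walks the program's external (imported) symbols, keeps those whose names start with an entry on a hypothetical watch list (injection, hooking, anti-debugging and crypto APIs), and prints the function each one is called from. On PE files a call usually goes through an IAT slot or a thunk rather than straight to the import, so the script follows one level of indirection before reporting. The script name, the watch list and the project paths in the usage note are assumptions for the example.

```java
// FindSuspiciousImports.java
// Added example, not part of the Ghidra distribution. Lists the call sites of
// imported APIs that are on a (hypothetical) watch list.
// Run it from the Script Manager, or headless:
//   analyzeHeadless /path/to/projects MalwareTriage -import sample.exe \
//       -scriptPath /path/to/ghidra_scripts -postScript FindSuspiciousImports.java
//@category Malware

import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.listing.Function;
import ghidra.program.model.symbol.Reference;
import ghidra.program.model.symbol.ReferenceIterator;
import ghidra.program.model.symbol.Symbol;
import ghidra.program.model.symbol.SymbolIterator;

public class FindSuspiciousImports extends GhidraScript {

    // Watch list is an assumption for the example; extend it for your own cases.
    // Prefix matching so the A/W variants (WinExecA, ShellExecuteW, ...) are caught.
    private static final String[] WATCHLIST = {
        "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
        "NtUnmapViewOfSection", "SetWindowsHookEx", "IsDebuggerPresent",
        "CryptEncrypt", "InternetOpenUrl", "WinExec", "ShellExecute"
    };

    @Override
    public void run() throws Exception {
        int hits = 0;
        SymbolIterator externals = currentProgram.getSymbolTable().getExternalSymbols();
        while (externals.hasNext() && !monitor.isCancelled()) {
            Symbol sym = externals.next();
            String api = sym.getName();
            if (!isWatched(api)) {
                continue;
            }
            hits += reportCallers(api, sym.getAddress(), 0);
        }
        println(hits + " call site(s) of watched imports found");
    }

    private static boolean isWatched(String name) {
        for (String w : WATCHLIST) {
            if (name.startsWith(w)) {
                return true;
            }
        }
        return false;
    }

    // Walk references to `target`. A reference that comes from outside any
    // function (typically the IAT slot) or from a thunk is followed one more
    // level so the real caller is reported instead of the indirection.
    private int reportCallers(String api, Address target, int depth) {
        int count = 0;
        ReferenceIterator refs = currentProgram.getReferenceManager().getReferencesTo(target);
        while (refs.hasNext()) {
            Reference ref = refs.next();
            Address from = ref.getFromAddress();
            Function caller = getFunctionContaining(from);
            if (caller == null) {
                if (depth < 2) {
                    count += reportCallers(api, from, depth + 1);
                }
            } else if (caller.isThunk()) {
                if (depth < 2) {
                    count += reportCallers(api, caller.getEntryPoint(), depth + 1);
                }
            } else {
                println(String.format("%-22s <- %s at %s", api, caller.getName(), from));
                count++;
            }
        }
        return count;
    }
}
```

Run it after auto-analysis has finished, otherwise functions and references may not exist yet and the script will under-report. Imports that are resolved at runtime (GetProcAddress on strings, or hashed API names) will not appear in the external symbol table at all; an empty result therefore means "nothing statically visible", not "clean".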
\n\nGhidra allows users to disassemble code, decompile it into C-like pseudocode, and rename, re-type and annotate the result; as with any decompiler this is a reconstruction, not the original source. This can be useful for identifying vulnerabilities, analyzing malware, and understanding how a program works. \n\nGhidra also includes a range of features and tools that support software reverse engineering (SRE) tasks, such as debugging, code graphing, data visualization, and scripting in Java or Python. Ghidra is written in Java, needs a supported JDK installed (the required version is listed in the installation guide), runs on Windows, macOS, and Linux, and decompiles entirely offline, so it is safe to use on binaries that must not leave your network.\n\n**Install:** \n\n1. Download the latest release from [here](https://github.com/NationalSecurityAgency/ghidra/releases).\n2. Extract the zip\n\nFull installation and error fix information can be found [here](https://ghidra-sre.org/InstallationGuide.html#Install).\n\n**Usage:** \n\n1. Navigate to the unzipped folder\n\n```bash\n# Windows\nghidraRun.bat\n\n# Linux / macOS\n./ghidraRun\n```\n\nIf Ghidra failed to launch, see the [Troubleshooting](https://ghidra-sre.org/InstallationGuide.html#Troubleshooting) link.\n\n![image](https://user-images.githubusercontent.com/100603074/210656000-9b31d5fc-7b95-447e-94ed-94aef602de46.png)\n\n*Image used from https://www.malwaretech.com/2019/03/video-first-look-at-ghidra-nsa-reverse-engineering-tool.html*\n\n\n### [🔙](#tool-list)[decode-vbe](https://github.com/DidierStevens/DidierStevensSuite/blob/master/decode-vbe.py)\n\nScript Encoding was introduced by Microsoft (long ago, with the Windows Script Encoder, screnc.exe) to prevent people from being able to read, understand and alter VBScript files. \n\nEncoded scripts are unreadable but still able to execute, making it a popular mechanism with threat actors looking to hide their malicious code, IOCs, hardcoded C2 domains, etc. whilst still being able to achieve execution. Encoded scripts usually carry a `.vbe` or `.jse` extension, or appear as `\u003cscript language=\"VBScript.Encode\"\u003e` blocks inside HTA and ASP files; the encoding is a fixed substitution with no key, so it is fully reversible.\n\nThe decode-vbe script can be used to convert encoded VBE files back to plaintext for analysis. 
\n\nNice blog about VBE files [here](https://bromiley.medium.com/malware-monday-vbscript-and-vbe-files-292252c1a16).\n\n**Install:** \n\n```bash\ngit clone https://github.com/DidierStevens/DidierStevensSuite/\ncd DidierStevensSuite\n```\n\n**Usage:** \n\n```bash\n# Decode literal string\ndecode-vbe.py \"##@~^DgAAAA==\\ko$K6,JCV^GJqAQAAA==^#~@\"\n\n# Decode hexadecimal (prefix #h#)\ndecode-vbe.py #h#23407E5E4467414141413D3D5C6B6F244B362C4A437F565E474A7141514141413D3D5E237E40\n\n# Decode base64 (prefix #b#)\ndecode-vbe.py #b#I0B+XkRnQUFBQT09XGtvJEs2LEpDf1ZeR0pxQVFBQUE9PV4jfkA=\n```\n\n### [🔙](#tool-list)[pafish](https://github.com/a0rtega/pafish)\n\nPafish is a testing tool that uses different techniques to detect virtual machines and malware analysis environments in the same way that malware families do.\n\nThe project is free and open source; the code of all the anti-analysis techniques is publicly available. Pafish executables for Windows (x86 32-bit and 64-bit) can be downloaded from the [releases page](https://github.com/a0rtega/pafish/releases).\n\n**Install: (Build)** \n\nPafish is written in C and can be built with Mingw-w64 and make.\n\nThe wiki page \"[How to build](https://github.com/a0rtega/pafish/wiki/How-to-build)\" contains detailed instructions.\n\n**Usage:** \n\n```bash\npafish.exe\n```\n![image](https://user-images.githubusercontent.com/100603074/218870623-4c149ec7-2002-42ea-9c24-0d35f562bb8c.png)\n\n*Image used from https://github.com/a0rtega/pafish*\n\n### [🔙](#tool-list)[lookyloo](https://github.com/Lookyloo/lookyloo)\n\nLookyloo is a web interface that captures a webpage and then displays a tree of the domains, that call each other.\n\nUse Lookyloo to map the journey a website page takes - from entering the initial URL address to the various redirects to third-party affiliations. 
\n\n**Install:** \n\n```bash\ngit clone https://github.com/Lookyloo/lookyloo.git\ncd lookyloo\npoetry install\necho LOOKYLOO_HOME=\"'`pwd`'\" \u003e .env\n```\n\nFull installation instructions can be found [here](https://www.lookyloo.eu/docs/main/install-lookyloo.html).\n\n**Usage:** \n\nOnce installed and running, lookyloo can be operated via the web interface hosted locally. Captures are made from the host running Lookyloo, so when you investigate live phishing infrastructure run it from a network that is not attributable to your organisation, or the operator learns that you are looking.\n\n![image](https://user-images.githubusercontent.com/100603074/218870701-24d0b7c1-50d9-4b7d-9b9d-b76c98b4e10f.png)\n\n*Image used from https://www.lookyloo.eu/*\n\n### [🔙](#tool-list)[YARA](https://github.com/virustotal/yara)\n\nYARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. \n\nEach description, a.k.a. rule, consists of a set of strings (text, hex byte patterns or regular expressions) and a boolean condition over them which determines when the rule matches.\n\n**Install:** \n\n```bash\n# Build dependencies (Debian/Ubuntu)\nsudo apt-get install automake libtool make gcc pkg-config\n\n# Either unpack a release tarball (replace 4.2.0 with the current release)...\ntar -zxf yara-4.2.0.tar.gz\ncd yara-4.2.0\n\n# ...or build from the git repository instead:\n# git clone https://github.com/VirusTotal/yara \u0026\u0026 cd yara\n\n./bootstrap.sh\n./configure\nmake\nsudo make install\n```\n\nFull installation instructions can be found [here](https://yara.readthedocs.io/en/stable/gettingstarted.html#compiling-and-installing-yara). Most distributions also package it (`sudo apt-get install yara`), which is fine unless your rules need features from a newer release.\n\n**Usage:** \n\n```bash\n# Apply the rules in /foo/bar/rules (a .yar file) to all files in the current directory\nyara /foo/bar/rules .\n\n# Scan all files in the /foo directory and its subdirectories:\nyara /foo/bar/rules -r /foo\n```\n\nNice YARA cheatsheet [here](https://github.com/mattnotmax/DFIR-notes/blob/master/cheatsheet_yara.md).\n\n![image](https://user-images.githubusercontent.com/100603074/218871209-da726de1-1563-40b4-857c-3234f7415fdb.png)\n\n*Image used from https://virustotal.github.io/yara/*\n\n### [🔙](#tool-list)[Cuckoo Sandbox](https://cuckoosandbox.org/)\n\nCuckoo is an open source automated malware analysis 
system.\n\nIt’s used to automatically run and analyze files and collect comprehensive analysis results that outline what the malware does while running inside an isolated operating system.\n\nIt can retrieve the following type of results:\n\n- Traces of calls performed by all processes spawned by the malware.\n- Files being created, deleted and downloaded by the malware during its execution.\n- Memory dumps of the malware processes.\n- Network traffic trace in PCAP format.\n- Screenshots taken during the execution of the malware.\n- Full memory dumps of the machines.\n\n**Note:** the original Cuckoo 2.x is Python 2 only and has not been maintained for several years; for a new deployment look at the maintained successors [CAPEv2](https://github.com/kevoreilly/CAPEv2) and [Cuckoo3](https://github.com/cert-ee/cuckoo3). Whichever you use, keep the sandbox network segregated from production, since detonated samples will try to reach their C2.\n\n**Install:** \n\nFor installation follow the docs [here](https://cuckoo.readthedocs.io/en/latest/installation/).\n\n**Usage:** \n\nFor usage follow the docs [here](https://cuckoo.readthedocs.io/en/latest/usage/).\n\n### [🔙](#tool-list)[radare2](https://github.com/radareorg/radare2)\n\nRadare2 provides a set of libraries, tools and plugins to ease reverse engineering tasks.\n\nr2 is a featureful low-level command-line tool with support for scripting. r2 can edit files on local hard drives, view kernel memory, and debug programs locally or via a remote gdb server. r2's wide architecture support allows you to analyze, emulate, debug, modify, and disassemble any binary.\n\n**Install:** \n\n```bash\ngit clone https://github.com/radareorg/radare2\nradare2/sys/install.sh\n```\n\n**Usage:** \n\n```bash\n$ r2 /bin/ls   # open the binary in read-only mode\n\u003e aaa          # same as r2 -A, analyse the binary\n\u003e afl          # list all functions (try aflt, aflm)\n\u003e px 32        # print 32 byte hexdump current block\n\u003e s sym.main   # seek to the given offset (by flag name, number, ..)\n\u003e f~foo        # filter flags with ~grep (same as |grep)\n\u003e iS;is        # list sections and symbols (same as rabin2 -Ss)\n\u003e pdf; agf     # print function and show control-flow-graph in ascii-art\n\u003e oo+;w hello  # reopen in rw mode and write a string in the current offset\n\u003e ?*~...       
# interactive filter all command help messages\n\u003e q            # quit\n```\n\nGreat usage book [here](https://book.rada.re/).\n\n![image](https://user-images.githubusercontent.com/100603074/218871325-90800880-ee58-4a61-9372-fa9cb09f6bf3.png)\n\n*Image used from https://github.com/radareorg/radare2*\n\n### [🔙](#tool-list)[dnSpy](https://github.com/dnSpy/dnSpy)\n\ndnSpy is a debugger and .NET assembly editor. You can use it to edit and debug assemblies. Because .NET assemblies decompile to near-source C#, it is often the fastest way into .NET loaders, stealers and RATs.\n\nMain features:\n\n- Debug .NET and Unity assemblies\n- Edit .NET and Unity assemblies\n\n**Note:** the original dnSpy repository has been archived since December 2020; the actively maintained fork is [dnSpyEx](https://github.com/dnSpyEx/dnSpy), which also publishes prebuilt releases so you do not need to build it yourself.\n\n**Install: (Build)** \n\n```powershell\ngit clone --recursive https://github.com/dnSpy/dnSpy.git\ncd dnSpy\n./build.ps1 -NoMsbuild\n```\n\n**Usage:** \n\n```bash\ndnSpy.exe\n```\n\nNice tutorial page [here](https://7d2dsdx.github.io/Tutorials/index.html?StartingdnSpy.html).\n\n![image](https://user-images.githubusercontent.com/100603074/218871411-7eb20cb7-f2e8-4d29-98a9-d5820a138c8e.png)\n\n*Image used from https://7d2dsdx.github.io/Tutorials/index.html?StartingdnSpy.html*\n\n### [🔙](#tool-list)[malware-traffic-analysis.net](https://www.malware-traffic-analysis.net/)\n\nThis is a site with over 2,200 blog entries about malicious network traffic. Almost every post on the site has pcap files or malware samples (or both).\n\nThe site also contains a number of traffic analysis exercises, including technical blog posts outlining techniques being used by threat actors.\n\n**Note:** the archives contain live malware and are password protected for that reason; extract and analyse them only inside an isolated analysis VM.\n\n**Usage:** \n\nVisit [https://www.malware-traffic-analysis.net/](https://www.malware-traffic-analysis.net/).\n\n![image](https://user-images.githubusercontent.com/100603074/218871486-f782e3f1-fcea-4e68-a99b-235146490b84.png)\n\n*Image used from https://www.malware-traffic-analysis.net/*\n\nData Recovery\n====================\n\n*Tools for recovering data from damaged or corrupted systems and devices.*\n\n### [🔙](#tool-list)[Recuva](https://www.ccleaner.com/recuva)\n\nRecuva is a data recovery tool that can be used to recover deleted files from your computer. 
\n\nIt is often used to recover deleted files that may contain valuable information, such as deleted logs or documents that could be used to investigate a security incident. \n\nRecuva can recover files from hard drives, USB drives, and memory cards. It is a Windows-only tool. As with any recovery tool, do not install or run it on the drive you are recovering from, since every write risks overwriting the deleted data; in an investigation, image the drive first and recover from the image.\n\n**Install:** \n\nYou can download the tool from [here](https://www.ccleaner.com/recuva).\n\n**Usage:** \n\nNice step by step [guide](https://toolbox.iskysoft.com/data-recovery-tips/recuva-windows-10.html).\n\n![image](https://user-images.githubusercontent.com/100603074/210668891-58312f55-d4d0-4f77-9cd6-f716bbdb5b44.png)\n\n*Image used from https://www.softpedia.com/blog/recuva-explained-usage-video-and-download-503681.shtml*\n\n### [🔙](#tool-list)[Extundelete](https://extundelete.sourceforge.net/)\n\nExtundelete is a utility that can be used to recover deleted files from an ext3 or ext4 file system. \n\nIt works by reading old copies of inodes from the filesystem journal to find the data blocks that used to belong to a deleted file, and then recreating the file from those blocks (so it only works for files whose inode still appears in the journal). It is often used to recover important files that have been accidentally or maliciously deleted. \n\nUnmount the filesystem (or remount it read-only) as soon as you notice the deletion, take an image of it (for example with `dd` or `dc3dd`), and run extundelete against the image rather than the live device; recovered files are written to a `RECOVERED_FILES` directory in the current working directory.\n\n**Install:** \n\nYou can download the tool from [here](https://sourceforge.net/project/platformdownload.php?group_id=260221). Debian and Ubuntu also package it (`sudo apt-get install extundelete`).\n\n**Usage:** \n\n```bash\n# Prints information about the filesystem from the superblock.\nextundelete /evidence/sdb1.img --superblock\n\n# Attempts to restore the file which was deleted at the given filename (relative to the filesystem root).\nextundelete /evidence/sdb1.img --restore-file path/to/deleted/file\n\n# Restores all recoverable files under their names before deletion where possible;\n# other files are restored to a filename like \"file.NNNN\".\nextundelete /evidence/sdb1.img --restore-all\n```\n\nFull usage information can be found [here](https://extundelete.sourceforge.net/options.html).\n\n![image](https://user-images.githubusercontent.com/100603074/210669234-0d2d4920-7856-4731-b81c-3d7132f752ad.png)\n\n*Image used from https://theevilbit.blogspot.com/2013/01/backtrack-forensics-ext34-file-recovery.html*\n\n### [🔙](#tool-list)[TestDisk](https://www.cgsecurity.org/wiki/TestDisk_Download)\n\nTestDisk is a free and open-source data recovery software tool that is designed to help recover lost partitions and make non-booting disks bootable again. It is useful for both computer forensics and data recovery. \n\nIt can be used to recover data that has been lost due to a variety of reasons, such as accidental deletion, formatting, or corruption of the partition table. \n\nTestDisk can also be used to repair damaged boot sectors, recover deleted partitions, and recover lost files. It supports a wide range of file systems, including FAT, NTFS, and ext2/3/4, and can be used to recover data from disks that are damaged or formatted with a different file system than the one they were originally created with. The same download ships PhotoRec, which carves files by signature regardless of filesystem state and is the fallback when the filesystem metadata is gone.\n\n**Install:** \n\nYou can download the tool from [here](https://www.cgsecurity.org/wiki/TestDisk_Download).\n\n**Usage:** \n\nFull usage examples [here](https://www.cgsecurity.org/wiki/Data_Recovery_Examples).\n\n[Step by step guide](https://www.cgsecurity.org/wiki/TestDisk_Step_By_Step)\n\n[TestDisk Documentation PDF - 60 Pages](https://www.cgsecurity.org/testdisk.pdf)\n\n![image](https://user-images.githubusercontent.com/100603074/210668956-4ed75998-bd6d-48cf-a2e7-dfa75656eece.png)\n\n*Image used from https://www.cgsecurity.org/wiki/*\n\nDigital Forensics\n====================\n\n*Tools for conducting forensic investigations of digital devices and systems, including tools for collecting and analyzing evidence.*\n\n### [🔙](#tool-list)[SANS 
SIFT](https://www.sans.org/tools/sift-workstation/)\n\nSANS SIFT (SANS Investigative Forensic Toolkit) is a powerful toolkit for forensic analysis and incident response. \n\nIt is a collection of free and open source tools that can be used to perform forensic analysis on a wide range of systems, including Windows, Linux, and macOS. The SANS SIFT kit is designed to be run on a forensic workstation, which is a specialized computer that is used to perform forensic analysis on digital evidence.\n\nThe SANS SIFT kit is particularly useful for blue teamers, as it provides a wide range of tools and resources that can be used to investigate incidents, respond to threats, and perform forensic analysis on compromised systems.\n\n**Install:** \n\n1. Visit [https://www.sans.org/tools/sift-workstation/](https://www.sans.org/tools/sift-workstation/).\n\n2. Click the 'Login to Download' button and input (or create) your SANS Portal account credentials to download the virtual machine. \n\n3. Once you have booted the virtual machine, use the credentials below to gain access.\n\n```\nLogin = sansforensics\nPassword = forensics\n```\n\n**Note:** *These are well-known default credentials: change the password and keep the VM off untrusted networks. Use `sudo` to elevate privileges to root while mounting disk images.*\n\nAdditional install options [here](https://www.sans.org/tools/sift-workstation/).\n\n**Usage:** \n\n```bash\n# Registry Parsing - Regripper\nrip.pl -r \u003cHIVEFILE\u003e -f \u003cHIVETYPE\u003e\n\n# Recover deleted registry keys\ndeleted.pl \u003cHIVEFILE\u003e\n\n# Mount E01 Images: expose the raw image, find the partition's start sector, then mount it read-only\newfmount image.E01 mountpoint\nmmls mountpoint/ewf1      # note the start sector of the NTFS partition (START_SECTOR below); sector size is usually 512\nmount -o ro,loop,show_sys_files,streams_interface=windows,offset=$((START_SECTOR*512)) mountpoint/ewf1 /mnt/windows_mount\n\n# Stream Extraction\nbulk_extractor \u003coptions\u003e -o output_dir image.E01\n```\n\nFull usage guide [here](https://www.sans.org/posters/sift-cheat-sheet/).\n\n![image](https://user-images.githubusercontent.com/100603074/210668984-bdec731b-ce80-4c3b-9696-9431dd77f9b0.png)\n\n*Image used from https://securityboulevard.com/2020/08/how-to-install-sift-workstation-and-remnux-on-the-same-system-for-forensics-and-malware-analysis/*\n\n### 
[🔙](#tool-list)[The Sleuth Kit](https://sleuthkit.org/sleuthkit/)\n\nThe Sleuth Kit is a collection of command line tools that can be used to analyze disk images and recover files from them. \n\nIt is primarily used by forensic investigators to examine digital evidence after a computer has been seized or an image of a disk has been made. It can be useful because it can help understand what happened during a security incident and identify any malicious activity. \n\nThe tools in The Sleuth Kit can be used to extract deleted files, analyze disk partition structures, and examine the file system for evidence of tampering or unusual activity.\n\n**Install:** \n\nDownload tool from [here](https://sleuthkit.org/sleuthkit/download.php).\n\n**Usage:** \n\nLink to [documentation](https://sleuthkit.org/sleuthkit/docs.php).\n\n![image](https://user-images.githubusercontent.com/100603074/210669006-6dfab59d-b50e-49db-b390-b9ef27cab6fe.png)\n\n*Image used from http://www.effecthacking.com/2016/09/the-sleuth-kit-digital-forensic-tool.html*\n\n### [🔙](#tool-list)[Autopsy](https://www.autopsy.com/)\n\nAutopsy is a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools.\n\nIt is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can use it to analyze disk images and recover files, as well as to identify system and user activity. \n\nAutopsy is used by \"blue teams\" (the cybersecurity professionals who defend organizations against attacks) to conduct forensic analysis and incident response. 
It can help blue teams understand the nature and scope of an attack, and identify any malicious activity that may have occurred on a computer or network.\n\n**Install:** \n\nDownload the tool from [here](https://www.autopsy.com/download/).\n\n**Usage:** \n\n[Autopsy User Guide](http://sleuthkit.org/autopsy/docs/user-docs/4.19.3//)\n\n[SANS - Introduction to using the AUTOPSY Forensic Browser](https://www.sans.org/blog/a-step-by-step-introduction-to-using-the-autopsy-forensic-browser/)\n\n![image](https://user-images.githubusercontent.com/100603074/210669037-449e7790-85c8-4b8c-97b9-2b46a1ea6e61.png)\n\n*Image used from https://www.kitploit.com/2014/01/autopsy-digital-investigation-analysis.html*\n\nSecurity Awareness Training\n====================\n\n*Tools for training employees and other users on how to recognize and prevent potential security threats.*\n\n### [🔙](#tool-list)[TryHackMe](https://tryhackme.com/dashboard)\n\nTryHackMe is a platform that offers a variety of virtual machines, known as \"rooms,\" which are designed to teach cybersecurity concepts and skills through hands-on learning. \n\nThese rooms are interactive and gamified, allowing users to learn about topics such as web vulnerabilities, network security, and cryptography by solving challenges and completing tasks. 
\n\nThe platform is often used for security awareness training, as it provides a safe and controlled environment for users to practice their skills and learn about different types of cyber threats and how to defend against them.\n\nVisit [https://tryhackme.com/](https://tryhackme.com/) and create an account.\n\n[TryHackMe - Getting Started Guide](https://docs.tryhackme.com/docs/teaching/teaching-getting-started/)\n\n**Useful links:** \n\n[Pre-Security Learning Path](https://tryhackme.com/path-action/presecurity/join)\n\n[Introduction to Cyber Security Learning Path](https://tryhackme.com/path-action/introtocyber/join)\n\nVisit the [hacktivities](https://tryhackme.com/hacktivities) tab for a full list of available rooms and modules.\n\n![image](https://user-images.githubusercontent.com/100603074/210669062-dba079b7-a677-4b7a-ac99-6892ba894ac8.png)\n\n*Image used from https://www.hostingadvice.com/blog/learn-cybersecurity-with-tryhackme/*\n\n### [🔙](#tool-list)[HackTheBox](https://www.hackthebox.com/)\n\nHackTheBox is a platform for practicing and improving your hacking skills. \n\nIt consists of a set of challenges that simulate real-world scenarios and require you to use your knowledge of various hacking techniques to solve them. These challenges are designed to test your knowledge of topics such as network security, cryptography, web security, and more. \n\nHackTheBox is often used by security professionals as a way to practice and improve their skills, and it can also be a useful resource for security awareness training. 
By working through the challenges and learning how to solve them, individuals can gain a better understanding of how to identify and mitigate common security threats.\n\nVisit [https://app.hackthebox.com/login](https://app.hackthebox.com/login) and create an account.\n\n**Useful links:**\n\n[Blog - Introduction to Hack The Box](https://help.hackthebox.com/en/articles/5185158-introduction-to-hack-the-box)\n\n[Blog - Learn to Hack with Hack The Box: The Beginner's Bible](https://www.hackthebox.com/blog/learn-to-hack-beginners-bible)\n\n[Blog - Introduction to Starting Point](https://help.hackthebox.com/en/articles/6007919-introduction-to-starting-point)\n\n![image](https://user-images.githubusercontent.com/100603074/210669087-d00d76d1-300f-48c9-8f7f-4b9b5157626e.png)\n\n*Image used from https://www.hackthebox.com/login*\n\n### [🔙](#tool-list)[CyberDefenders](https://cyberdefenders.org/)\n\nCyberDefenders is a dedicated platform designed for blue team professionals to enhance their cyber security skills.\n\nThe platform provides real-world blue team labs that cover a broad range of disciplines.
Participants are encouraged to apply their knowledge in areas such as incident response, digital forensics, and threat hunting to navigate through these scenarios.\n\nThe goal is to offer a practical learning environment that mirrors the complexities that defenders encounter in Security Operations Centers.\n\nVisit [https://cyberdefenders.org/](https://cyberdefenders.org/) and create an account.\n\n**Useful links:**\n\n[Blue Team Labs](https://cyberdefenders.org/blue-team-labs/)\n\n[Certified CyberDefender Certification](https://cyberdefenders.org/blue-team-training/courses/certified-cyberdefender-certification/)\n\n![image](https://github.com/ahmedkhalidali/BlueTeam-Tools/assets/30199198/fe2ef3c9-d8a9-4a82-91c8-d93487df3afb)\n\n### [🔙](#tool-list)[PhishMe](https://cofense.com/product-services/phishme/)\n\nPhishMe is a company that provides security awareness training to help organizations educate their employees about how to identify and prevent phishing attacks.\n\nPhishMe's training programs aim to teach employees how to recognize and report phishing attempts, as well as how to protect their personal and professional accounts from these types of attacks.
\n\nThe company's training programs can be customized to fit the needs of different organizations and can be delivered through a variety of mediums, including online courses, in-person training, and simulations.\n\nRequest a demo from [here](https://go.cofense.com/live-demo/).\n\n**Useful links:**\n\n[Cofense Blog](https://cofense.com/blog/)\n\n[Cofense Knowledge Center](https://cofense.com/knowledge-center-hub/)\n\n![image](https://user-images.githubusercontent.com/100603074/210669120-1b29007a-f7f6-40f6-922b-9b5b251f6447.png)\n\n*Image used from https://cofense.com/product-services/phishme/*\n\nCommunication and Collaboration\n====================\n\nTools for coordinating and communicating with team members during an incident, including chat, email, and project management software.\n\n### [🔙](#tool-list)[Twitter](https://twitter.com/)\n\nTwitter is a great platform for sharing information about cyber security.\n\nIt is widely used by security professionals, researchers, and experts, giving you access to a constant stream of new information.\n\nSome great accounts to follow:\n\n- [@vxunderground](https://twitter.com/vxunderground)\n- [@Alh4zr3d](https://twitter.com/Alh4zr3d)\n- [@3xp0rtblog](https://twitter.com/3xp0rtblog)\n- [@C5pider](https://twitter.com/C5pider)\n- [@_JohnHammond](https://twitter.com/_JohnHammond)\n- [@mrd0x](https://twitter.com/mrd0x)\n- [@TheHackersNews](https://twitter.com/TheHackersNews)\n- [@pancak3lullz](https://twitter.com/pancak3lullz)\n- [@GossiTheDog](https://twitter.com/GossiTheDog)\n- [@briankrebs](https://twitter.com/briankrebs)\n- [@SwiftOnSecurity](https://twitter.com/SwiftOnSecurity)\n- [@schneierblog](https://twitter.com/schneierblog)\n- [@mikko](https://twitter.com/mikko)\n- [@campuscodi](https://twitter.com/campuscodi)\n\n### [🔙](#tool-list)[Facebook ThreatExchange](https://developers.facebook.com/docs/threat-exchange/getting-started)\n\nFacebook ThreatExchange is a platform for security professionals to 
share and analyze information about cyber threats. \n\nIt was designed to help organizations better defend against threats by allowing them to share threat intelligence with each other in a private and secure way. \n\nIt is intended to be used by \"blue teams\", who are responsible for the security of an organization and work to prevent, detect, and respond to cyber threats.\n\n**Usage:**\n\nTo request access to ThreatExchange, you have to submit an application via [https://developers.facebook.com/products/threat-exchange/](https://developers.facebook.com/products/threat-exchange/).\n\n**Useful links:** \n\n[Welcome to ThreatExchange!](https://developers.facebook.com/docs/threat-exchange/getting-started)\n\n[ThreatExchange UI Overview](https://developers.facebook.com/docs/threat-exchange/ui)\n\n[ThreatExchange API Reference](https://developers.facebook.com/docs/threat-exchange/reference/apis)\n\n[GitHub - ThreatExchange](https://github.com/facebook/ThreatExchange/tree/main/python-threatexchange)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FA-poc%2FBlueTeam-Tools","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FA-poc%2FBlueTeam-Tools","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FA-poc%2FBlueTeam-Tools/lists"}