{"id":13599513,"url":"https://github.com/mthcht/awesome-lists","last_synced_at":"2025-10-10T15:19:53.918Z","repository":{"id":64607916,"uuid":"576895240","full_name":"mthcht/awesome-lists","owner":"mthcht","description":"Awesome Security lists for SOC/CERT/CTI","archived":false,"fork":false,"pushed_at":"2025-10-04T04:18:40.000Z","size":30693458,"stargazers_count":1127,"open_issues_count":17,"forks_count":143,"subscribers_count":29,"default_branch":"main","last_synced_at":"2025-10-04T04:18:43.329Z","etag":null,"topics":["awesome-list","blueteam","blueteam-tools","cti","detection","detection-engineering","dfir","hacktools","incident-response","ioc","iocs","ir","ransomware","redteam","rmm","security","siem","soc","threat-hunting","threat-intelligence"],"latest_commit_sha":null,"homepage":"","language":"YARA","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mthcht.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":"mthcht","patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"lfx_crowdfunding":null,"custom":null}},"created_at":"2022-12-11T10:45:11.000Z","updated_at":"2025-10-04T04:18:33.000Z","dependencies_parsed_at":"2025-09-27T03:32:30.718Z","dependency_job_id":null,"html_url":"https://github.com/mthcht/awesome-lists","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github
/mthcht/awesome-lists","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mthcht%2Fawesome-lists","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mthcht%2Fawesome-lists/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mthcht%2Fawesome-lists/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mthcht%2Fawesome-lists/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mthcht","download_url":"https://codeload.github.com/mthcht/awesome-lists/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mthcht%2Fawesome-lists/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279004577,"owners_count":26083735,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-10T02:00:06.843Z","response_time":62,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["awesome-list","blueteam","blueteam-tools","cti","detection","detection-engineering","dfir","hacktools","incident-response","ioc","iocs","ir","ransomware","redteam","rmm","security","siem","soc","threat-hunting","threat-intelligence"],"created_at":"2024-08-01T17:01:05.579Z","updated_at":"2025-10-10T15:19:48.893Z","avatar_url":"https://github.com/mthcht.png","language":"YARA","readme":"# Security lists for SOC/DFIR detections 
[![Awesome](https://awesome.re/badge.svg)](https://awesome.re)\n![dt](https://github.com/mthcht/awesome-lists/assets/75267080/059432aa-cfe9-46d1-a611-fbb225bce66e)\n\n## Threat Hunting:\n- [ThreatHunting keywords Site](https://mthcht.github.io/ThreatHunting-Keywords/)\n- [ThreatHunting keywords Lists](https://github.com/mthcht/ThreatHunting-Keywords)\n- [ThreatHunting Yara rules](https://github.com/mthcht/ThreatHunting-Keywords-yara-rules)\n\n[ThreatHunting searches](https://github.com/mthcht/Purpleteam/tree/main/Detection/Threat%20Hunting/generic)\n\u003cdetails\u003e\n  \n  - [Windows Services Searches](https://detect.fyi/threat-hunting-suspicious-windows-service-names-2f0dceea204c)\n  - [User-Agents Searches](https://mthcht.medium.com/threat-hunting-suspicious-user-agents-3dd764470bd0)\n  - [DNS Over HTTPS Searches](https://mthcht.medium.com/detecting-dns-over-https-30fddb55ac78)\n  - [Suspicious TLDs Searches](https://mthcht.medium.com/threat-hunting-suspicious-tlds-a742c2adbf58)\n  - [HijackLibs Searches](https://mthcht.medium.com/detect-dll-hijacking-techniques-from-hijacklibs-with-splunk-c760d2e0656f)\n  - [Phishing \u0026 DNSTWIST Searches](https://detect.fyi/detecting-phishing-attempts-with-dnstwist-37c426b3bbb8)\n  - [Browser extensions Searches](https://mthcht.medium.com/detecting-browser-extensions-installations-e0ac2b45c46b)\n  - [C2 hiding in plain sight](https://mthcht.medium.com/c2-hiding-in-plain-sight-7a83963b9344)\n  - [HTML Smuggling artifacts](https://mthcht.medium.com/detecting-html-smuggling-phishing-attempts-15af824e60e4)\n  - [PSEXEC \u0026 similar tools Searches](https://mthcht.medium.com/detecting-psexec-and-similar-tools-c812bf3dca6c)\n  - [Time Slipping detection](https://mthcht.medium.com/event-log-manipulations-1-time-slipping-55bf95631c40)\n\u003c/details\u003e\n\n## My Detection Lists \n- 📋 Lists: https://github.com/mthcht/awesome-lists/tree/main/Lists\n- 🕵️‍♂️ ThreatHunting Guides: 
https://mthcht.medium.com/list/threat-hunting-708624e9266f\n- 🚰 Suspicious Named pipes: [suspicious_named_pipe_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_named_pipe_list.csv)\n- 🌐 Suspicious TLDs (updated automatically): [[suspicious_TLDs]](https://github.com/mthcht/awesome-lists/tree/main/Lists/TLDs)\n- 🌐 Suspicious ASNs (updated automatically): [[suspicious ASNs]](https://github.com/mthcht/awesome-lists/tree/main/Lists/ASNs)\n- 🔧 Suspicious Windows Services: [suspicious_windows_services_names_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_windows_services_names_list.csv)\n- ⏲️ Suspicious Windows Tasks: [suspicious_windows_tasks_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_windows_tasks_list.csv)\n- 🚪 Suspicious destination port: [suspicious_ports_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_ports_list.csv)\n- 🛡️ Suspicious Firewall rules: [suspicious_windows_firewall_rules_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_windows_firewall_rules_list.csv)\n- 🆔 Suspicious User-agent: [suspicious_http_user_agents_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_http_user_agents_list.csv)\n- 📇 Suspicious USB Ids: [suspicious_usb_ids_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_usb_ids_list.csv)\n- 🔢 Suspicious MAC address: [suspicious_mac_address_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_mac_address_list.csv)\n- 📛 Suspicious Hostname: [suspicious_hostnames_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_hostnames_list.csv)\n- 🧮 Metadata Executables: [executables_metadata_informations_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/Windows%20Metadata/executables_metadata_informations_list.csv)\n- 🕸️ DNS over HTTPS server list: 
[dns_over_https_servers_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/dns_over_https_servers_list.csv)\n- 📚 Hijacklibs (updated automatically): [hijacklibs_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/Hijacklibs/hijacklibs_list.csv)\n- 🌐 TOR Nodes Lists (updated automatically): [[TOR]](https://github.com/mthcht/awesome-lists/tree/main/Lists/TOR)\n- 🛠️ LOLDriver List (updated automatically): [loldrivers_only_hashes_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/Drivers/loldrivers_only_hashes_list.csv)\n- 🛠️ Malicious Bootloader List (updated automatically): [malicious_bootloaders_only_hashes_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/Drivers/malicious_bootloaders_only_hashes_list.csv)\n- 📜 Malicious SSL Certificates List (updated automatically): [ssl_certificates_malicious_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/SSL%20CERTS/ssl_certificates_malicious_list.csv)\n- 🖥️ RMM detection: [[RMM]](https://github.com/mthcht/awesome-lists/tree/main/Lists/RMM)\n- 👤🔑 Important Roles and groups for AD/EntraID/AWS: [[permissions]](https://github.com/mthcht/awesome-lists/tree/main/Lists/permissions)\n- 💻🔒 Ransomware known file extensions: [ransomware_extensions_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/ransomware_extensions_list.csv)\n- 💻🔒 Ransomware known file name ransom notes: [ransomware_notes_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/ransomware_notes_list.csv)\n- 📝 Windows ASR rules: [windows_asr_rules.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/windows_asr_rules.csv)\n- 🌐 DNSTWIST Lists (updated automatically): [DNSTWIST Default Domains + script](https://github.com/mthcht/awesome-lists/tree/main/Lists/DNSTWIST)\n- 🌍 VPN IP address Lists (updated automatically): \n  - 🛡️ NordVPN: [nordvpn_ips_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/VPN/NordVPN/nordvpn_ips_list.csv)\n  - 🛡️ 
ProtonVPN: [protonvpn_ip_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/VPN/ProtonVPN/protonvpn_ip_list.csv)\n- 🏢 Companies IP Range Lists (updated automatically): [Default Lists + script](https://github.com/mthcht/awesome-lists/tree/main/Lists/Ranges_IP_Address_Company_List/bgp.he.net) / [Microsoft](https://github.com/mthcht/awesome-lists/tree/main/Lists/Ranges_IP_Address_Company_List/Microsoft)\n- 📍 GeoIP services Lists: [ip_location_sites_list.csv](https://github.com/mthcht/awesome-lists/blob/main/Lists/GeoIP/ip_location_sites_list.csv)\n- 🧬 Yara rules: [Threat Hunting yara rules](https://github.com/mthcht/ThreatHunting-Keywords-yara-rules)\n- 🧬 Offensive Tools detection patterns: [offensive_tool_keyword.csv](https://raw.githubusercontent.com/mthcht/ThreatHunting-Keywords/main/offensive_tool_keyword.csv)\n- 🧬 Greyware Tools detection patterns: [greyware_tool_keyword.csv](https://raw.githubusercontent.com/mthcht/ThreatHunting-Keywords/main/greyware_tool_keyword.csv)\n- 🧬 AV signatures keywords: [signature_keyword.csv](https://github.com/mthcht/ThreatHunting-Keywords/blob/main/signature_keyword.csv)\n- 🧬 Microsoft Defender AV signatures lists: [[Defender]](https://github.com/mthcht/awesome-lists/tree/main/Lists/AV%20signatures/Defender)  \n- 🔗 Other correlation Lists: [[Others]](https://github.com/mthcht/awesome-lists/tree/main/Lists/Others)\n- 📋 Lists I need to finish: [[todo]](https://github.com/mthcht/awesome-lists/tree/main/todo)\n\nI regularly update most of these lists after each tool I analyze in my [detection keywords](https://github.com/mthcht/ThreatHunting-Keywords) project.\n\n## Other Lists\n\n### IOC Feeds/Blacklists:\n\n\u003cdetails\u003e \n\n- [ABUSE.CH BLACKLISTS](https://sslbl.abuse.ch/blacklist/)\n- [Block Lists](https://github.com/blocklistproject/Lists)\n- [DNS Block List](https://github.com/hagezi/dns-blocklists)\n- [Phishing Block List](https://github.com/jarelllama/Scam-Blocklist)\n- 
[C2IntelFeeds](https://github.com/drb-ra/C2IntelFeeds)\n- [Volexity TI](https://github.com/volexity/threat-intel)\n- [Open Source TI](https://github.com/Bert-JanP/Open-Source-Threat-Intel-Feeds)\n- [C2 Tracker](https://github.com/montysecurity/C2-Tracker)\n- [Unit42 IOC](https://github.com/mthcht/iocs)\n- [Sekoia IOC](https://github.com/SEKOIA-IO/Community/tree/main/IOCs)\n- [Unit42 Timely IOC](https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel)\n- [Unit42 Articles IOC](https://github.com/PaloAltoNetworks/Unit42-Threat-Intelligence-Article-Information)\n- [ThreatFox IOC](https://threatfox.abuse.ch/export/)\n- [Zscaler ThreatLabz IOC](https://github.com/threatlabz/iocs)\n- [Zscaler ThreatLabz Ransomware notes](https://github.com/ThreatLabz/ransomware_notes)\n- [experiant.ca](https://fsrm.experiant.ca/api/v1/get)\n- [SophosLabs IOC](https://github.com/sophoslabs/IoCs)\n- [ESET Research IOC](https://github.com/eset/malware-ioc)\n- [ExecuteMalware IOC](https://github.com/executemalware/Malware-IOCs)\n- [Cisco Talos IOC](https://github.com/Cisco-Talos/IOCs)\n- [Elastic Lab IOC](https://github.com/elastic/labs-releases/tree/main/indicators)\n- [Blackorbird APT Report IOC](https://github.com/blackorbird/APT_REPORT)\n- [AVAST IOC](https://github.com/avast/ioc)\n- [DoctorWeb IOC](https://github.com/DoctorWebLtd/malware-iocs)\n- [Black Lotus Labs IOC](https://github.com/blacklotuslabs/IOCs)\n- [prodaft IOC](https://github.com/prodaft/malware-ioc)\n- [Pr0xylife DarkGate IOC](https://github.com/pr0xylife/DarkGate)\n- [Pr0xylife Latrodectus IOC](https://github.com/pr0xylife/Latrodectus)\n- [Pr0xylife WikiLoader IOC](https://github.com/pr0xylife/WikiLoader)\n- [Pr0xylife SSLoad IOC](https://github.com/pr0xylife/SSLoad)\n- [Pr0xylife Pikabot IOC](https://github.com/pr0xylife/Pikabot)\n- [Pr0xylife Matanbuchus IOC](https://github.com/pr0xylife/Matanbuchus)\n- [Pr0xylife QakBot IOC](https://github.com/pr0xylife/Qakbot)\n- [Pr0xylife IcedID 
IOC](https://github.com/pr0xylife/IcedID)\n- [Pr0xylife Emotet IOC](https://github.com/pr0xylife/Emotet)\n- [Pr0xylife BumbleBee IOC](https://github.com/pr0xylife/Bumblebee)\n- [Pr0xylife Gozi IOC](https://github.com/pr0xylife/Gozi)\n- [Pr0xylife NanoCore IOC](https://github.com/pr0xylife/Nanocore)\n- [Pr0xylife NetWire IOC](https://github.com/pr0xylife/Netwire)\n- [Pr0xylife AsyncRAT IOC](https://github.com/pr0xylife/AsyncRAT)\n- [Pr0xylife Lokibot IOC](https://github.com/pr0xylife/Lokibot)\n- [Pr0xylife RemcosRAT IOC](https://github.com/pr0xylife/RemcosRAT)\n- [Pr0xylife nworm IOC](https://github.com/pr0xylife/nworm)\n- [Pr0xylife AZORult IOC](https://github.com/pr0xylife/AZORult)\n- [Pr0xylife NetSupportRAT IOC](https://github.com/pr0xylife/NetSupportRAT)\n- [Pr0xylife BitRAT IOC](https://github.com/pr0xylife/BitRAT)\n- [Pr0xylife BazarLoader IOC](https://github.com/pr0xylife/BazarLoader)\n- [Pr0xylife SnakeKeylogger IOC](https://github.com/pr0xylife/SnakeKeylogger)\n- [Pr0xylife njRat IOC](https://github.com/pr0xylife/njRat)\n- [Pr0xylife Vidar IOC](https://github.com/pr0xylife/Vidar)\n- [Spamhaus drop.txt](https://www.spamhaus.org/drop/drop.txt)\n- [vx-underground (samples and intelligence reports)](https://vx-underground.org/Samples)\n\n\u003c/details\u003e \n\n### GitHub\n\n\u003cdetails\u003e\n\nMore GitHub lists: https://github.com/mthcht?tab=stars\u0026user_lists_direction=asc\u0026user_lists_sort=name\n\n\u003c/details\u003e\n\n### SIEM/SOC related:\n\u003cdetails\u003e\n  \n- [EDR Telemetry](https://github.com/tsale/EDR-Telemetry)\n- [PurpleTeam Scripts](https://github.com/mthcht/Purpleteam)\n- [Awesome-SOC](https://github.com/cyb3rxp/awesome-soc)\n- [Threat-Hunting with Splunk](https://github.com/mthcht/ThreatHunting-Keywords)\n  \n\u003c/details\u003e \n\n### Investigation\n\n#### TI\n\n\u003cdetails\u003e\n  \n  - [VirusTotal](https://www.virustotal.com/#/home/search)\n  - [Spamhaus](https://check.spamhaus.org/)\n  - 
[AbuseIPDB](https://www.abuseipdb.com/)\n  - [MalwareBazaar](https://bazaar.abuse.ch/)\n  - [emailrep](https://emailrep.io/)\n  - [Cloudflare Radar URL scanner](https://radar.cloudflare.com/scan)\n  - [shodan](https://www.shodan.io/)\n  - [Onyphe](https://www.onyphe.io/)\n  - [Censys](https://search.censys.io/)\n  - [cybergordon (reputation check)](https://cybergordon.com/)\n  - [threatminer](https://www.threatminer.org/)\n  - [urlscan](https://urlscan.io/)\n  - [Apptotal (apps and extensions analysis)](https://apptotal.io/)\n  - [urlquery](http://urlquery.net/)\n  - [Cloudflare Radar](https://radar.cloudflare.com/)\n  - [urlvoid](https://www.urlvoid.com)\n  - [urldna.io](https://urldna.io/)\n  - [checkphish](https://checkphish.bolster.ai/)\n  - [ipvoid](https://www.ipvoid.com/)\n  - [mxtoolbox](https://mxtoolbox.com/NetworkTools.aspx)\n  - [Microsoft TI](https://ti.defender.microsoft.com/)\n  - [pulsedive](https://pulsedive.com/)\n  - [threatbook](https://threatbook.io/)\n  - [McAfee Threat Intelligence Exchange](https://www.mcafee.com/enterprise/en-us/products/threat-intelligence-exchange.html)\n  - [Kaspersky Security Network](https://www.kaspersky.com/security-network)\n  - [Microsoft Security Intelligence Report](https://www.microsoft.com/en-us/wdsi/intelligence-report)\n  - [IBM X-Force Exchange](https://exchange.xforce.ibmcloud.com/) \n  - [AlienVault OTX](https://otx.alienvault.com/)\n  - [greynoise](https://viz.greynoise.io/)\n  - [whoxy](https://www.whoxy.com/reverse-whois/)\n\n\u003c/details\u003e\n\n#### More TI\n\n\u003cdetails\u003e\n  \n  - [echotrail](https://www.echotrail.io/)\n  - [Malware-Traffic-Analysis (PCAP files)](https://malware-traffic-analysis.net/)\n  - [redhuntlabs](https://redhuntlabs.com/online-ide-search)\n  - [whois domaintools](https://whois.domaintools.com/)\n  - [ASN check bgp.he](https://bgp.he.net/)\n  - [viewdns](http://viewdns.info/)\n  - [OUI MAC address lookup](https://www.wireshark.org/tools/oui-lookup.html)\n  - 
[xcyclopedia](https://strontic.github.io/xcyclopedia/)\n  - [abuse.ch](https://abuse.ch/#platforms)\n  - [malware-traffic-analysis](https://www.malware-traffic-analysis.net/index.html)\n  - [waybackmachine](http://web.archive.org/)\n  - [dnshistory](https://dnshistory.org/)\n  - [asnlookup](https://asnlookup.com/)\n  - [fofa.info](https://fofa.info/)\n  - [SecurityTrails](https://securitytrails.com/)\n  - [ZoomEye](https://www.zoomeye.hk/)\n\u003c/details\u003e\n\n\n#### Sandbox\n\n\u003cdetails\u003e\n  \n- [ANY.RUN sandbox](https://any.run/)\n- [triage](https://tria.ge/s)\n- [capesandbox](https://www.capesandbox.com/)\n- [joesandbox](https://www.joesandbox.com/analysispaged/0)\n- [filescan.io](https://www.filescan.io/)\n- [Hybrid Analysis sandbox](https://www.hybrid-analysis.com/)\n- [virustotal](https://www.virustotal.com)\n- [threat zone](https://app.threat.zone/scan)\n- [vmray](https://www.vmray.com/)\n\u003c/details\u003e\n\n\n### Data manipulation\n\n\u003cdetails\u003e\n  \n- [jsoncrack](https://jsoncrack.com/editor)\n- [JS deobfuscator](https://lelinhtinh.github.io/de4js/)\n- [CyberChef (cyberchef.org)](https://cyberchef.org/)\n- [PCAP online analyzer](https://apackets.com/)\n- [Hash calculator](https://md5calc.com/hash)\n- [regex101](https://regex101.com/)\n- [CyberChef (gchq.github.io)](https://gchq.github.io/CyberChef/)\n- [JavaScript Deobfuscator](https://deobfuscate.relative.im/)\n- [JSONViewer](https://jsonviewer.stack.hu/)\n- [TextMechanic](https://textmechanic.com/)\n- [UrlEncode.org](https://www.urlencoder.org/)\n- [TextFixer](https://www.textfixer.com/)\n- [RegExr](https://regexr.com/)\n- [TextUtils](https://textutils.com/)\n- [TextCompactor](https://textcompactor.com/)\n- [Pretty Diff](https://prettydiff.com/)\n- [XML Tree](http://www.xmltree.com/)\n- [Online XML Formatter and Beautifier](https://www.freeformatter.com/xml-formatter.html)\n- [XML Escape Tool](https://www.freeformatter.com/xml-escape.html)\n- [DiffChecker](https://www.diffchecker.com/)\n- [CSVJSON](https://www.csvjson.com/)\n- 
[HTML Formatter](https://htmlformatter.com/)\n- [Text Tool](https://texttools.netlify.app/)\n- [String Manipulation Tool](https://string-functions.com/)\n- [unshorten it](https://www.unshorten.it)\n- [urlunscrambler](https://www.urlunscrambler.com/)\n- [longurl](https://www.longurl.org/)\n- [Message Header Analyzer (Microsoft)](https://mha.azurewebsites.net/pages/mha.html)\n- [MXToolbox EmailHeaders](https://mxtoolbox.com/EmailHeaders.aspx)\n- [Email Header Analyzer](https://emailheaders.verification-check.com/)\n- [Email Header Analysis](https://www.email-format.com/header-analysis/)\n- [Excel table to Markdown table](https://thisdavej.com/copy-table-in-excel-and-paste-as-a-markdown-table/)\n- [OpenAI Playground](https://openai.com/playground)\n- [uncoder](https://uncoder.io/)\n- [DeHashed](https://dehashed.com/)\n\n\u003c/details\u003e\n\n\n### Detection Resources\n\n\u003cdetails\u003e\n  \n- [MITRE techniques](https://attack.mitre.org/techniques/enterprise/)\n- [MITRE Updates](https://attack.mitre.org/resources/updates/)\n- [MITRE D3fend](https://d3fend.mitre.org/)\n- [MITRE Navigator](https://mitre-attack.github.io/attack-navigator/)\n- [MITRE Data Sources](https://attack.mitre.org/datasources/)\n- [GTFOBins](https://github.com/mthcht/GTFOBins.github.io)\n- [LOLBAS](https://github.com/mthcht/LOLBAS)\n- [LOTS](https://lots-project.com/)\n- [loldrivers](https://www.loldrivers.io/)\n- [WTFBins](https://wtfbins.wtf/)\n- [Sigma](https://github.com/mthcht/sigma/tree/master/rules)\n- [Splunk Rules](https://research.splunk.com/detections/)\n- [Elastic Rules](https://github.com/elastic/detection-rules)\n- [DFIR-Report Sigma-Rules](https://github.com/The-DFIR-Report/Sigma-Rules)\n- [JoeSecurity Sigma-Rules](https://github.com/joesecurity/sigma-rules/tree/master/rules)\n- [mdecrevoisier Sigma-Rules](https://github.com/mdecrevoisier/SIGMA-detection-rules)\n- [P4T12ICK Sigma-Rules](https://github.com/P4T12ICK/Sigma-Rule-Repository)\n- [tsale Sigma-Rules](https://github.com/tsale/Sigma_rules)\n- [list of 
detections resources](https://github.com/jatrost/awesome-detection-rules)\n- [detection engineering resources](https://github.com/infosecB/awesome-detection-engineering)\n- [awesome-threat-detection](https://github.com/0x4D31/awesome-threat-detection)\n\u003c/details\u003e\n\n\n### DFIR\n\n\u003cdetails\u003e\n\n  - [EricZimmerman Tools](https://ericzimmerman.github.io/#!index.md)\n  - [dfir-orc](https://github.com/dfir-orc)\n  - [dfir-orc-config](https://github.com/DFIR-ORC/dfir-orc-config)\n  - [Splunk4DFIR](https://github.com/mf1d3l/Splunk4DFIR)\n  - [dfiq](https://github.com/google/dfiq)\n  - [PSBits](https://github.com/gtworek/PSBits)\n  - [ThreatHunting-Keywords YARA rules](https://github.com/mthcht/ThreatHunting-Keywords-yara-rules) + [ThreatHunting-Keywords lists](https://github.com/mthcht/ThreatHunting-Keywords)\n  - [Hayabusa](https://github.com/Yamato-Security/hayabusa)\n  - [chainsaw](https://github.com/WithSecureLabs/chainsaw)\n  - [regripper](https://github.com/warewolf/regripper)\n  - [RdpCacheStitcher](https://github.com/BSI-Bund/RdpCacheStitcher)\n  - [ripgrep](https://github.com/BurntSushi/ripgrep)\n  - [KAPE](https://www.kroll.com/en/insights/publications/cyber/kroll-artifact-parser-extractor-kape)\n  - [KAPE Files](https://github.com/EricZimmerman/KapeFiles)\n  - [More KAPE resources](https://github.com/AndrewRathbun/Awesome-KAPE)\n  - [VolatileDataCollector](https://github.com/gtworek/VolatileDataCollector)\n  - [Velociraptor](https://github.com/Velocidex/velociraptor)\n  - [MemDump](https://nircmd.nirsoft.net/memdump.html)\n  - [MemProcFS](https://github.com/ufrisk/MemProcFS)\n  - [avml](https://github.com/microsoft/avml)\n  - [LiME](https://github.com/504ensicsLabs/LiME)\n  - [WinPmem](https://github.com/Velocidex/WinPmem)\n  - [Volatility 3](https://github.com/volatilityfoundation/volatility3/)\n  - [Windows artifacts](https://github.com/Psmths/windows-forensic-artifacts)\n  - [UAC (Unix-like Artifacts Collector)](https://github.com/tclahr/uac)\n\n\u003c/details\u003e\n\n### Security News\n\n\u003cdetails\u003e\n  \n- 
[Twitter](https://twitter.com/home)\n- [CERT-FR](https://www.cert.ssi.gouv.fr/)\n- [CERT-FR Alerts](https://www.cert.ssi.gouv.fr/alerte/)\n- [CERT-FR Advisories (avis)](https://www.cert.ssi.gouv.fr/avis/)\n- [NIST NVD CVE search](https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=false\u0026results_type=overview\u0026form_type=Basic\u0026search_type=all\u0026startIndex=0)\n- [JPCERT](https://www.jpcert.or.jp/english/)\n- [CISA news](https://www.cisa.gov/news-events/news)\n- [thedfirreport Feed](https://thedfirreport.com/feed/)\n- [Splunk Research Blog](https://www.splunk.com/en_us/blog/author/secmrkt-research.html)\n- [Unit42 Feed](http://feeds.feedburner.com/Unit42)\n- [DFIR weekly summary - thisweekin4n6](https://thisweekin4n6.wordpress.com/feed/)\n- [Google Threat Intelligence](https://cloud.google.com/blog/topics/threat-intelligence)\n- [Sekoia Blog](https://blog.sekoia.io/)\n- [Akamai Feed](http://blogs.akamai.com/atom.xml)\n- [Elastic Security Labs](https://www.elastic.co/security-labs)\n- [Check Point Research Feed](https://research.checkpoint.com/feed)\n- [Cisco Talos Feed](http://vrt-sourcefire.blogspot.com/feeds/posts/default)\n- [CrowdStrike Feed](http://blog.crowdstrike.com/feed)\n- [Hexacorn Blog](http://www.hexacorn.com/blog/feed/)\n- [Simone Kraus Blog](https://medium.com/@simone.kraus)\n- [Michael Haag Blog](https://haggis-m.medium.com/)\n- [Erica Zelic Blog](https://ericazelic.medium.com/)\n- [Adam Chester Blog Feed](https://blog.xpnsec.com/rss.xml)\n- [Mauricio Velazco Blog](https://medium.com/@mvelazco)\n- [Clément Notin Feed](https://clement.notin.org/feed.xml)\n- [Tenable Blog](https://medium.com/tenable-techblog)\n- [Horizon3 Feed](https://www.horizon3.ai/feed/)\n- [Incident reports Feed](https://fetchrss.com/rss/65b0eb775582bd1c19083c4365b0fdb664898a0daa63bef4.xml)\n- [NCC Group Research Feed](https://research.nccgroup.com/feed/)\n- [SpecterOps Feed](https://posts.specterops.io/feed)\n- [Red Canary Feed](https://www.redcanary.co/feed/)\n- [Sophos Research 
Feed](https://news.sophos.com/en-us/category/threat-research/feed/)\n- [Virus Bulletin](https://www.virusbulletin.com/virusbulletin/)\n- [Offensive Research - DSAS by INJECT](https://blog.injectexp.dev/)\n- [The Hacker News Feed](https://feeds.feedburner.com/TheHackersNews)\n- [BleepingComputer Feed](https://www.bleepingcomputer.com/feed/)\n- [detect.fyi](https://detect.fyi/)\n\u003c/details\u003e\n\n### Training\n\n\u003cdetails\u003e\n\n#### DFIR\n\n  \u003cdetails\u003e\n  \n  - @inversecos - APT Emulation Labs: [xintra](https://www.xintra.org/labs)\n  - 13cubed - Investigating Windows Endpoints: [13cubed.com](https://training.13cubed.com/investigating-windows-endpoints)\n  - @0gtweet - Forensic course: [Mastering Windows Forensics](https://grzegorz-tworek-s-school.teachable.com/)\n  - SANS: [SANS FOR508](https://www.sans.org/cyber-security-courses/advanced-incident-response-threat-hunting-training/)\n  - Defensive-security: [Linux-live-forensics](https://edu.defensive-security.com/linux-attack-live-forensics-at-scale)\n  - @TheDFIRReport: labs with logs from the published reports [dfir-labs](https://the-dfir-report-store.myshopify.com/collections/dfir-labs)\n  - @DebugPrivilege: free forensic debugging course [InsightEngineering](https://github.com/DebugPrivilege/InsightEngineering)\n  - @ACEresponder: courses with detailed explanations and labs [aceresponder.com](https://www.aceresponder.com/challenges)\n  - @binaryz0ne: DFIR challenges with [Datasets](https://www.ashemery.com/dfir.html) \n  \u003c/details\u003e\n\n#### SOC\n\n   \u003cdetails\u003e\n   \n - tryhackme - [SOC lvl1](https://tryhackme.com/path/outline/soclevel1)\n - letsdefend.io @chrissanders88 - [letsdefend.io](https://www.letsdefend.io/)\n - SANS: [SANS SEC555](https://www.sans.org/cyber-security-courses/siem-with-tactical-analytics/)\n - Splunk Boss Of The SOC - [BOTS](https://bots.splunk.com/)\n   - BOTS [dataset v1](https://github.com/splunk/botsv1)   \n   - BOTS [dataset 
v2](https://github.com/splunk/botsv2)   \n   - BOTS [dataset v3](https://github.com/splunk/botsv3)\n   \n   \u003c/details\u003e\n\n \u003c/details\u003e\n\n\n### Others\n\n\u003cdetails\u003e\n  \n- [Crontab check](https://crontab.guru/every-2-minutes)\n- [Subnet Calculator](https://mxtoolbox.com/subnetcalculator.aspx)\n- [chmod calculator](https://chmod-calculator.com/)\n- [Epoch time converter](https://www.epochconverter.com/)\n- [cyberchef](https://cyberchef.org/)\n\n\u003c/details\u003e\n\n","funding_links":["https://github.com/sponsors/mthcht"],"categories":["Related Awesome Lists","GLSL","Other Lists"],"sub_categories":["✨  Other","TeX Lists"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmthcht%2Fawesome-lists","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmthcht%2Fawesome-lists","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmthcht%2Fawesome-lists/lists"}
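The README's "My Detection Lists" section publishes its indicators (named pipes, service names, user agents, TLDs, ...) as CSV files meant to be correlated against SOC telemetry. Below is an appended worked example of that correlation step, matching a named-pipe list against Sysmon pipe events. It is not code from the awesome-lists repository and not part of the metadata record above. The column names (`named_pipe`, `metadata_tool`, `metadata_comment`), the use of `*` wildcards, the sample rows and the sample events are all constructed assumptions for illustration; check the header of the real `suspicious_named_pipe_list.csv` before pointing this loader at it. The one practical point it shows is normalization: a list may carry the full `\\.\pipe\` prefix while Sysmon Event ID 17/18 reports `PipeName` as `\NAME`, so both sides must be brought into one form before comparing.

```python
"""Correlate a mthcht-style detection list CSV against Sysmon pipe events.

Added example; not code from mthcht/awesome-lists. The CSV schema and the
wildcard convention are ASSUMPTIONS, and every row and event is constructed.
"""
import csv
import fnmatch
import io
import re

# Constructed list in the assumed schema: one glob per row, with the
# \\.\pipe\ prefix written out as the list author might have done.
SAMPLE_PIPE_LIST = r"""named_pipe,metadata_tool,metadata_comment
\\.\pipe\psexesvc*,psexec,default PsExec service pipe
\\.\pipe\paexec*,paexec,PAExec service pipe
\\.\pipe\msagent_*,cobaltstrike,default SMB beacon pipe name
\\.\pipe\postex_*,cobaltstrike,post-exploitation job pipe name
"""

# Constructed Sysmon events flattened to key=value (17 = pipe created,
# 18 = pipe connected). Sysmon reports PipeName as \NAME, without the prefix;
# the last event deliberately carries the full prefix to exercise normalization.
SAMPLE_EVENTS = [
    "EventID=17 Image=C:\\Windows\\PSEXESVC.exe PipeName=\\PSEXESVC",
    "EventID=17 Image=C:\\Windows\\System32\\svchost.exe PipeName=\\lsass",
    "EventID=18 Image=C:\\Windows\\System32\\rundll32.exe PipeName=\\msagent_4f21",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe",
    "EventID=17 Image=C:\\Users\\bob\\AppData\\Local\\Temp\\x.exe PipeName=\\\\.\\pipe\\postex_1a2b",
]

PIPE_PREFIX = "\\\\.\\pipe\\"  # the literal \\.\pipe\ prefix
EVENT_FIELD = re.compile(r"(\w+)=(\S+)")


def normalize_pipe(name: str) -> str:
    """Lower-case and strip \\.\pipe\ or a bare leading backslash so list
    patterns and Sysmon PipeName values compare in one canonical form."""
    n = name.strip().lower()
    if n.startswith(PIPE_PREFIX):
        n = n[len(PIPE_PREFIX):]
    return n.lstrip("\\")


def load_list(csv_text: str) -> list[dict]:
    """Parse the list CSV into normalized glob entries (schema assumed)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [
        {
            "pattern": normalize_pipe(r["named_pipe"]),
            "tool": r["metadata_tool"],
            "comment": r["metadata_comment"],
        }
        for r in rows
    ]


def match_pipe(pipe_name: str, entries: list[dict]) -> list[dict]:
    """Return every list entry whose glob matches the normalized pipe name."""
    n = normalize_pipe(pipe_name)
    return [e for e in entries if fnmatch.fnmatchcase(n, e["pattern"])]


def parse_event(line: str) -> dict:
    """Split a key=value event line into a dict (values contain no spaces)."""
    return dict(EVENT_FIELD.findall(line))


def scan_events(lines: list[str], entries: list[dict]) -> list[dict]:
    """Run the list over pipe events only; one hit per (event, entry) pair."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") not in ("17", "18") or "PipeName" not in ev:
            continue
        for e in match_pipe(ev["PipeName"], entries):
            hits.append({
                "event_id": ev["EventID"],
                "pipe": ev["PipeName"],
                "image": ev.get("Image", ""),
                "tool": e["tool"],
                "comment": e["comment"],
            })
    return hits


if __name__ == "__main__":
    for h in scan_events(SAMPLE_EVENTS, load_list(SAMPLE_PIPE_LIST)):
        print(f"[{h['tool']}] {h['pipe']} from {h['image']} ({h['comment']})")
```

With the constructed data, the PsExec pipe, the `msagent_` connection and the prefixed `postex_` pipe each produce one hit; `\lsass` matches nothing and the Event ID 1 line is skipped. Wildcard entries such as `msagent_*` are deliberately broad, so treat hits from such lists as hunting leads to be joined with the `Image` and parent-process context rather than as alerts on their own.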