Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

awesome-incident-response


https://github.com/MCabreraSSE/awesome-incident-response

Last synced: about 22 hours ago
JSON representation

  • IR Tools Collection

    • Adversary Emulation

      • APTSimulator - Windows Batch script that uses a set of tools and output files to make a system look as if it was compromised.
      • Atomic Red Team (ART) - Small and highly portable detection tests mapped to the MITRE ATT&CK Framework.
      • AutoTTP - Automated Tactics Techniques & Procedures. Re-running complex sequences manually for regression tests, product evaluations, generate data for researchers.
      • DumpsterFire - Modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events. Easily create custom event chains for Blue Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations.
      • Metta - Information security preparedness tool to do adversarial simulation.
      • Network Flight Simulator - Lightweight utility used to generate malicious network traffic and help security teams to evaluate security controls and network visibility.
      • Red Team Automation (RTA) - RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK.
      • RedHunt-OS - Virtual machine for adversary emulation and threat hunting.
      • Blue Team Training Toolkit (BT3) - Software for defensive security training, which will bring your network analysis training sessions, incident response drills and red team engagements to a new level.
      • Caldera - Automated adversary emulation system that performs post-compromise adversarial behavior within Windows Enterprise networks. It generates plans during operation using a planning system and a pre-configured adversary model based on the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK™) project.
    • Books

    • All-In-One Tools

      • Doorman - osquery fleet manager that allows remote management of osquery configurations retrieved by nodes. It takes advantage of osquery's TLS configuration, logger, and distributed read/write endpoints, to give administrators visibility across a fleet of devices with minimal overhead and intrusiveness.
      • Falcon Orchestrator - Extendable Windows-based application that provides workflow automation, case management and security response functionality.
      • Fleetdm - State of the art host monitoring platform tailored for security experts. Leveraging Facebook's battle-tested osquery project, Fleetdm delivers continuous updates, features and fast answers to big questions.
      • GRR Rapid Response - Incident response framework focused on remote live forensics. It consists of a python agent (client) that is installed on target systems, and a python server infrastructure that can manage and talk to the agent. Besides the included Python API client, [PowerGRR](https://github.com/swisscom/PowerGRR) provides an API client library in PowerShell working on Windows, Linux and macOS for GRR automation and scripting.
      • IRIS - IRIS is a web collaborative platform for incident response analysts allowing to share investigations at a technical level.
      • Kuiper - Digital Forensics Investigation Platform
      • MozDef - Automates the security incident handling process and facilitate the real-time activities of incident handlers.
      • nightHawk - Application built for asynchronus forensic data presentation using ElasticSearch as the backend. It's designed to ingest Redline collections.
      • Velociraptor - Endpoint visibility and collection tool
      • osquery - Easily ask questions about your Linux and macOS infrastructure using a SQL-like query language; the provided *incident-response pack* helps you detect and respond to breaches.
      • Belkasoft Evidence Center - The toolkit will quickly extract digital evidence from multiple sources by analyzing hard drives, drive images, memory dumps, iOS, Blackberry and Android backups, UFED, JTAG and chip-off dumps.
      • CimSweep - Suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows.
      • CIRTkit - CIRTKit is not just a collection of tools, but also a framework to aid in the ongoing unification of Incident Response and Forensics investigation processes.
      • Flare - A fully customizable, Windows-based security distribution for malware analysis, incident response, penetration testing.
    • Communities

    • Evidence Collection

      • Live Response Collection - Automated tool that collects volatile data from Windows, OSX, and \*nix based operating systems.
    • Incident Management

      • Cyphon - Cyphon eliminates the headaches of incident management by streamlining a multitude of related tasks through a single platform. It receives, processes and triages events to provide an all-encompassing solution for your analytic workflow — aggregating data, bundling and prioritizing alerts, and empowering analysts to investigate and document incidents.
    • Linux Distributions

      • The Appliance for Digital Investigation and Analysis (ADIA) - VMware-based appliance used for digital investigation and acquisition and is built entirely from public domain software. Among the tools contained in ADIA are Autopsy, the Sleuth Kit, the Digital Forensics Framework, log2timeline, Xplico, and Wireshark. Most of the system maintenance uses Webmin. It is designed for small-to-medium sized digital investigations and acquisitions. The appliance runs under Linux, Windows, and Mac OS. Both i386 (32-bit) and x86_64 (64-bit) versions are available.
      • Digital Evidence & Forensics Toolkit (DEFT) - Linux distribution made for computer forensic evidence collection. It comes bundled with the Digital Advanced Response Toolkit (DART) for Windows. A light version of DEFT, called DEFT Zero, is also available, which is focused primarily on forensically sound evidence collection.
      • NST - Network Security Toolkit - Linux distribution that includes a vast collection of best-of-breed open source network security applications useful to the network security professional.
      • PALADIN - Modified Linux distribution to perform various forensics task in a forensically sound manner. It comes with many open source forensics tools included.
    • Log Analysis Tools

      • Event Log Explorer - Tool developed to quickly analyze log files and other data.
      • Event Log Observer - View, analyze and monitor events recorded in Microsoft Windows event logs with this GUI tool.
      • Log Parser Lizard - Execute SQL queries against structured log data: server logs, Windows Events, file system, Active Directory, log4net logs, comma/tab separated text, XML or JSON files. Also provides a GUI to Microsoft LogParser 2.2 with powerful UI elements: syntax editor, data grid, chart, pivot table, dashboard, query manager and more.
    • Memory Analysis Tools

      • Rekall - Open source tool (and library) for the extraction of digital artifacts from volatile memory (RAM) samples.
      • Responder PRO - Responder PRO is the industry standard physical memory and automated malware analysis solution.
      • Rekall - Open source tool (and library) for the extraction of digital artifacts from volatile memory (RAM) samples.
    • OSX Evidence Collection

      • The ESF Playground - A tool to view the events in Apple Endpoint Security Framework (ESF) in real time.
      • OSX Collector - OSX Auditor offshoot for live response.
    • Other Lists

      • Eric Zimmerman Tools - An updated list of forensic tools created by Eric Zimmerman, an instructor for SANS institute.
    • Other Tools

      • Crits - Web-based tool which combines an analytic engine with a cyber threat database.
      • Cortex - Cortex allows you to analyze observables such as IP and email addresses, URLs, domain names, files or hashes one by one or in bulk mode using a Web interface. Analysts can also automate these operations using its REST API.
      • RaQet - Unconventional remote acquisition and triaging tool that allows triage a disk of a remote computer (client) that is restarted with a purposely built forensic operating system.
    • Playbooks

      • Counteractive Playbooks - Counteractive PLaybooks collection.
      • IR Workflow Gallery - Different generic incident response workflows, e.g. for malware outbreak, data theft, unauthorized access,... Every workflow consists of seven steps: prepare, detect, analyze, contain, eradicate, recover, post-incident handling. The workflows are online available or for download.
      • PagerDuty Incident Response Documentation - Documents that describe parts of the PagerDuty Incident Response process. It provides information not only on preparing for an incident, but also what to do during and after. Source is available on [GitHub](https://github.com/PagerDuty/incident-response-docs).
    • Process Dump Tools

      • PMDump - Tool that lets you dump the memory contents of a process to a file without stopping the process.
    • Sandboxing/Reversing Tools

      • Any Run - Interactive online malware analysis service for dynamic and static research of most types of threats using any environment.
      • Cutter - Reverse engineering platform powered by Radare2.
      • Hybrid-Analysis - Free powerful online sandbox by CrowdStrike.
      • Intezer - Intezer Analyze dives into Windows binaries to detect micro-code similarities to known threats, in order to provide accurate yet easy-to-understand results.
      • Joe Sandbox (Community) - Joe Sandbox detects and analyzes potential malicious files and URLs on Windows, Android, Mac OS, Linux, and iOS for suspicious activities; providing comprehensive and detailed analysis reports.
      • AMAaaS - Android Malware Analysis as a Service, executed in a native Android environment.
      • AMAaaS - Android Malware Analysis as a Service, executed in a native Android environment.
    • Videos

    • Windows Evidence Collection

      • DFIR ORC - DFIR ORC is a collection of specialized tools dedicated to reliably parse and collect critical artifacts such as the MFT, registry hives or event logs. DFIR ORC collects data, but does not analyze it: it is not meant to triage machines. It provides a forensically relevant snapshot of machines running Microsoft Windows. The code can be found on [GitHub](https://github.com/DFIR-ORC/dfir-orc).
      • KAPE - Kroll Artifact Parser and Extractor (KAPE) by Eric Zimmerman. A triage tool that finds the most prevalent digital artifacts and then parses them quickly. Great and thorough when time is of the essence.