Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/jipegit/dfir-ioc-ut
DFIR IoC Unit Testing
https://github.com/jipegit/dfir-ioc-ut
cybersecurity dfir ioc threat-hunting threat-sharing unit-testing
Last synced: about 1 month ago
JSON representation
DFIR IoC Unit Testing
- Host: GitHub
- URL: https://github.com/jipegit/dfir-ioc-ut
- Owner: jipegit
- License: apache-2.0
- Created: 2019-11-01T08:46:23.000Z (about 5 years ago)
- Default Branch: master
- Last Pushed: 2020-07-27T09:33:01.000Z (over 4 years ago)
- Last Synced: 2024-08-05T17:35:55.331Z (4 months ago)
- Topics: cybersecurity, dfir, ioc, threat-hunting, threat-sharing, unit-testing
- Language: Python
- Homepage:
- Size: 186 KB
- Stars: 6
- Watchers: 3
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - jipegit/dfir-ioc-ut - DFIR IoC Unit Testing (Python)
README
# DFIR IOC Unit testing
DFIR-IOC-ut provides an easy way to customize a (virtual) machine with common *system* artifacts to test Indicators Of Compromise.
It may help your team with different use cases:
* IOC validation
* Threat Hunting simulation
* Security product (AV/EDR) testing| | Windows | Linux | macOS |
|---|---------|--------|-------|
| File | X | X | X |
| Directory | X | X | X |
| Registry Key | X | | |
| Service | X | | |
| Scheduled task | X | | |
| Mutex | X | | |
| Semaphore | X | | |# Output
![Screenshot](https://github.com/jipegit/dfir-ioc-ut/blob/master/resources/dfir_ioc_ut_run.png)
# Supported types
You can create the following artifacts depending on the platform of your target (virtual) machine:
* unix_directory
```
- type: unix_directory
directory: /tmp/malwaredir
```
* win_directory
```
- type: win_directory
directory: c:\malicious\path
```
* unix_filepath
```
- type: unix_filepath
file_path: /tmp/malpath/malware
```
* win_filepath
```
- type: win_filepath
file_path: C:\Windows\toto\malware.exe
```
* type: win_mutex
```
- type: win_mutex
mutex_name: malware_mutex
```
* type: win_semaphore
```
- type: win_semaphore
semaphore_name: malware_semaphore
```
* type: win_task
```
- type: win_task
task_name: evil_task_name
task_exe_path: C:\Windows\toto\malware.exe
task_schedule: ONSTART
```
* win_service
```
- type: win_service
service_name: evil_service_name
service_display_name: evil_service_display_name
service_description: evil_service_description
service_exe_path: C:\Windows\toto\malware.exe
```
* win_regkey
```
- type: win_regkey
key: HKEY_LOCAL_MACHINE
subkey: Software\Microsoft\Windows\CurrentVersion\Run
data_name: malware
data_value: C:\Windows\toto\malware.exe
data_type: REG_SZ
```See. sample.yaml for examples.
# Requirements
* PyYAML
* pywin32# Author
Jean-Philippe Teissier - @Jipe_
# License
Apache License Version 2.0