Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/jipegit/dfir-ioc-ut
DFIR IoC Unit Testing
cybersecurity dfir ioc threat-hunting threat-sharing unit-testing
Last synced: 3 months ago
DFIR IoC Unit Testing
- Host: GitHub
- URL: https://github.com/jipegit/dfir-ioc-ut
- Owner: jipegit
- License: apache-2.0
- Created: 2019-11-01T08:46:23.000Z (about 5 years ago)
- Default Branch: master
- Last Pushed: 2020-07-27T09:33:01.000Z (over 4 years ago)
- Last Synced: 2024-05-08T01:34:07.254Z (6 months ago)
- Topics: cybersecurity, dfir, ioc, threat-hunting, threat-sharing, unit-testing
- Language: Python
- Homepage:
- Size: 186 KB
- Stars: 6
- Watchers: 3
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - jipegit/dfir-ioc-ut - DFIR IoC Unit Testing (Python)
README
# DFIR IOC Unit testing
DFIR-IOC-ut provides an easy way to customize a (virtual) machine with common *system* artifacts to test Indicators Of Compromise.
It may help your team with different use cases:
* IOC validation
* Threat Hunting simulation
* Security product (AV/EDR) testing

| | Windows | Linux | macOS |
|---|---------|--------|-------|
| File | X | X | X |
| Directory | X | X | X |
| Registry Key | X | | |
| Service | X | | |
| Scheduled task | X | | |
| Mutex | X | | |
| Semaphore | X | | |

# Output
![Screenshot](https://github.com/jipegit/dfir-ioc-ut/blob/master/resources/dfir_ioc_ut_run.png)
# Supported types
You can create the following artifacts depending on the platform of your target (virtual) machine:
* unix_directory
```yaml
- type: unix_directory
  directory: /tmp/malwaredir
```
* win_directory
```yaml
- type: win_directory
  directory: c:\malicious\path
```
* unix_filepath
```yaml
- type: unix_filepath
  file_path: /tmp/malpath/malware
```
* win_filepath
```yaml
- type: win_filepath
  file_path: C:\Windows\toto\malware.exe
```
* win_mutex
```yaml
- type: win_mutex
  mutex_name: malware_mutex
```
* win_semaphore
```yaml
- type: win_semaphore
  semaphore_name: malware_semaphore
```
* win_task
```yaml
- type: win_task
  task_name: evil_task_name
  task_exe_path: C:\Windows\toto\malware.exe
  task_schedule: ONSTART
```
* win_service
```yaml
- type: win_service
  service_name: evil_service_name
  service_display_name: evil_service_display_name
  service_description: evil_service_description
  service_exe_path: C:\Windows\toto\malware.exe
```
* win_regkey
```yaml
- type: win_regkey
  key: HKEY_LOCAL_MACHINE
  subkey: Software\Microsoft\Windows\CurrentVersion\Run
  data_name: malware
  data_value: C:\Windows\toto\malware.exe
  data_type: REG_SZ
```

See sample.yaml for examples.
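The artifact list above is a flat YAML sequence of mappings keyed by `type`. Before handing such a file to a test machine it is worth validating it and dry-running the parts that can be checked locally. The following is an added example, not code from the dfir-ioc-ut project: it checks each entry against a required-keys table derived from the README snippets, filters entries by target platform, and materialises the Unix file/directory artifacts under a throwaway sandbox root so the IoC paths can be verified to exist without writing to the real `/tmp`. The `REQUIRED_KEYS` table, the sandbox-root convention and the constructed sample entries (the shape `yaml.safe_load()` would return for the snippets above) are this example's own assumptions.

```python
"""Validate dfir-ioc-ut style artifact specs and dry-run the Unix ones.

Added example, not the project's own code. Entries are assumed to have the
shape PyYAML's safe_load() returns for the README's YAML snippets; the
REQUIRED_KEYS table and the sandbox-root convention are this example's own.
"""
import os
import tempfile

# Required keys per artifact type, taken from the README's snippets.
REQUIRED_KEYS = {
    "unix_directory": {"directory"},
    "win_directory": {"directory"},
    "unix_filepath": {"file_path"},
    "win_filepath": {"file_path"},
    "win_mutex": {"mutex_name"},
    "win_semaphore": {"semaphore_name"},
    "win_task": {"task_name", "task_exe_path", "task_schedule"},
    "win_service": {"service_name", "service_display_name",
                    "service_description", "service_exe_path"},
    "win_regkey": {"key", "subkey", "data_name", "data_value", "data_type"},
}


def validate(entries):
    """Return a list of human-readable problems; an empty list means the spec is usable."""
    problems = []
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict) or "type" not in entry:
            problems.append(f"entry {i}: missing 'type'")
            continue
        kind = entry["type"]
        if kind not in REQUIRED_KEYS:
            problems.append(f"entry {i}: unknown type {kind!r}")
            continue
        missing = REQUIRED_KEYS[kind] - set(entry)
        if missing:
            problems.append(f"entry {i} ({kind}): missing {sorted(missing)}")
    return problems


def select_for_platform(entries, platform):
    """Keep only entries whose type prefix matches the target platform."""
    prefix = "unix_" if platform in ("linux", "macos") else "win_"
    return [e for e in entries if str(e.get("type", "")).startswith(prefix)]


def create_unix_artifacts(entries, root):
    """Create unix_directory / unix_filepath artifacts beneath `root`.

    The spec's absolute paths are re-rooted under the sandbox directory, so
    nothing is written to the real filesystem locations.
    """
    created = []
    for entry in entries:
        if entry["type"] == "unix_directory":
            path = os.path.join(root, entry["directory"].lstrip("/"))
            os.makedirs(path, exist_ok=True)
        elif entry["type"] == "unix_filepath":
            path = os.path.join(root, entry["file_path"].lstrip("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"dfir-ioc-ut placeholder\n")  # inert marker content
        else:
            continue  # mutex/semaphore/registry/etc. need a Windows host
        created.append(path)
    return created


def verify_artifacts(paths):
    """Map each created path to whether it now exists (the 'unit test' step)."""
    return {p: os.path.exists(p) for p in paths}


# Constructed sample mirroring the README snippets (as yaml.safe_load would return them).
SAMPLE_ENTRIES = [
    {"type": "unix_directory", "directory": "/tmp/malwaredir"},
    {"type": "unix_filepath", "file_path": "/tmp/malpath/malware"},
    {"type": "win_regkey", "key": "HKEY_LOCAL_MACHINE",
     "subkey": r"Software\Microsoft\Windows\CurrentVersion\Run",
     "data_name": "malware", "data_value": r"C:\Windows\toto\malware.exe",
     "data_type": "REG_SZ"},
]
# A deliberately incomplete entry, to show what validate() reports.
BROKEN_ENTRIES = SAMPLE_ENTRIES + [{"type": "win_task", "task_name": "evil_task_name"}]


def demo():
    """Validate, filter for Linux, create the Unix artifacts in a sandbox, verify them."""
    root = tempfile.mkdtemp(prefix="dfir_ioc_ut_")
    created = create_unix_artifacts(select_for_platform(SAMPLE_ENTRIES, "linux"), root)
    checks = verify_artifacts(created)
    return root, created, all(checks.values())


if __name__ == "__main__":
    print("problems:", validate(BROKEN_ENTRIES))
    root, created, ok = demo()
    print("sandbox root:", root, "created:", created, "all present:", ok)
```

Run it as a script to see the validation report for the broken entry and the sandbox paths that were created; in practice replace `SAMPLE_ENTRIES` with `yaml.safe_load(open("sample.yaml"))` (PyYAML, which the project already requires).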
# Requirements
* PyYAML
* pywin32

# Author
Jean-Philippe Teissier - @Jipe_
# License
Apache License Version 2.0