Incident Response

Windows Batch script that uses a set of tools and output files to make a system look as if it was compromised.

Small and highly portable detection tests mapped to the MITRE ATT&CK Framework.

Automated Tactics Techniques & Procedures. Re-running complex sequences manually for regression tests, product evaluations, generate data for researchers.

Automated adversary emulation system that performs post-compromise adversarial behavior within Windows Enterprise networks. It generates plans during operation using a planning system and a pre-configured adversary model based on the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) project.

Modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events. Easily create custom event chains for Blue Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations.

Information security preparedness tool to do adversarial simulation.

Lightweight utility used to generate malicious network traffic and help security teams to evaluate security controls and network visibility.

RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK.

Virtual machine for adversary emulation and threat hunting.

Bitscout by Vitaly Kamluk helps you build your fully-trusted customizable LiveCD/LiveUSB image to be used for remote digital forensics (or perhaps any other task of your choice). It is meant to be transparent and monitorable by the owner of the system, forensically sound, customizable and compact.

Acquire is a tool to quickly gather forensic artifacts from disk images or a live system into a lightweight container. This makes Acquire an excellent tool to, among others, speedup the process of digital forensic triage. It uses Dissect to gather that information from the raw disk, if possible.

The artifactcollector project provides a software that collects forensic artifacts on systems.

Computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. Because of ignoring the file system structure, the program distinguishes itself in terms of speed and thoroughness.

Streamlined list of parsers to quickly analyze a forensic image file (dd, E01, .vmdk, etc) and output nine reports.

The CyLR tool collects forensic artifacts from hosts with NTFS file systems quickly, securely and minimizes impact to the host.

Digital Forensics Artifact Repository

Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.

Command line utility (that works with or without Amazon EC2 instances) to parallelize remote memory acquisition.

Acquire, triage and investigate remote evidence via portable iSCSI readonly access

UAC (Unix-like Artifacts Collector) is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts.

A free SOAR system that helps to automate alert handling and incident response processes.

A framework for orchestrating forensic collection, processing and data export.

Incident Response tracking application handling one or more incidents via cases and tasks with a lot of affected systems and artifacts.

Cybersecurity incident management platform designed with agility and speed in mind. It allows for easy creation, tracking, and reporting of cybersecurity incidents and is useful for CSIRTs, CERTs and SOCs alike.

Incident Response collaboration and knowledge capture tool focused on flexibility and ease of use. Our goal is to add value to the incident response process without burdening the user.

A general purpose security automation platform focused on accessibility.

Lightweight investigation notebook that allows security researchers the ability to register and retrieve indicators related to their research.

Digital Forensics Artifact Knowledge Base

Windows Events Attack Samples

Windows Registry Knowledge Base

CyLR CDQR Forensics Virtual Machine (CCF-VM): An all-in-one solution to parsing collected data, making it easily searchable with built-in common searches, enable searching of single and multiple hosts simultaneously.

Special Linux distro aimed at network security monitoring featuring advanced analysis tools.

FastIR for Linux collects different artifacts on live Linux and records the results in CSV files.

Fast memory acquisition open source tool for Linux written in Rust. Generate full memory crash dumps of Linux machines.

AppCompatProcessor has been designed to extract additional value from enterprise-wide AppCompat / AmCache data beyond the classic stacking and grepping techniques.

APT-Hunter is Threat Hunting tool for windows event logs.

Chainsaw provides a powerful ‘first-response’ capability to quickly identify threats within Windows event logs.

Hayabusa is a Windows event log fast forensics timeline generator and threat hunting tool created by the Yamato Security group in Japan.

Tool for advanced HTTPD logfile security analysis and forensics.

CLI utility and Python API for analyzing log files and other data.

Tool to investigate malicious Windows logon by visualizing and analyzing Windows event log.

Generic signature format for SIEM systems already containing an extensive ruleset.

Serverless, real-time log data analysis framework, capable of ingesting custom data sources and triggering alerts using user-defined logic.

SysmonSearch makes Windows event log analysis more effective and less time consuming by aggregation of event logs.

Windows Event Log Analyzer aims to be the Swiss Army knife for Windows event logs.

A standalone and fast SIGMA-based detection tool for EVTX or JSON.

A portable volatile memory acquisition tool for Linux.

Web interface for the Volatility Memory Forensics Framework.

Advanced memory analysis for Windows x64 with nested hypervisor support.

Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, formerly called DMD.

MalConfScan is a Volatility plugin extracts configuration data of known malware. Volatility is an open-source memory forensics framework for incident response and malware analysis. This tool searches for malware in memory images and dumps configuration data. In addition, this tool has a function to list strings to which malicious code refers.

MemProcFS is an easy and convenient way of viewing physical memory as files in a virtual file system.

Orochi is an open source framework for collaborative forensic memory dump analysis.

Advanced memory forensics framework.

The volatile memory extraction framework (successor of Volatility)

Automation tool for researchers cuts all the guesswork and manual tasks out of the binary extraction phase, or to help the investigator in the first steps of performing a memory analysis investigation.

Malware Memory Footprint Analysis based on Volatility.

Script for dumping Linux memory and creating Volatility profiles.

Script for dumping Linux memory and creating Volatility profiles.

Plugin based forensics framework for quick mac triage that works on live machines, disk images or individual artifact files.

Free Mac OS X computer forensics tool.

OSX Auditor offshoot for live response.

Collection of Event ID resources useful for Digital Forensics and Incident Response.

A curated list of awesome forensic analysis tools and resources.

Tool collection

Collective list of public JSON APIs for use in security.

DFIR tool developed by Netflix's SIRT that allows an investigator to quickly scope a compromise across cloud instances (Linux instances on AWS, currently) during an incident and efficiently triaging those instances for followup actions by showing differences against a baseline.

Python DNS crawler for finding identical domain names under different TLDs.

Pull intelligence per file hash.

Threat Hunting platform.

Internet history forensics for Google Chrome/Chromium.

Pull intelligence per host.

Command line utility and Python package to ease the (un)mounting of forensic disk images.

Modular incident response framework in PowerShell.

MFT directory tree reconstruction & record info.

Online hash checker for VirusTotal and other services.

PowerSponse is a PowerShell module focused on targeted containment and remediation during security incident response.

Very simple multi-threaded many-rules to many-files YARA scanning Python script for malware zoos and IR.

Allows one to scan disks and memory for IOCs using YARA on Windows, Linux and OS X.

A Simple Ransomware Protection

Packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. It stores as much history as it possible, managing disk usage, and deleting when disk limits are hit. It's ideal for capturing the traffic just before and during an incident, without the need explicit need to store all of the network traffic.

Threat hunter based on osquery and Salt Open (SaltStack) that can issue ad-hoc or distributed queries without the need for osquery's tls plugin. sqhunter allows you to query open network sockets and check them against threat intelligence sources.

Sysmon configuration file template with default high-quality event tracing

A repository of sysmon configuration modules

Extended traceroute to support the activities of CSIRT (or CERT) operators. Usually CSIRT team have to handle incidents based on IP addresses received. Created by Computer Emergency Response Center Luxembourg.

AWS IR Runbook Samples meant to be customized per each entity using them. The three samples are: "DoS or DDoS attack", "credential leakage", and "unintended access to an Amazon S3 bucket".

Counteractive PLaybooks collection.

A collection of Cyber Incident Response Playbook Battle Cards

Incident Response Methodologies by CERT Societe Generale.

Documents that describe parts of the PagerDuty Incident Response process. It provides information not only on preparing for an incident, but also what to do during and after. Source is available on GitHub.

Phantom Community Playbooks for Splunk but also customizable for other use.

Playbook to aid the development of techniques and hypothesis for hunting campaigns.

detects capabilities in executable files. You run it against a PE, ELF, .NET module, or shellcode file and it tells you what it thinks the program can do.

Malware Configuration And Payload Extraction.

Open Source Highly configurable sandboxing tool.

Heavily modified Cuckoo fork developed by community.

Python library to control a cuckoo-modified sandbox.

Free and Open Source Reverse Engineering Platform powered by rizin.

Software Reverse Engineering Framework.

Static analysis framework that automates the process of extracting key characteristics from a number of different file formats.

Reverse engineering framework and command-line toolset.

UNIX-like reverse engineering framework and command-line toolset

A machine learning tool that ranks strings based on their relevance for malware analysis.

Python based binary analysis and management framework, that works well with Cuckoo and YARA.

Open source visualization library and command line tools for logs (Cuckoo, Procmon, more to come).

Simple IOC scanner. It allows scanning any Linux/Unix/OSX system for IOCs in plain bash. Created by the creators of THOR and LOKI.

Simple YARA-based IOC scanner written in Go

Free IR scanner for scanning endpoint with yara rules and other indicators(IOCs).

Framework/scripting tool to standardize and simplify the process of scripting live acquisition utilities for Windows.

DFIR ORC is a collection of specialized tools dedicated to reliably parse and collect critical artifacts such as the MFT, registry hives or event logs. DFIR ORC collects data, but does not analyze it: it is not meant to triage machines. It provides a forensically relevant snapshot of machines running Microsoft Windows. The code can be found on GitHub.

Tool that collects different artifacts on live Windows systems and records the results in csv files. With the analyses of these artifacts, an early compromise can be detected.

Tool for exploration and tracing of the Windows kernel.

Collecting the most valuable artifacts for forensics or incident response investigations.

Invoke-LiveResponse is a live response tool for targeted collection.

Incident Response Triage - Windows Evidence Collection for Forensic Analysis.

PowerShell-based triage and threat hunting for Windows.

Fast incident overview on live Windows systems.

Live disk forensics platform, using PowerShell.

PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.

Open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis.

Platform developed to build easily a detailed timeline of an incident.

PHP Web app by Etsy for managing postmortems.

A Python-based backend engine for the tool log2timeline.

Open source tool for collaborative forensic timeline analysis.