Tools List
| Name | id | URL | Description | Tags | Github Stars | Github Last Commit |
|---|---|---|---|---|---|---|
| | 1 | | URLhaus is a project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution. | reputation-engine, osint | | |
| | 3866913880 | | This list can be valuable for threat hunters, SOC and CERT teams for static analysis on a SIEM, as it assists in identifying threat actors (or redteamers 😆) using default configurations from renowned exploitation tools in logs. | defensive-tradecraft, github-repo, hunt-pipeline-2023, threat-hunting, threat-hunting-ideas, tradecraft-tool | | |
| | 3924452988 | | Abusing mhyprotect (not mhyprot2) to kill AVs / EDRs / XDRs / Protected Processes. | edr-evasion, github-repo, offensive-tradecraft, tradecraft-tool | | |
| | 3932010482 | | Run powerpwn --help to get all available commands. | azure-cloud, github-repo, offensive-tradecraft, tactic-persistence, tradecraft-tool | | |
| | 3930510823 | | SCMUACBypass | cobalt-strike, github-repo, kerberos, offensive-tradecraft, tradecraft-tool | | |
| | 3856803752 | | Breach Report Collection: a collection of companies that disclose adversary TTPs after they have been breached. Useful for analysis of intrusions launched by adversaries with measurable effects and impact. (Table columns: Organization, Breach Date, Adversary, Source; first row: Coinbase, February 2023, 0ktapus (suspected), coinbase.) | defensive-tradecraft, github-repo, intel-report, threat-intel, tradecraft-tool | | |
| | 3745253003 | | Villain is a Windows & Linux backdoor generator and multi-session handler that allows users to connect with sibling servers (other machines running Villain) and share their backdoor sessions, handy for working as a team. | backdoor, github-repo, kali-linux, linux, offensive-tradecraft, tradecraft-tool | | |
| | 3293389854 | | Stand up simple Elastic containers with Kibana, Fleet, and the Detection Engine. Requirements are minimal: *NIX or macOS, Docker, jq, and Git. | defensive-tradecraft, detection-lab, github-repo, lab-environment, threat-hunting, tradecraft-tool | | |
| | 3909256490 | | DFIR Toolkit. Table of contents: Installation; Overview of timelining tools; Tools: cleanhive, evtx2bodyfile, evtxanalyze, evtxscan, evtxcat, evtxls, es4forensics, hivescan, ipgrep, lnk2bodyfile, mactime2, mft2bodyfile, ntdsextract2, pol_export, procbins, regdump, regls, regview, ts2date, usnjrnl_dump; Overview of timelini | defensive-tradecraft, dfir, email-forensics, github-repo, offensive-tradecraft, osint, recon, tradecraft-tool | | |
| | 3129562429 | | GHunt (v2) is an offensive Google framework, designed to evolve efficiently. It's currently focused on OSINT, but any use related to Google is possible. It will automatically use venvs to avoid dependency conflicts with other projects. | defensive-tradecraft, dfir, email-forensics, github-repo, offensive-tradecraft, osint, recon, tradecraft-tool | | |
| | 3659224908 | | Your file must be less than 2MB in size. | defensive-tradecraft, reverse-engineering, tradecraft-tool | | |
| | 3914031775 | | This tool is for educational purposes only. | c2, defensive-tradecraft, github-repo, sliver-c2, tradecraft-tool | | |
| | 3874709184 | | The tool in question was created in Go and its main objective is to search for API keys in JavaScript files and HTML pages. It works by checking the source code of web pages and script files for strings that are identical or similar to API keys. | api-security, defensive-tradecraft, github-repo, offensive-tradecraft, tradecraft-tool | | |
| | 2866115939 | | Movekit is an extension of built-in Cobalt Strike lateral movement, leveraging the execute_assembly function with the SharpMove and SharpRDP .NET assemblies. The aggressor script handles payload creation by reading the template files for a specific execution type. | .net, cobalt strike, github-repo, offensive-tradecraft, threat-hunting-ideas, tradecraft-tool | | |
| | 3878855094 | | This repository consists of tools/links that an expert can use during a Pentest/RedTeam engagement. If a tool performs multiple functions, for example collecting subdomains and URLs, it is listed in two places. Search engines for investigating domains/IP addresses. | defensive-tradecraft, github-repo, offensive-tradecraft, osint, tradecraft-tool | | |
| | 3906134084 | | Scenario: you are Local Administrator and there is a logged-in user you want to impersonate. Goal: from Local Admin to Domain Admin with a Kerberos TGS. Required: Local Administrator and a Domain Admin logged on (or disconnected). In this guide the Domain Admin user is CALIPENDULA\fagiolo | active-directory, github-repo, kerberos, offensive-tradecraft, tradecraft-tool | | |
| | 3905594543 | | (GitHub file listing only: README.md, dumper.ps1, injector.ps1) | active-directory, github-repo, kerberos, offensive-tradecraft, tactic-cred-dumping, tradecraft-tool | | |
| | 3851019979 | | Threat hunting queries for Microsoft 365 Defender / XDR. Provides out-of-the-box KQL hunting queries for App, Email, Identity and Endpoint. - KQL/KQL-Effective-Use at main · LearningKijo/KQL | azure-cloud, data-exfiltration, defensive-tradecraft, github-repo, kql, tradecraft-tool | | |
| | 3902553840 | | Get info on a website's SSL certs, domain, headers, cookies, DNS records, technologies used, performance, hostnames, crawl rules, server info and more. Often when I'm looking into a website, there are several things I always check first. | defensive-tradecraft, github-repo, offensive-tradecraft, tradecraft-tool | | |
| | 3804421977 | | This tool detects artifacts of PowerShell-based malware in the PowerShell logging event log. The resulting JSON file can be visualized with viewer.html. | defensive-tradecraft, deobfuscate, github-repo, powershell, tradecraft-tool | | |
| | 3902469158 | | BadZure is a PowerShell script that leverages the Microsoft Graph SDK to orchestrate the setup of Azure Active Directory tenants, populating them with diverse entities while also introducing common security misconfigurations to create vulnerable tenants with multiple attack paths. | defensive-tradecraft, github-repo, offensive-tradecraft, tradecraft-tool | | |
| | 3902110940 | | | defensive-tradecraft, offensive-tradecraft, tradecraft-tool | | |
| | 1974988845 | | LogonTracer is a tool to investigate malicious logons by visualizing and analyzing Windows Active Directory event logs. It associates the host name (or IP address) and account name found in logon-related events and displays them as a graph. | defensive-tradecraft, github-repo, tradecraft-tool | | |
| | 3853903502 | | Collection of custom BloodHound queries. New Azure stuff, MS Graph related. | apt, attack-path, pkm-pocket-pipeline, ransomware, summarize-article | | |
| | 3899656912 | | (GitHub file listing only: adversary_emulation/APT29/Emulation_Plan/Day 2/payloads) | github-repo, offensive-tradecraft, tactic-cred-dumping, tradecraft-tool | | |
| | 3890838999 | | This Streamlit app helps you draft takedown requests to domain registrars. Created by Matt Adams. | ai-llm, defensive-tradecraft, github-repo, python, streamlit, tradecraft-tool | | |
| | 3843283896 | | It's an AV/EDR evasion tool created to bypass security tools for learning; until now the tool is FUD. | bloodhound, cyber-deception, pkm-pocket-pipeline, summarize-article, threat-hunting | | |
| | 3114680822 | | The purpose of this list is to track and compare tunneling solutions. It is primarily targeted at self-hosters and developers who want to do things like exposing a local webserver via a public domain name, with automatic HTTPS, even if behind a NAT or other restricted network. | github-repo, offensive-tradecraft, tradecraft-tool | | |
| | 3247509232 | | ScareCrow is a payload creation framework for side loading (not injecting) into a legitimate Windows process (bypassing Application Whitelisting controls). | github-repo, offensive-tradecraft, technique-dll-sideload, tradecraft-tool | | |
| | 3493575212 | | FastFinder - Incident Response - Fast suspicious file finder. What is this project designed for? FastFinder is a lightweight tool made for threat hunting, live forensics and triage on the Windows platform. | defensive-tradecraft, github-repo, ioc-scanner, tradecraft-tool, webshell | | |
| | 3888494661 | | ShellSheep and its suite of tools calculate the entropy of file contents to estimate the likelihood of a file being a webshell. High entropy indicates more randomness, which is a characteristic of the encrypted or obfuscated code often found in webshells. | defensive-tradecraft, github-repo, ioc-scanner, tradecraft-tool, webshell | | |
| | 3613938953 | | (README ASCII-art banner only; no description extracted) | cyber-deception, defensive-tradecraft, tactic-session-enum, tradecraft-tool | | |
| | 3820737835 | | This tool is a command line utility that allows you to convert any binary file into a QR code GIF. The data can then be reassembled visually, allowing exfiltration of data from air-gapped systems. | offensive-tradecraft, tactic-exfiltration, technique-data-encoding, tradecraft-tool | | |
| | 2896377399 | | In this instance, the username is 'lightmand' and the domain is 'acmecomputercompany.com'. If a user has logged into OneDrive, this path will exist and return a 403 status code. If they have not, or the user is invalid, it will return a 404. | azure-cloud, github-repo, o365, offensive-tradecraft, tradecraft-tool | | |
| | 3881540323 | | | defensive-tradecraft, threat-intel, tradecraft-tool | | |
| | 3872092889 | | AllForOne - Nuclei Template Collector 👤 Welcome to the "AllForOne" repository! 🚀 This repository contains a Python script that allows bug bounty hunters and security researchers to collect all Nuclei YAML templates from various public repositories, helping to streamline the process of download | defensive-tradecraft, github-repo, offensive-tradecraft, pkm-pocket-pipeline, tradecraft-tool | | |
| | 3878056427 | | Here you will find privilege escalation tools for Windows, Linux/Unix* and macOS. These tools search for possible local privilege escalation paths that you could exploit and print them with nice colors so you can recognize the misconfigurations easily. | github-repo, offensive-tradecraft, pkm-pocket-pipeline, tradecraft-tool | | |
| | 3768625149 | | | defensive-tradecraft, elastic-stack, kernel, pkm-pocket-pipeline, procedure-syscalls, process-telemetry, summarize-article | | |
| | 3857701478 | | Semperis Inc. © 2021, All Rights Reserved. Identity Resilience attracts industry experts committed to winning the battle against cybercriminals and the awful acts their illicit activities fund: narcotics, weapons, terrorism, human trafficking, and child exploitation. | defensive-tradecraft, elastic-stack, kernel, pkm-pocket-pipeline, procedure-syscalls, process-telemetry, summarize-article | | |
| | 3873454857 | | Blackout leverages the GMER driver to disable or kill EDRs and AVs. The sample is sourced from loldrivers: https://www.loldrivers.io/drivers/7ce8fb06-46eb-4f4f-90d5-5518a6561f15/ Usage: place the driver Blackout.sys in the same path as the executable Blackout. | defensive-tradecraft, elastic-stack, kernel, pkm-pocket-pipeline, procedure-syscalls, process-telemetry, summarize-article | | |
| | 2952669086 | | ROADtools is a framework to interact with Azure AD. It currently consists of a library (roadlib) and the ROADrecon Azure AD exploration tool. ROADlib is a library that can be used to authenticate with Azure AD or to build tools that integrate with a database containing ROADrecon data. | azure-ad, defensive-tradecraft, offensive-tradecraft, tradecraft-tool | | |
| | 3868557298 | | ADCSKiller is a Python-based tool designed to automate the process of discovering and exploiting Active Directory Certificate Services (ADCS) vulnerabilities. It leverages features of Certipy and Coercer to simplify the process of attacking ADCS infrastructure. | active-directory, offensive-tradecraft, tactic-ad-attack, tradecraft-tool | | |
| | 3401593384 | | BeaconEye scans running processes for active CobaltStrike beacons. When a process is found to be running a beacon, BeaconEye will monitor that process for C2 activity. | cobalt-strike-c2, defensive-tradecraft, tradecraft-tool | | |
| | 3141801589 | | Modified version of Matterpreter's DefenderCheck. Takes a binary as input (either from a file on disk or a URL), splits it until it pinpoints the exact bytes that the target engine will flag on, and prints them to the screen. | malware-analysis, offensive-tradecraft, tactic-amsi-bypass, tradecraft-tool | | |
| | 3861437257 | | This is where I will be storing all my malware-based projects as I venture into the mystic and unknown. I'll eventually write a detailed explanation of each project in this repo, so if there isn't one there when you're looking at it, I'll get to it eventually. | github-repo, offensive-tradecraft, procedure-syscalls, tactic-process-injection, tradecraft-tool | | |
| | 3674562225 | | PersistenceSniper is a PowerShell script that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistence implanted on Windows machines. The script is also available on the PowerShell Gallery. Why write such a tool, you might ask. | defensive-tradecraft, github-repo, tactic-persistence, tradecraft-tool | | |
| | 3859416704 | | | driver-control, github-repo, offensive-tradecraft, tradecraft-tool | | |
| | 3858610914 | | About: ETWHash is a C# POC that is able to extract NetNTLMv2 hashes of incoming authentications via SMB by consuming ETW events from the Microsoft-Windows-SMBServer provider {D48CE617-33A2-4BC3-A5C7-11AA4F29619E}. Notes: administrative privileges required. Usage: EtwHash. | github-repo, offensive-tradecraft, tool-adversary, tradecraft-tool | | |
| | 27046762 | | So, you want to learn how to send your own fake mail? It's extraordinarily easy to do, and requires no extra software installed on your PC at all. It can be done with Windows, Macintosh, Linux - any modern PC that has an internet connection will do it. There are just a few simple steps. | offensive-tradecraft, phishing, tradecraft-tool | | |
| | 3787833242 | | C2-Hunter is a program designed for malware analysts to extract Command and Control (C2) traffic from malware in real time. The program uses a unique approach by hooking into the Win32 connection APIs. | defensive-tradecraft, github-repo, ioc-scanner, memory-forensics, tradecraft-tool | | |
| | 3814000165 | | Kraken. Version • Requirements • Support • Install • Usage • Examples • Contributing • Bugs. English • Spanish. Version 1.0.0 - Version changelog. Requirements: in order to use the tool, the following requirements must first be satisfied: python3.8 (>= 3. | azure-cloud, cloud-attacks, cloud-forensics, email-compromise, microsoft-ual, summarize-article | | |
| | 3762553392 | | IATelligence is a Python script that extracts the Import Address Table (IAT) from a PE file and uses OpenAI's GPT-3 model to provide details about each Windows API imported by the file. | defensive-tradecraft, github-repo, iat, reverse-engineer, threat-hunting-tools, tradecraft-tool | | |
| | 3279584999 | | This is a collection of tools you may like if you are interested in reverse engineering and/or malware analysis on x86 and x64 Windows systems. | defensive-tradecraft, github-repo, reverse-engineering, tradecraft-tool | 0 | 0 |
| | 445320361 | | Arsenal Image Mounter mounts the contents of disk images as complete disks in Microsoft Windows. | defensive-tradecraft, dfir, github-repo, image-mounter, tradecraft-tool | 0 | 0 |