- The Hunter’s Book of OSINT
- HTTP Tools
- Unfurl: break down URLs to their components
- OSINT Tools | GitHub Curated Reference
- awesome-osint
- Yelp Threat Intel
- CertStream
- r3con1z3r
- Gotanda OSINT
- List of supported engines
- Hawk
- OSINT Online Services
- RiskIQ
The Hunter’s Book of OSINT
URLHaus
URLHaus
URLhaus is a project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution.
mthcht/ThreatHunting-Keywords
mthcht/ThreatHunting-Keywords
This List can be valuable for ThreatHunters, SOC and CERT teams for static analysis on SIEM as it assists in identifying threat actors (or redteamers 😆) using default configurations from renowned exploitation tools in logs.
zer0condition/mhydeath
zer0condition/mhydeath
Abusing mhyprotect (not mhyprot2) to kill AVs / EDRs / XDRs / Protected Processes.
Modules: Install a backdoor
Modules: Install a backdoor
Run powerpwn --help to get all available commands.
rasta-mouse/SCMUACBypass
rasta-mouse/SCMUACBypass
SCMUACBypass
BushidoUK/Breach-Report-Collection
BushidoUK/Breach-Report-Collection
Breach Report Collection A collection of companies that disclose adversary TTPs after they have been breached Useful for analysis of intrusions launched by adversaries with measurable effects and impact Organization Breach Date Adversary Source Coinbase February 2023 0ktapus (suspected) coinbase.
t3l3machus/Villain
t3l3machus/Villain
Villain is a Windows & Linux backdoor generator and multi-session handler that allows users to connect with sibling servers (other machines running Villain) and share their backdoor sessions, handy for working as a team.
Elastic Container
Elastic Container
Stand up simple Elastic containers with Kibana, Fleet, and the Detection Engine. Requirements are minimal: *NIX or macOS, Docker, jq, and Git.
dfir-dd/dfir-toolkit
dfir-dd/dfir-toolkit
DFIR Toolkit Table of contents Installation Overview of timelining tools Tools cleanhive evtx2bodyfile evtxanalyze evtxscan evtxcat evtxls es4forensics hivescan ipgrep lnk2bodyfile mactime2 mft2bodyfile ntdsextract2 pol_export procbins regdump regls regview ts2date usnjrnl_dump Overview of timelini
mxrch/GHunt
mxrch/GHunt
GHunt (v2) is an offensive Google framework, designed to evolve efficiently. It's currently focused on OSINT, but any use related with Google is possible. It will automatically use venvs to avoid dependency conflicts with other projects.
Decompiler Explorer
Decompiler Explorer
Your file must be less than 2MB in size.
ACE-Responder/RogueSliver
ACE-Responder/RogueSliver
This tool is for educational purposes only.
MrEmpy/Mantra
MrEmpy/Mantra
The tool in question was created in Go and its main objective is to search for API keys in JavaScript files and HTML pages. It works by checking the source code of web pages and script files for strings that are identical or similar to API keys.
0xthirteen/MoveKit
0xthirteen/MoveKit
Movekit is an extension of built in Cobalt Strike lateral movement by leveraging the execute_assembly function with the SharpMove and SharpRDP .NET assemblies. The aggressor script handles payload creation by reading the template files for a specific execution type.
wddadk/Offensive-OSINT-Tools
wddadk/Offensive-OSINT-Tools
This repository consists of tools/links that a expert can use during Pentest/RedTeam. If the tool performs multiple functions, for example collecting subdomains and URLs, it will be listed in two places. Search Engines for Investigation Domains/IP Addresses.
foxlox/GIUDA
foxlox/GIUDA
Scenario: you are Local Administrator and there is a logged User you want to Impersonate! Goal: From Local Admin to Domain Admin with Kerberos TGS Required: Local Administrator and a Domain Admin Logged (or Disconnected). In this guide the Domain Admin User is CALIPENDULA\fagiolo
{"payload":{"allShortcutsEnabled":false,"fileTree":{"":{"items":[{"name":"README.md","path":"README.md","contentType":"file"},{"name":"dumper.ps1","path":"dumper.ps1","contentType":"file"},{"name":"injector.ps1","path":"injector.
Name already in use
Name already in use
Threat Hunting query in Microsoft 365 Defender, XDR. Provide out-of-the-box KQL hunting queries - App, Email, Identity and Endpoint. - KQL/KQL-Effective-Use at main · LearningKijo/KQL
Lissy93/web-check
Lissy93/web-check
Get info on a websites SSL certs, domain, headers, cookies, DNS records, technologies used, performance, hostnames, crawl rules, server info and more Often when I'm looking into a website, there's several things I always check first.
Sh1n0g1/z9
Sh1n0g1/z9
This tools detects the artifact of the PowerShell based malware from the eventlog of PowerShell logging. The JSON file can be visualized by viewer.html.
mvelazc0/BadZure
mvelazc0/BadZure
BadZure is a PowerShell script that leverages the Microsoft Graph SDK to orchestrate the setup of Azure Active Directory tenants, populating them with diverse entities while also introducing common security misconfigurations to create vulnerable tenants with multiple attack paths.
Red Siege Tools
Red Siege Tools
JPCERTCC/LogonTracer
JPCERTCC/LogonTracer
LogonTracer is a tool to investigate malicious logon by visualizing and analyzing Windows Active Directory event logs. This tool associates a host name (or an IP address) and account name found in logon-related events and displays it as a graph.
LuemmelSec/Custom-BloodHound-Queries
LuemmelSec/Custom-BloodHound-Queries
Collection of custom BloodHound queries New Azure stuff MS Graph related
{"payload":{"allShortcutsEnabled":false,"fileTree":{"adversary_emulation/APT29/Emulation_Plan/Day 2/payloads":{"items":[{"name":"2016_United_States_presidential_election_-_Wikipedia.
mrwadams/takedown-gpt
mrwadams/takedown-gpt
This Streamlit app helps you draft takedown requests to domain registrars. Created by Matt Adams.
0xHossam/Killer
0xHossam/Killer
It's a AV/EDR Evasion tool created to bypass security tools for learning, until now the tool is FUD.
The dream
The dream
The purpose of this list is to track and compare tunneling solutions. This is primarily targeted toward self-hosters and developers who want to do things like exposing a local webserver via a public domain name, with automatic HTTPS, even if behind a NAT or other restricted network.
optiv/ScareCrow
optiv/ScareCrow
ScareCrow is a payload creation framework for side loading (not injecting) into a legitimate Windows process (bypassing Application Whitelisting controls).
FastFinder - Incident Response - Fast suspicious file finder
FastFinder - Incident Response - Fast suspicious file finder
FastFinder - Incident Response - Fast suspicious file finder What is this project designed for? FastFinder is a lightweight tool made for threat hunting, live forensics and triage on Windows Platform.
MHaggis/ShellSweep
MHaggis/ShellSweep
ShellSheep and it's suite of tools calculate the entropy of file contents to estimate the likelihood of a file being a webshell. High entropy indicates more randomness, which is a characteristic of encrypted or obfuscated codes often found in webshells.
Sq00ky/SMB-Session-Spoofing
Sq00ky/SMB-Session-Spoofing
________ _________ _____ _ _____ __ / ___| \/ || ___ \ / ___| (_) / ___| / _| \ `--.| . . || |_/ / \ `--. ___ ___ ___ _ ___ _ __ \ `--. _ __ ___ ___ | |_ ___ _ __ `--. \ |\/| || ___ \ `--. \/ _ \/ __/ __| |/ _ \| '_ \ `--.
Shell-Company/QRExfil
Shell-Company/QRExfil
This tool is a command line utility that allows you to convert any binary file into a QRcode GIF. The data can then be reassembled visually allowing exfiltration of data in air gapped systems.
onedrive_user_enum
onedrive_user_enum
In this instance, the username is 'lightmand' and the domain is 'acmecomputercompany.com'. If a user has logged into OneDrive, this path will exist and return a 403 status code. If they have not, or the user is invalid, it will return a 404.
MA - insights
MA - insights
AggressiveUser/AllForOne
AggressiveUser/AllForOne
AllForOne - Nuclei Template Collector 👤 Welcome to the "AllForOne" repository! 🚀 This repository contains a Python script that allows bug bounty hunters and security researchers to collect all Nuclei YAML templates from various public repositories, helping to streamline the process of download
PEASS-ng - Privilege Escalation Awesome Scripts SUITE new generation
PEASS-ng - Privilege Escalation Awesome Scripts SUITE new generation
Here you will find privilege escalation tools for Windows and Linux/Unix* and MacOS. These tools search for possible local privilege escalation paths that you could exploit and print them to you with nice colors so you can recognize the misconfigurations easily.
Tidal Cyber
Tidal Cyber
Evaluate the security of your Active Directory.
Evaluate the security of your Active Directory.
All Rights Reserved. Semperis Inc. © 2021 IDENTITY RESILIENCE attracts industry experts committed to winning the battle against cybercriminals and the awful acts their illicit activities fund: narcotics, weapons, terrorism, human trafficking, and child exploitation.
ZeroMemoryEx/Blackout
ZeroMemoryEx/Blackout
Blackout leveraging gmer driver to effectively disabling or killing EDRs and AVs. the sample is sourced from loldrivers https://www.loldrivers.io/drivers/7ce8fb06-46eb-4f4f-90d5-5518a6561f15/ usage Place the driver Blackout.sys in the same path as the executable Blackout.
ROADtools
ROADtools
ROADtools is a framework to interact with Azure AD. It currently consists of a library (roadlib) and the ROADrecon Azure AD exploration tool. ROADlib is a library that can be used to authenticate with Azure AD or to build tools that integrate with a database containing ROADrecon data.
grimlockx/ADCSKiller
grimlockx/ADCSKiller
ADCSKiller is a Python-based tool designed to automate the process of discovering and exploiting Active Directory Certificate Services (ADCS) vulnerabilities. It leverages features of Certipy and Coercer to simplify the process of attacking ADCS infrastructure.
BeaconEye
BeaconEye
BeaconEye scans running processes for active CobaltStrike beacons. When processes are found to be running beacon, BeaconEye will monitor each process for C2 activity.
https://github.com/rasta-mouse/ThreatCheck
https://github.com/rasta-mouse/ThreatCheck
Modified version of Matterpreter's DefenderCheck. Takes a binary as input (either from a file on disk or a URL), splits it until it pinpoints that exact bytes that the target engine will flag on and prints them to the screen.
Joker122402/MalDev
Joker122402/MalDev
This is where i will be storing all my malware based projects as i venture into the mystic and unknown. Ill eventually write a detailed explanation of each project in this repo so if there isnt one there when youre looking at it, ill get to it eventually.
last-byte/PersistenceSniper
last-byte/PersistenceSniper
PersistenceSniper is a Powershell script that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. The script is also available on Powershell Gallery. Why writing such a tool, you might ask.
ImpersonateLoggedOnUser POCs
ImpersonateLoggedOnUser POCs
nettitude/ETWHash
nettitude/ETWHash
About ETWHash is a C# POC that is able to extract NetNTLMv2 hashes of incoming authentications via SMB, by consuming ETW events from the Microsoft-Windows-SMBServer provider {D48CE617-33A2-4BC3-A5C7-11AA4F29619E} Notes Administrative privileges required Usage Usage: EtwHash.
dead fake
dead fake
So, you want to learn how to send your own fake mail? It's extraordinarily easy to do, and requires no extra software installed on your PC at all. It can be done with Windows, Macintosh, Linux - any modern PC that has an internet connection will do it. There are a just a few simple steps.
ZeroMemoryEx/C2-Hunter
ZeroMemoryEx/C2-Hunter
C2-Hunter is a program designed for malware analysts to extract Command and Control (C2) traffic from malwares in real-time. The program uses a unique approach by hooking into win32 connections APIs.
kraken-ng/Kraken
kraken-ng/Kraken
Kraken Version • Requirements • Support • Install • Usage • Examples • Contributing • Bugs English • Spanish Version 1.0.0 - Version changelog Requirements In order to use the tool, the following requirements must first be satisfied: python3.8 (>= 3.
fr0gger/IATelligence
fr0gger/IATelligence
IATelligence is a Python script that extracts the Import Address Table (IAT) from a PE file and uses OpenAI's GPT-3 model to provide details about each Windows API imported by the file.
Reverse Engineer's Toolkit
Reverse Engineer's Toolkit
This is a collection of tools you may like if you are interested on reverse engineering and/or malware analysis on x86 and x64 Windows systems.
0
Arsenal-Image-Mounter
Arsenal-Image-Mounter
Arsenal Image Mounter mounts the contents of disk images as complete disks in Microsoft Windows.
0
HTTP Tools
Unfurl: break down URLs to their components
- 2D version: https://dfir.blog/unfurl/
- 3D version: https://dfir.blog/unfurl-3d/
OSINT Tools | GitHub Curated Reference
awesome-osint
- URL: https://github.com/jivoi/awesome-osint
9f8bb33d44ae4550bfcc863430453da8
4d57eb337670421badc9454452f63b63
We need to start with awesome-osint because it contains a great list of public threat intel resources. {.is-success}
Yelp Threat Intel
- URL: https://github.com/Yelp/threat_intel
6c55aac2f13f46ea97dfd80fd5dc8396
472c6f06e4654ab9a73c273cefbfb423
Amazing python tool that acts as a wrapper for useful APIs: Umbrella Investigate, VirusTotal API v2.0 and ShadowServer API
CertStream
- URL: https://github.com/huydhn/certstream-analytics
89d5cf81402f4cbda11bf90777e01c39
1ef1bcddff3f4c27aa0423e7380749a7
A great tool to perform analysis on domain strings: IDNA decoder, homoglyphs decoder, word segmentation, etc.
r3con1z3r
- URL: https://github.com/abdulgaphy/r3con1z3r
d9ba6c0324174266bfbda0239f1952b3
d0519dd580b441f793fb1a82aab2c030
This tool allows for quick an easy to read reports on specific domains. By default, it outputs a HTML file with plain text information on the domain.
Gotanda OSINT
- URL: https://github.com/HASH1da1/Gotanda
d91e4db95fba491d954d7fa65ae4cbe2
ccaedf9241eb47cb87f70d7e42f77ce7
Gotanda is OSINT(Open Source Intelligence) Web Extension for Firefox/Chrome. This Web Extension could search OSINT information from some IOC in web page (IP, Domain, URL, SNS, etc.).
List of supported engines
Name | URL | Category |
Domain Tools | https://whois.domaintools.com/ | whois Lookup |
Security Trails | https://securitytrails.com/ | whois lookup |
whoisds | https://whoisds.com/ | whois lookup |
ThreatCrowd | https://www.threatcrowd.org/ | Domain, IPv4 |
AbuseIPDB | https://www.abuseipdb.com/ | IPv4 |
HackerTarget | https://hackertarget.com/ | IPv4 |
Censys | https://censys.io/ | IP, Domain |
Shodan | https://shodan.io/ | IP, Domain |
FOFA | https://fofa.so/ | IP, Domain |
VirusTotal | https://virustotal.com/ | IP, Domain, URL,Hash |
GreyNoise | https://viz.greynoise.io/ | IPv4 |
IPAlyzer | https://ipalyzer.com/ | IPv4 |
Tor Relay Search | https://metrics.torproject.org/ | IP,Domain |
Domain Watch | https://domainwat.ch/ | Domain, Email,whois lookup |
crt.sh | https://crt.sh/ | SSL-certificate |
SecurityHeaders | https://securityheaders.com/ | URL, Domain |
DNSlytics | https://dnslytics.com/ | IPv4,IPv6,ASN |
URLscan | https://urlscan.io/ | URL |
Ultratools | https://www.ultratools.com/ | IPv6 |
Wayback Machine | https://web.archive.org | URL |
aguse | https://www.aguse.jp/ | URL |
check-host | https://check-host.net/ | URL |
CIRCL | https://cve.circl.lu/ | CVE |
FortiGuard | https://fortiguard.com/ | CVE |
Sploitus | https://sploitus.com/ | CVE |
Vulmon | https://vulmon.com/ | CVE |
CXSecurity | https://cxsecurity.com/ | CVE |
Vulncode-DB | https://www.vulncode-db.com/ | CVE |
Malshare | https://malshare.com/ | MD5 Hash |
ThreatCrowd | https://www.threatcrowd.org/ | IP,Domain |
Hybrid Analysis | https://www.hybrid-analysis.com/ | hash |
Twitter | https://twitter.com/ | SNS, w/TimeLine |
Qiita | https://qiita.com | SNS |
GitHub | https://github.com | SNS |
Facebook | https://www.facebook.com/ | SNS, w/TimeLine |
Instagram | https://www.instagram.com/ | SNS |
LinkedIn | https://linkedin.com/ | SNS |
Pinterest | https://www.pinterest.jp | SNS |
reddit | https://www.reddit.com/ | SNS |
Hawk
- URL: https://github.com/T0pCyber/hawk
19c4579315a444008d3b9b3c18656587
4f000177045c4f49a4da92a1e4a78ff7
Powershell Based tool for gathering information related to O365 intrusions and potential Breaches.
The Hawk module has been designed to ease the burden on O365 administrators who are performing a forensic analysis in their organization.
It does NOT take the place of a human reviewing the data generated and is simply here to make data gathering easier.
OSINT Online Services
RiskIQ
Threat Intelligence Platform that allows you to connect multiple third party services and brings petabytes of internet intelligence directly to your fingertips. RiskIQ does offer a community edition which is free and allows you to gather information on different IOC either via the GUI or API. You can investigate threats by pivoting through attacker infrastructure data, understand your digital assets that are internet-exposed, and map and monitor your external attack surface.
- API Reference and Testing: https://api.riskiq.net.
Note: The API has two sections, the full RiskIQ platform section which uses an api_key and api_secret and the RiskIQ Community API section (aka PassiveTotal) where you can use your community account API base on user_name and api_key. The latter won’t work with the former.
