Awesome Threat Detection and Hunting: Tools, Dataset and Framework

Tools

  • HASSH: HASSH is a network fingerprinting standard which can be used to identify specific Client and Server SSH implementations. The fingerprints can be easily stored, searched and shared in the form of a small MD5 fingerprint.
  • JA3: JA3 is a standard for creating SSL client fingerprints in an easy to produce and shareable way.
  • osquery: osquery is a SQL-powered operating system instrumentation, monitoring, and analytics framework. Available for Linux, macOS, Windows and FreeBSD.
  • Palantir osquery Configuration: A repository for using osquery for incident detection and response
  • Google's GRR: GRR Rapid Response: remote live forensics for incident response
  • MITRE ATT&CK Navigator: The ATT&CK Navigator is designed to provide basic navigation and annotation of ATT&CK matrices, something that people are already doing today in tools like Excel.
  • MITRE ATT&CK™: MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
  • MITRE Cyber Analytics Repository: The MITRE Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the MITRE ATT&CK adversary model.
  • HELK: A Hunting ELK (Elasticsearch, Logstash, Kibana) with advanced analytic capabilities.
  • Mordor Gates: The Mordor project provides pre-recorded security events generated by simulated adversarial techniques in the form of JavaScript Object Notation (JSON) files for easy consumption. The pre-recorded data is categorized by platforms, adversary groups, tactics and techniques defined by the Mitre ATT&CK Framework.
  • Sysmon - DFIR: A curated list of resources for learning about deploying, managing and hunting with Microsoft Sysmon. Contains presentations, deployment methods, configuration file examples, blogs and additional github repositories.
  • sysmon-config: Sysmon configuration file template with default high-quality event tracing
  • sysmon-modular: A repository of sysmon configuration modules
  • Sysmon Threat Intelligence Configuration: Advanced Sysmon configuration, Installer & Auto Updater with high-quality event tracing
  • ThreatHunting App For Splunk: A Splunk app mapped to MITRE ATT&CK to guide your threat hunts
  • Flare: Flare is a network analytic framework designed for data scientists, security researchers, and network professionals.
  • RedHunt: Virtual Machine for Adversary Emulation and Threat Hunting by RedHunt Labs
  • Oriana: Oriana is a threat hunting tool that leverages a subset of Windows events to build relationships, calculate totals and run analytics. The results are presented in a Web layer to help defenders identify outliers and suspicious behavior on corporate environments.
  • Detection Lab: Vagrant & Packer scripts to build a lab environment complete with security tooling and logging best practices
  • DeepBlueCLI: DeepBlueCLI - a PowerShell Module for Threat Hunting via Windows Event Logs
  • Bro-Osquery: This extension adds a Bro interface to the host monitor osquery, enabling the network monitor Bro to subscribe to changes from hosts as a continuous stream of events.
  • Zeek: Zeek is a powerful network analysis framework that is much different from the typical IDS you may know
  • suricata: Suricata is a free and open source, mature, fast and robust network threat detection engine.
  • Sigma: Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner.
  • Splunk Boss of the SOC version 2 dataset: A sample security dataset and CTF platform for information security professionals, researchers, students, and enthusiasts.
  • Samples of Security Related Data
  • EKTotal: EKTotal is an integrated analysis tool that can automatically analyze the traffic of Drive-by Download attacks.
  • E-Mail Header Analyzer: E-Mail header analyzer is a tool written in flask for parsing email headers and converting them to a human readable format.
  • Dradis: Dradis CE is an extensible, cross-platform, open-source reporting framework for generating one-click reports that'll save you hours on every project
  • Memhunter: Automated hunting of memory-resident malware at scale
  • BLUESPAWN: BLUESPAWN helps blue teams monitor Windows systems in real-time against active attackers by detecting anomalous activity
  • PcapXray: A Network Forensics Tool - To visualize a Packet Capture offline as a Network Diagram including device identification, highlight important communication and file extraction
  • LOLBAS: The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques.
  • AIL framework: AIL is a modular framework to analyze potential information leaks from unstructured data sources like pastes from Pastebin or similar services or unstructured data streams.
  • EKFiddle: A framework based on the Fiddler web debugger to analyze malicious web traffic.
  • RITA: RITA is an open-source framework for network traffic analysis.
  • Atomic Red Team: Small and highly portable detection tests based on MITRE's ATT&CK.
  • OwlH: an Open Source project to Visualize and Manage Suricata, Zeek & Moloch life cycles
  • TRAM: Threat Report ATT&CK™ Mapping (TRAM) is a tool to aid analysts in mapping finished reports to ATT&CK.
  • IntelMQ: IntelMQ is a solution for IT security teams (CERTs & CSIRTs, SOCs, abuse departments, etc.) for collecting and processing security feeds (such as log files) using a message queuing protocol.
  • Redline: Redline, FireEye's premier free endpoint security tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile.
  • ATT&CK™-Tools: ATT&CK™ View is a planning tool that helps defenders design adversary emulation plans based on the MITRE™ ATT&CK™ framework in a structured approach

Other

  • The Empire (3.0): Empire 3.0 is a PowerShell and Python 3.x post-exploitation framework.
