Trending repositories for topic dfir

UAC is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, O...

Documentation and scripts to properly enable Windows event logs.

MasterParser is a powerful DFIR tool designed for analyzing and parsing Linux logs

A repository of sysmon configuration modules

IntelOwl: manage your Threat Intelligence at scale

KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules.

Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.

A curated list of tools for incident response

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.

Windows Events Attack Samples

TheHive: a Scalable, Open Source and Free Security Incident Response Platform

Loki - Simple IOC and YARA Scanner

Automate the creation of a lab environment complete with security tooling and logging best practices

Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)

Extract and aggregate threat intelligence.

Digital Forensics Guide. Learn all about Digital Forensics, Computer Forensics, Mobile device Forensics, Network Forensics, and Database Forensics.

You didn't think I'd go and leave the blue team out, right?

Educational, CTF-styled labs for individuals interested in Memory Forensics

Your Everyday Threat Intelligence

Rapidly Search and Hunt through Windows Forensic Artefacts

Harness the power of Splunk for your investigations

UAC is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, O...

Documentation and scripts to properly enable Windows event logs.

Convert a variety of log formats to CSV while enriching detected IPs with Geolocation, Domain, ASN, DNS and Threat Indicator matches.

MasterParser is a powerful DFIR tool designed for analyzing and parsing Linux logs

Extracted Yara rules from Windows Defender mpavbase and mpasbase

Handbook of windows forensic artifacts across multiple Windows version with interpretation tips and some examples. Work in progress!

PowerShell module for Office 365 and Azure log collection

KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules.

Catalyst is an open source SOAR and ticket system that helps to automate alert handling and incident response processes

Extract and aggregate threat intelligence.

Collection of forensic tools

A repository of sysmon configuration modules

Timeline of Active Directory changes with replication metadata

Warning lists to inform users of MISP about potential false-positives or other information in indicators

Defanged Indicator of Compromise (IOC) Extractor.

DetectionLabELK is a fork from DetectionLab with ELK stack instead of Splunk.

IntelOwl: manage your Threat Intelligence at scale

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.

WELA (Windows Event Log Analyzer): The Swiss Army knife for Windows Event Logs! ゑ羅（ウェラ）

Digital Forensics Guide. Learn all about Digital Forensics, Computer Forensics, Mobile device Forensics, Network Forensics, and Database Forensics.

Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.

UAC is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, O...

KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules.

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.

A curated list of tools for incident response

Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)

List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc.

A repository of sysmon configuration modules

IntelOwl: manage your Threat Intelligence at scale

MasterParser is a powerful DFIR tool designed for analyzing and parsing Linux logs

Rapidly Search and Hunt through Windows Forensic Artefacts

Loki - Simple IOC and YARA Scanner

A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient.

Documentation and scripts to properly enable Windows event logs.

TheHive: a Scalable, Open Source and Free Security Incident Response Platform

A curated list of tools for incident response. With repository stars⭐ and forks🍴

You didn't think I'd go and leave the blue team out, right?

Your Everyday Threat Intelligence

Windows Events Attack Samples

Harness the power of Splunk for your investigations

A curated list of tools for incident response. With repository stars⭐ and forks🍴

UAC is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, O...

MasterParser is a powerful DFIR tool designed for analyzing and parsing Linux logs

KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules.

Digital Forensics Guide. Learn all about Digital Forensics, Computer Forensics, Mobile device Forensics, Network Forensics, and Database Forensics.

Documentation and scripts to properly enable Windows event logs.

Convert a variety of log formats to CSV while enriching detected IPs with Geolocation, Domain, ASN, DNS and Threat Indicator matches.

Docker configurations for TheHive, Cortex and 3rd party tools

Extracted Yara rules from Windows Defender mpavbase and mpasbase

Curated Windows event log Sigma rules used in Hayabusa and Velociraptor.

(Sometimes partial) Python re-implementations of the technologies involved in reading various data sources in Chrome-esque applications.

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.

Catalyst is an open source SOAR and ticket system that helps to automate alert handling and incident response processes

Timeline of Active Directory changes with replication metadata

Warning lists to inform users of MISP about potential false-positives or other information in indicators

Python 3 Script to parse out iTunes backups

A modern Python-3-based alternative to RegRipper

Handbook of windows forensic artifacts across multiple Windows version with interpretation tips and some examples. Work in progress!

Dissect is a digital forensics & incident response framework and toolset that allows you to quickly access and analyse forensic artefacts from various disk and file formats, developed by Fox-IT (part ...

MasterParser is a powerful DFIR tool designed for analyzing and parsing Linux logs

Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.

Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)

A curated list of tools for incident response

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.

A curated list of awesome forensic analysis tools and resources

List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc.

IntelOwl: manage your Threat Intelligence at scale

Digital Forensics Guide. Learn all about Digital Forensics, Computer Forensics, Mobile device Forensics, Network Forensics, and Database Forensics.

Harness the power of Splunk for your investigations

A curated list of resources for DFIR through Microsoft Defender for Endpoint leveraging kusto queries, powershell scripts, tools such as KAPE and THOR Cloud and more.

Documentation and scripts to properly enable Windows event logs.

UAC is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, O...

KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules.

You didn't think I'd go and leave the blue team out, right?

Rapidly Search and Hunt through Windows Forensic Artefacts

YARA signature and IOC database for my scanners and tools

Automate the creation of a lab environment complete with security tooling and logging best practices

A repository of sysmon configuration modules

VirusTotal Wanna Be - Now with 100% more Hipster

Harness the power of Splunk for your investigations

MasterParser is a powerful DFIR tool designed for analyzing and parsing Linux logs

A curated list of resources for DFIR through Microsoft Defender for Endpoint leveraging kusto queries, powershell scripts, tools such as KAPE and THOR Cloud and more.

Extracted Yara rules from Windows Defender mpavbase and mpasbase

yara detection rules for hunting with the threathunting-keywords project

A curated list of tools for incident response. With repository stars⭐ and forks🍴

Handbook of windows forensic artifacts across multiple Windows version with interpretation tips and some examples. Work in progress!

Documentation and scripts to properly enable Windows event logs.

A tool collection for filtering and visualizing logon events. Designed to help answering the "Cotton Eye Joe" question (Where did you come from where did you go) in Security Incidents and Threat Hunts

A cross platform forensic parser written in Rust!

UAC is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, O...

(Sometimes partial) Python re-implementations of the technologies involved in reading various data sources in Chrome-esque applications.

Convert a variety of log formats to CSV while enriching detected IPs with Geolocation, Domain, ASN, DNS and Threat Indicator matches.

Curated Windows event log Sigma rules used in Hayabusa and Velociraptor.

LOKI2 - Simple IOC and YARA Scanner

Helm charts for running open source digital forensic tools in Kubernetes

A repo that contains recursive directory listings (using PowerShell) of a vanilla (clean) install of every Windows OS version to compare and see what's been added with each update. Use these CSVs to ...

A really good DFIR automation for collecting and analyzing evidence designed for cybersecurity professionals.

Awesome list of keywords and artifacts for Threat Hunting sessions

KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules.

MasterParser is a powerful DFIR tool designed for analyzing and parsing Linux logs

Collection of forensic tools

A curated list of resources for DFIR through Microsoft Defender for Endpoint leveraging kusto queries, powershell scripts, tools such as KAPE and THOR Cloud and more.

CLI tools for forensic investigation of Windows artifacts

A tool collection for filtering and visualizing logon events. Designed to help answering the "Cotton Eye Joe" question (Where did you come from where did you go) in Security Incidents and Threat Hunts

A really good DFIR automation for collecting and analyzing evidence designed for cybersecurity professionals.

Extracted Yara rules from Windows Defender mpavbase and mpasbase

Convert a variety of log formats to CSV while enriching detected IPs with Geolocation, Domain, ASN, DNS and Threat Indicator matches.

Digital Forensics Incident Response and Detection engineering: Análisis forense de artefactos comunes y no tan comunes. Técnicas anti-forense y detección de técnicas utilizadas por actores maliciosos ...

yara detection rules for hunting with the threathunting-keywords project

Harness the power of Splunk for your investigations

Sigma detection rules for hunting with the threathunting-keywords project

Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)

A curated list of tools for incident response

Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.

A curated list of awesome forensic analysis tools and resources

List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc.

MasterParser is a powerful DFIR tool designed for analyzing and parsing Linux logs

KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules.

Rapidly Search and Hunt through Windows Forensic Artefacts

Digital Forensics Guide. Learn all about Digital Forensics, Computer Forensics, Mobile device Forensics, Network Forensics, and Database Forensics.

IntelOwl: manage your Threat Intelligence at scale

A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient.

Loki - Simple IOC and YARA Scanner

YARA signature and IOC database for my scanners and tools

Collection of forensic tools

Open source security data lake for threat hunting, detection & response, and cybersecurity analytics at petabyte scale on AWS

A list of cyber-chef recipes and curated links

Automate the creation of a lab environment complete with security tooling and logging best practices

A repository of sysmon configuration modules

TheHive: a Scalable, Open Source and Free Security Incident Response Platform

Extracted Yara rules from Windows Defender mpavbase and mpasbase

KQL Queries. Microsoft 365 Defender, Microsoft Sentinel

Handbook of windows forensic artifacts across multiple Windows version with interpretation tips and some examples. Work in progress!

A curated list of resources for DFIR through Microsoft Defender for Endpoint leveraging kusto queries, powershell scripts, tools such as KAPE and THOR Cloud and more.

Digital Forensics Incident Response and Detection engineering: Análisis forense de artefactos comunes y no tan comunes. Técnicas anti-forense y detección de técnicas utilizadas por actores maliciosos ...

Awesome list of keywords and artifacts for Threat Hunting sessions

Collection of forensic tools

Sigma detection rules for hunting with the threathunting-keywords project

Memory Scaner

Helm charts for running open source digital forensic tools in Kubernetes

A cross platform forensic parser written in Rust!

Search Index Database Reporter

Python based tool to extract forensic info from EventTranscript.db (Windows Diagnostic Data)

A curated list of tools for incident response. With repository stars⭐ and forks🍴

KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules.

Lua plugin to extract data from Wireshark and convert it into MISP format

Documentation and scripts to properly enable Windows event logs.

This page is a result of the ongoing hands-on research around advanced Linux attacks, detection and forensics techniques and tools.

PowerShell script to help Incident Responders discover potential adversary persistence mechanisms.

A script to convert a Cellebrite UFDR to the original file structure.