| Name/Link | Description/Purpose | Tags |
|---|---|---|
| Uber's SSH CA | A pam module that will authenticate a user based on them having an ssh certificate in their ssh-agent signed by a specified ssh CA. | Linux |
| Netflix's BLESS | An SSH Certificate Authority that runs as an AWS Lambda function and is used to sign SSH public keys. | AWS,Linux |
| SSH Cert Authority | An implementation of an SSH certificate authority/ | |
| Square's Sharkey | Sharkey is a service for managing certificates for use by OpenSSH | Linux |
| Google's IAP | Cloud Identity-Aware Proxy (Cloud IAP) controls access to your cloud applications running on Google Cloud Platform. Cloud IAP works by verifying a user’s identity and determining if that user should be allowed to access the application. | Google Cloud Platform |
| Google's Security Key | Enforce the use of security keys to help deter phishing | Various Sites |
| Microsoft LAPS | Win | |
| Yubico | ||
| DUO | DUO | |
| Google Authenticator | ||
| Google Push | ||
| Slack's securitybot | Slack | |
| Dropbox's securitybot | An open-source implementation of a distributed alerting chat bot | Slack, DUO |
| Powershell 5.0 | Contains enhanced logging capabilities, Default in Windows 10 | Win |
| Name/Link | Description/Purpose | Tags |
|---|---|---|
| AirBnB's StreamAlert | A serverless, realtime data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using datasources and alerting logic you define. | AWS |
| Yelp's Elastalert | A simple framework for alerting on anomalies, spikes, or other patterns of interest from data in Elasticsearch. | |
| Windows Event Forwarding | A repository for using windows event forwarding for incident detection and response ref1 ref2 | Win |
| Example Sysmon config | Sysmon configuration file template with default high-quality event tracing | Win |
| Palantir's Windows Event Forwarding Guidance | Building blocks for organizations to rapidly evaluate and deploy WEF to a production environment, and centralize public efforts to improve WEF subscriptions and encourage adoption. | Win |
| clara | Serverless, real-time, ClamAV+Yara scanning for your S3 Buckets | AWS |
| bucket-antivirus-function | Serverless antivirus for cloud storage | AWS |
| Endgame's Varna | An AWS serverless cloud security tool that parses and alerts on CloudTrail logs using Event Query Language (EQL). | AWS |
| Name/Link | Description/Purpose | Tags |
|---|---|---|
| DropBox's Securitybot | An open-source implementation of a distributed alerting chat bot for Slack | |
| Slack | Write-up/tutorial | |
| Errbot | Cylance's Cybot |
| Name/Link | Description/Purpose | Tags |
|---|---|---|
| PagerDuty | PagerDuty is an agile incident management solution that integrates with ITOps and DevOps monitoring stacks to improve operational reliability and agility. | |
| The Hive | A Scalable, Open Source and Free Security Incident Response Platform | |
| ThreatResponse | A Free Open Source Security Suite for Hardening and Responding in AWS | AWS |
| Timesketch | An open source tool for collaborative forensic timeline analysis. | |
| MISP | Malware Information Sharing Platform (MISP) and Threat Sharing, is an open source software solution for collecting, storing, distributing and sharing cyber security indicators and threat about cyber security incidents analysis and malware analysis. | |
| FIR | FIR (Fast Incident Response) is an cybersecurity incident management platform designed with agility and speed in mind. It allows for easy creation, tracking, and reporting of cybersecurity incidents. | |
| Threat Note | Lightweight Investigation Notebook | usage examples |
| Netflix's Dispatch | Dispatch helps us effectively manage security incidents by deeply integrating with existing tools used throughout an organization (Slack, GSuite, Jira, etc.) |
| Name/Link | Description/Purpose | Tags |
|---|---|---|
| go-flashpaper | A simple go-based service for creating one time use links to text data or individual files. | |
| ownCloud | A self-hosted file sync and share server. | |
| GitLab | Git repository management, issue tracking, code review, an IDE, activity streams, wikis, and more. |
| Name/Link | Description/Purpose | Tags |
|---|---|---|
| Slack's go-audit | An alternative to the auditd daemon written in go | |
| DevAudit | Open-source, cross-platform, multi-purpose security auditing tool | Linux/Mac/Win |
| HardenTools | A collection of simple utilities designed to disable a number of "features" exposed by operating systems, and primary consumer applications. | Win |
| Process Tracking | Win | |
| PowerShell Enhanced Logging | Win | |
| Sysmon Config | Sysmon configuration file template with default high-quality event tracing | Win |
| Sysmon Queries | Write-up/turotial | Win |
| sysmon-modular | A repository of sysmon configuration modules | Win |
| WMI Monitor | Ceates a new Event Subscriber to monitor for newly created WMI Event Consumers and processes. | Win |
| WMIMon | A tool to monitor WMI activity on Windows | Win |
| Uproot | A Host Based Intrusion Detection System (HIDS) that leverages Permanent Windows Management Instrumentation (WMI) Event Susbcriptions to detect malicious activity on a network. | Win |
| Mozilla's SSH Scan | A SSH configuration and policy scanner | Linux/Mac |
| MacOS Security & Privacy Guide | Write-up/turorial | Mac |
| KnockKnock | A command line python script that displays persistent OS X binaries that are set to execute automatically at each boot. | Mac |
| Security Monkey | Monitors policy changes and alerts on insecure configurations in an AWS account | AWS |
| dockerscan | Docker security analysis & hacking tools | |
| DUO's Phinn | A toolkit to generate an offline Chrome extension to detect phishing attacks using a bespoke convolutional neural network. | Chrome |
| Windows Defender Exploit Guard | Windows Defender Exploit Guard is a new set of intrusion prevention capabilities that ships with the Windows 10 Fall Creators Update. The four components of Windows Defender Exploit Guard are designed to lock down the device against a wide variety of attack vectors and block behaviors commonly used in malware attacks, while enabling enterprises to balance their security risk and productivity requirements | Win |
| Unfetter | A Suite of open source tools leveraging the MITRE ATT&CK framework to help measure your security posture. | |
| Caldera | An automated adversary emulation system that performs post-compromise adversarial behavior within Windows Enterprise networks & maps to MIRE ATT&CK framework. , DetectionLab | |
| Uber's metta | A tool for basic adversarial simulation via MIRE ATT&CK framework. | |
| Endpoint isolation | Instructions for hardening via Windows firewall | Win |
| Dow Jones' Hammer | An AWS tool that identifies misconfigurations and insecure data exposures within most popular AWS resources, across all regions and accounts. | AWS |
| T-Mobile's PacBot | ||
| Policy as Code Bot (PacBot) is a platform for continuous compliance monitoring, compliance reporting and security automation for the cloud. | AWS | |
| DUO's CloudMapper | Helps you analyze your Amazon Web Services (AWS) environments. | AWS |
| DUO's CloudTracker | Helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies. | AWS |
| Scout2 | Security auditing tool for AWS environments. | AWS |
| ScoutSuite | Multi-Cloud Security Auditing Tool | AWS/Azure/GCP |
| DUO's Parliment | AWS IAM linting library | AWS |
| auth0's Repo Supervisor | Serverless tool that scans your code for security misconfiguration, search for passwords and secrets | SecretsDetection |
| DUO's Secret Bridge | Monitors Github for leaked secrets | SecretsDetection |
| AWS Lab's git-secrets | Prevents you from committing secrets and credentials into git repositories | SecretsDetection |
| Yelp's detect-secrets | An enterprise friendly way of detecting and preventing secrets in code. | SecretsDetection |
| Lyft's Cartography | A Python/Neo4j tool that exposes otherwise hidden dependency relationships between your service's assets so that you may validate assumptions about security risks. | AWS/GCP/GSuite |
| Salesforce's Cloudsplaining | An AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report with a triage worksheet. | AWS |
| LambdaGuard | LambdaGuard is an AWS Lambda auditing tool designed to create asset visibility and provide actionable results. It provides a meaningful overview in terms of statistical analysis, AWS service dependencies and configuration checks from the security perspective. | AWS |
| Name/Link | Description/Purpose | Tags |
|---|---|---|
| DUO's IsThisLegit | A dashboard and Chrome extension that makes it easy to receive, analyze, and respond to phishing reports. | G-Suite |
| G-Suite tips | Various pointers, settings and addons related to G-Suite | G-Suite |
| Name/Link | Description/Purpose | Tags |
|---|---|---|
| UtilityBelt | A Python library for being a CND Batman. | |
| Malice | A free open source version of VirusTotal that anyone can use at any scale | |
| Threatstream's Bulk DNS Resolver | Lightning-fast high-performance bulk DNS resolution tool | |
| Threatstream's Symhash | A tool to create symbol table hashes for Mach-O executables (i.e. imphash for MacOS binaries). | Mac |
| Google's Santa | A binary whitelisting/blacklisting system for macOS. | |
| MITRE's Multiscanner | A modular file scanning/analysis framework | |
| Cortex | Analysis engine allowing querying of IP and email addresses, URLs, domain names, files or hashes, can be analyzed one by one or in bulk mode using a Web interface. | |
| Threat Intelligence | Curated list of Threat-Intelligence Feeds & Tools & Frameworks | |
| ActorTrackr | An open source web application for storing/searching/linking Actor related data. | Linux |
| APTnotes | A repository of publicly-available papers and blogs (sorted by year) related to malicious campaigns/activity/software that have been associated with vendor-defined APT (Advanced Persistent Threat) groups and/or tool-sets. | |
| awesome-iocs | A curated list of indicators of compromise (and a few IOC related tools) | |
| spiderfoot | AN open source intelligence automation tool. Its goal is to automate the process of gathering intelligence about a given target, which may be an IP address, domain name, hostname or network subnet. | |
| yeti | A platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository | |
| GOSINT | a project used for collecting, processing, and exporting high quality indicators of compromise (IOCs). | |
| Intel 471 [PDF] | Threat Intelligence Program Checklist | |
| PasteHunter | Scans PasteBin with YARA rules and puts results into ElasticSearch | |
| pastemon | pastebin.com Content Monitoring Tool |
| Name/Link | Description/Purpose | Tags |
|---|---|---|
| Threat Hunting Project | Write-up/tutorial | |
| ThreatHunter-Playbook | Write-up/tutorial | |
| Scumblr | A web application that allows performing periodic syncs of data sources which helps you streamline proactive security through an intelligent automation framework to help you identify, track, and resolve security issues faster. | |
| Palantir's Alerting and Detection Strategies Framework | Building blocks for development of alerting strategies | |
| MITRE ATT&CK Matrix | Invoke-ATTACKAPI, Red Canary's Atomic Red Team, Cobalt Strick mapping | |
| HELK | Hunting ELK VM | |
| JP CERT's Hunting Lateral Movement |
| Name/Link | Description/Purpose | Tags |
|---|---|---|
| BRO | A powerful network analysis framework | |
| MITRE's ChopShop | Protocol Analysis/Decoder Framework |
| Name/Link | Description/Purpose | Tags |
|---|---|---|
| mac_apt | A framework for parsing Mac OSX artifacts from a dead disk | mac |
| ACE | Part of Invoke-IR | |
| PowerForensics | Part of Invoke-IR | |
| Plaso/Log2timeline | ||
| Velociraptor | A tool for collecting host based state information using Velocidex Query Language (VQL) queries | |
| forseti security | Terraform deployment scripts for open source incident response and digital forensics tools (Timesketch, Turbinia, GRR) | GCP |
| Google's GiftStick | Software to make a 1-Click bootable drive to push evidence to the cloud (incl. system firmware) | |
| Google's libcloudforensics | Python library to carry out DFIR analysis on the Cloud | GCP / AWS |
| Name/Link | Description/Purpose | Tags |
|---|---|---|
| FireEye's FLARE VM | A fully customizable, Windows-based security distribution for malware analysis, incident response, penetration testing, etc. | |
| AirBnB's BinaryAlert | Serverless, Real-time & Retroactive Malware Detection leveragingg YARA in AWS | |
| Malboxes | Builds malware analysis Windows virtual machines so that you don’t have to. | |
| Yelp's AMIRA | A service for automatically running the analysis on the OSXCollector output files. | |
| Cuckoo | An automated dynamic malware analysis system | |
| Cuckoo-modified | Aheavily modified version of Cuckoo Sandbox provided under the GPL by Optiv, Inc. | |
| Viper | Binary analysis and management framework | Malware Repo |
| Netflix's Fido | Fully Integrated Defense Operation (FIDO) is an orchestration layer used to automate the incident response process by evaluating, assessing and responding to malware. | |
| awesome-malware-analysis | A curated list of awesome malware analysis tools and resources | |
| FAME | Framework meant to facilitate analysis of malicious files, leveraging as much knowledge as possible in order to speed up and automate end-to-end analysis. (not a sandbox replacement) |
| Name/Link | Description/Purpose | Tags |
|---|---|---|
| GRR | ||
| OSQuery | extensions, kolide, osquery-python | Linux/Mac/Win |
| Heroku's Windmill | A TLS server that delivers configuration to osquery and also allows you to roll out new configs to small samples of servers to make sure that the new config does not cause problem before deploying to all machines. | |
| Endpoint Detection and Response (XLSX) | Spreadsheet comparing various endpoint solutions | |
| SysMon | A curated list of resources for learning about deploying, managing and hunting with Microsoft Sysmon. | |
| Carbon Black | Red Canary's CB utils | |
| Netflix's Stethoscope | A web application that collects information from existing device data sources (e.g., JAMF or LANDESK) on a given user’s devices and gives them clear and specific recommendations for securing their systems |
| Name/Link | Description/Purpose | Tags |
|---|---|---|
| doorman | An osquery fleet manager that allows administrators to remotely manage the osquery configurations retrieved by nodes. | Mac |
| Google's MacOps | Utilities, tools, and scripts for managing and tracking a fleet of Macintoshes in a corporate environment | Mac |
| munki | A set of tools that, used together with a webserver-based repository of packages and package metadata, can be used by OS X administrators to manage software installs (and in many cases removals) on OS X client machines. | Mac |
| fleet | A fleet manager for osquery | Linux/Mac/Win |
| Name/Link | Description/Purpose | Tags |
|---|---|---|
| Chocolatey | A Windows-based package management system with thousands of packages | Win |
| Terraform | ||
| Puppet | ||
| Chef |
| Name/Link | Description/Purpose | Tags |
|---|---|---|
| FireEye's Commando VM | A fully customized, Windows-based security distribution for penetration testing and red teaming. |
| Name/Link | Description/Purpose | Tags |
|---|---|---|
| CyberChef | A web app for encryption, encoding, compression and data analysis | |
| stoQ | A super-simple framework that allows cyber analysts to organize and automate repetitive, data-driven tasks | |
| YaraGuardian | Web UI for managing, editing etc. YARA rules | |
| awesome-security | A curated list of awesome software, libraries, documents, books, resources and cools stuffs about security. | |
| awesome-forensics | A curated list of awesome free forensic analysis tools and resources. | |
| Slack's Nebula | A scalable overlay networking tool with a focus on performance, simplicity and security |