Incident Response

DeTTecT – Detect Tactics, Techniques & Combat Threats

DeTT&CT aims to assist blue teams using ATT&CK to score and compare data log source quality, visibility coverage, detection coverage and threat actor behaviours. Each of these can help, in different ways, to make your organisation more resilient against attacks targeting it. The DeTT&CT framework consists of a Python tool, YAML administration files and scoring tables […]

DumpsterFire Toolset – Security Incidents In A Box!

The DumpsterFire Toolset is a modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events. Easily create custom event chains for Blue Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. Turn paper tabletop exercises into controlled “live fire” range events. […]

SysmonX – An Augmented Drop-In Replacement of Sysmon

SysmonX is an open-source, community-driven, drop-in replacement for Sysmon that provides a modularized architecture with the purpose of enabling the infosec community to: extend the Sysmon data collection sources and create new security events; and extend Sysmon's ability to correlate events, effectively enabling new logical operations between events and the creation of advanced […]

ADRecon – Active Directory Recon

ADRecon provides a holistic picture of the current state of an AD environment. This tool can be used by Blue Teams, Purple Teams, Red Teams, system administrators or any security professional to extract and combine various artifacts from an AD environment. The information can be presented in a specially formatted Microsoft Excel report that includes […]

nightHawkResponse – Incident Response Framework

nightHawkResponse is a custom-built application for asynchronous forensic data presentation on an Elasticsearch backend. This application is designed to ingest a Mandiant Redline “collections” file and give flexibility in search/stack and tagging. The application was born out of the inability to control multiple investigations (or hundreds of endpoints) in a single pane of glass. […]

Cyber Triage – Practical Endpoint Response

Cyber Triage is an incident response framework that investigates remote systems and endpoints by pushing a collection of tools over the network. This helps in collecting relevant data and analyzing it for malware and suspicious activity. Collection tool properties: runs on all Microsoft Windows versions from Windows XP onward; no installation requirement […]

MIG – Real-time Incident Response and Investigation Platform

Mozilla Investigator (MIG) is a platform to perform investigative surgery on remote endpoints. It enables investigators to obtain information from large numbers of systems in parallel, thus accelerating investigation of incidents and day-to-day operational security. What is this? MIG is composed of agents installed on all systems of an infrastructure that can be queried in […]

Cyberprobe – Capturing, Analysing and Responding to Cyber Attacks

The Cyberprobe project is an open-source distributed architecture for real-time monitoring of networks against attack. The software consists of two components: a probe, which collects data packets and forwards them over a network in standard streaming protocols; and a monitor, which receives the streamed packets, decodes the protocols, and interprets the information. These components can be […]

Cortex 2.1.0 released: Powerful Observable Analysis Engine

Cortex tries to solve a common problem frequently encountered by SOCs, CSIRTs and security researchers in the course of threat intelligence, digital forensics, and incident response: how to analyze the observables they have collected, at scale, by querying a single tool instead of several? Cortex, free and open-source software, has been created by TheHive Project for this very purpose. Observables, such as […]

LogonTracer: Investigate malicious Windows logon by visualizing & analyzing Windows event log

LogonTracer uses PageRank and ChangeFinder to detect malicious hosts and accounts from the event log. This tool can visualize the following event IDs related to Windows logon, based on this research:

- 4624: Successful logon
- 4625: Logon failure
- 4768: Kerberos Authentication (TGT Request)
- 4769: Kerberos Service Ticket (ST Request)
- 4776: NTLM Authentication
- 4672: Assign special privileges

Install Requirements: The following […]

SIEM – A Beginner’s Guide to Security Information and Event Management Tools

As its name suggests, the main function of a SIEM is event management. A SIEM solution, once implemented completely and effectively, will have complete visibility over an organization’s network. This helps administrators and SIEM operators to monitor network activity in their infrastructure. Interestingly, one can also categorize various assets (network devices and services) so that the monitoring […]

Archery – Open Source Vulnerability Assessment and Management

Archery is an open-source vulnerability assessment and management tool which helps developers and pentesters to perform scans and manage vulnerabilities. Archery uses popular open-source tools to perform comprehensive scanning of web applications and networks. It also performs dynamic authenticated scanning of web applications and covers whole applications by using Selenium. Developers can also utilize […]

Cyphon – Open Source Incident Management & Response Platform

Cyphon is a big data platform that aggregates, standardizes, and enhances data for easier analysis. Many businesses rely on emails to manage alert notifications, which leaves their networks susceptible to overlooked incidents, alert fatigue and knowledge drain. Cyphon closes gaps in data management by collecting detailed information from a variety of sources – including email, […]

SCOT – Sandia Cyber Omni Tracker

The Sandia Cyber Omni Tracker (SCOT) is a cyber security incident response management system and knowledge base. Designed by cyber security incident responders, SCOT provides a new approach to manage security alerts, analyze data for deeper patterns, coordinate team efforts, and capture team knowledge. SCOT integrates with existing security applications to provide a consistent, easy […]