Awesome

Security lists for SOC/DFIR detections

Threat Hunting:

• ThreatHunting keywords Site
• ThreatHunting keywords Lists
• ThreatHunting Yara rules

ThreatHunting searches

• Windows Services Searches
• User-Agents Searches
• DNS Over HTTPS Searches
• Suspicious TLDs Searches
• HijackLibs Searches
• Phishing & DNSTWIST Searches
• Browsers extensions Searches
• C2 hiding in plain sigh
• HTML Smuggling artifacts
• PSEXEC & similar tools Searches
• Time Slipping detection
• Suspicious Named pipes

My Detection Lists

• 📋 Lists: https://github.com/mthcht/awesome-lists/tree/main/Lists
• 🕵️‍♂️ ThreatHunting Guides: https://mthcht.medium.com/list/threat-hunting-708624e9266f
• 🚰 Suspicious Named pipes: suspicious_named_pipe_list.csv
• 🌐 Suspicious TLDs (updated automatically): [suspicious_TLDs]
• 🌐 Suspicious ASNs (updated automatically): [suspicious ASNs]
• 🔧 Suspicious Windows Services: suspicious_windows_services_names_list.csv
• ⏲️ Suspicious Windows Tasks: suspicious_windows_tasks_list.csv
• 🚪 Suspicious destination port: suspicious_ports_list.csv
• 🛡️ Suspicious Firewall rules: suspicious_windows_firewall_rules_list.csv
• 🆔 Suspicious User-agent: suspicious_http_user_agents_list.csv
• 📇 Suspicious USB Ids: suspicious_usb_ids_list.csv
• 🔢 Suspicious MAC address: suspicious_mac_address_list.csv
• 📛 Suspicious Hostname: suspicious_hostnames_list.csv
• 🌐 Suspicious Browser Extensions: Browser Extensions
• 📧 Microsoft App IDs List - BEC Detection microsoft_apps_list.csv
• 🧮 Metadata Executables: executables_metadata_informations_list.csv
• 🕸️ DNS over HTTPS server list: dns_over_https_servers_list.csv
• 📚 Hijacklibs (updated automatically): hijacklibs_list.csv
• 🌐 TOR Nodes Lists (updated automatically): [TOR]
• 🛠️ LOLDriver List (updated automatically): loldrivers_only_hashes_list.csv
• 🛠️ Malicious Bootloader List (updated automatically): malicious_bootloaders_only_hashes_list.csv
• 📜 Malicious SSL Certificates List (updated automatically): ssl_certificates_malicious_list.csv
• 🖥️ RMM detection: [RMM]
• 👤🔑 Important Roles and groups for AD/EntraID/AWS: [permissions]
• 💻🔒 Ransomware known file extensions: ransomware_extensions_list.csv
• 💻🔒 Ransomware known file name ransom notes: ransomware_notes_list.csv
• 📝 Windows ASR rules: windows_asr_rules.csv
• 🌐 DNSTWIST Lists (updated automatically): DNSTWIST Default Domains + script
• 🌍 VPN IP address Lists (updated automatically):
  • 🛡️ NordVPN: nordvpn_ips_list.csv
  • 🛡️ ProtonVPN: protonvpn_ip_list.csv
• 🏢 Companies IP Range Lists (updated automatically): Default Lists + script / Microsoft
• 📍 GeoIP services Lists: ip_location_sites_list.csv
• 🧬 Yara rules: Threat Hunting yara rules
• 🧬 Offensive Tools detection patterns: offensive_tool_keywords.csv
• 🧬 Greyware Tools detection patterns: greyware_tool_keyword.csv
• 🧬 AV signatures keywords: signature_keyword.csv
• 🧬 Microsoft Defender AV signatures lists: [Defender]
• 🧬 ClamAV signatures lists: [ClamAV]
• 🔗 Others correlation Lists: [Others]
• 📋 Lists i need to finish: [todo]

I regularly update most of these lists after each tool i analyze in my detection keywords project

Other Lists

DFIR

• 🔥 EricZimmerman Tools 🔥
• dfir-orc
• dfir-orc-config
• Splunk4DFIR
• dfiq
• Mind maps
• arfifacts List - DFIRArtifactMuseum
• arfifacts List - ForensicArtifacts
• Autopsy
• SleuthKit
• [OS] SIFT Workstation
• [OS] Remnux
• [OS] sof-elk
• [OS] tsurugi
• [OS] DEFT
• [OS] Flare VM
• PSBits
• Yara - Threat Hunting + TH
• Yara - Forge
• capa
• Malcontent
• [Event parser] evtx
• [Event Parser] procmon-parser
• [Event Parser] Linux - MasterParser
• [EVTX] Hayabusa
• [EVTX] WELA
• [EVTX] chainsaw
• [EVTX] APTHunter
• [EVTX / Auditd] Zircolite
• werejugo
• ADTimeline
• PersistenceSniper
• [O365] Logs - Microsoft-Analyzer-Suite
• Logon Tracer
• Timeline Plaso
• Timeline TimeSketch
• regripper
• hollows hunter
• PE sieve
• RdpCacheStitcher
• Searching strings - ripgrep
• Searching strings - Recoll
• Kape
• Kape Files
• More Kape ressources
• VolatileDataCollector
• Velociraptor
• TZ tools
• Nirsoft tools
• [memory] MemDump
• [memory] MemProcFS
• [memory] MemProcFS-Analyzer
• [memory] avml
• [memory] WinPmem
• [memory] Volatility
• [Image Mount] FTK Imager
• [Image Mount] OSFMount
• [Network] Network Miner
• [Network] Wireshark
• [Network] xplico
• [Carving] PhotoRec
• [Carving] Bulk Extractor
• Didier Stevens tools
• [memory] Lime
• Windows artifacts
• [Linux] UAC
• lists - aboutdfir.com
• Monitoring - Osquery
• [IR Guide] OpenProject

IOC Feeds/Blacklists:

• ABUSE.CH BLACKLISTS
• Block Lists
• DNS Block List
• Phishing Block List
• Binary Defense IP Block List
• C2IntelFeeds
• Volexity TI
• Open Source TI
• C2 Tracker
• Unit42 IOC
• Sekoia IOC
• Unit42 Timely IOC
• Unit42 Articles IOC
• ThreatFOX IOC
• Zscaler ThreatLabz IOC
• Zscaler ThreatLabz Ransomware notes
• experiant.ca
• Sophos lab IOC
• ESET Research IOC
• ExecuteMalware IOC
• Cisco Talos IOC
• Elastic Lab IOC
• Blackorbid APT Report IOC
• AVAST IOC
• Zimperium IOC
• DoctorWeb IOC
• BlackLotusLab IOC
• prodaft IOC
• Pr0xylife DarkGate IOC
• Pr0xylife Latrodectus IOC
• Pr0xylife WikiLoader IOC
• Pr0xylife SSLoad IOC
• Pr0xylife Pikabot IOC
• Pr0xylife Matanbuchus IOC
• Pr0xylife QakBot IOC
• Pr0xylife IceID IOC
• Pr0xylife Emotet IOC
• Pr0xylife BumbleBee IOC
• Pr0xylife Gozi IOC
• Pr0xylife NanoCore IOC
• Pr0xylife NetWire IOC
• Pr0xylife AsyncRAT IOC
• Pr0xylife Lokibot IOC
• Pr0xylife RemcosRAT IOC
• Pr0xylife nworm IOC
• Pr0xylife AZORult IOC
• Pr0xylife NetSupportRAT IOC
• Pr0xylife BitRAT IOC
• Pr0xylife BazarLoader IOC
• Pr0xylife SnakeKeylogger IOC
• Pr0xylife njRat IOC
• Pr0xylife Vidar IOC
• Pr0xylife Warmcookie IOC
• Cloud Intel IOC
• SpamHaus drop.txt
• UrlHaus_misp
• UrlHaus
• vx-underground - Great Resource for Samples and Intelligence Reports
• Ransomware.live

Github

More github lists: https://github.com/mthcht?tab=stars&user_lists_direction=asc&user_lists_sort=name

SIEM/SOC related:

• EDR Telemetry
• PurpleTeam Scripts
• Awesome-SOC
• Threat-Hunting with Splunk
• Detection Lists

TI TTP/Framework/Model/Trackers

• Tools used by ransomware groups - @BushidoToken
• Tools used by Russian APT
• Tools associated with groups (partial)
• Techniques - MITRE ATT&CK
• Tactics - MITRE ATT&CK
• Groups & Operations Naming conventions matrix
• Mitigation - MITRE ATT&CK
• ATT&CK matrix navigator
• All MITRE data in xlsx format
• Tools used by threat actor groups - MITRE ATT&CK
• atomic-red-team
• redcanary Threat Detection report
• The-Unified-Kill-Chain
• TTP pyramid
• Pyramid of pain
• Cyber Kill chain
• MITRE D3FEND
• MITRE CAPEC
• MITRE CAR
• MITRE PRE-ATT&CK Techniques
• APTMAP
• 🔥ALL TI Reports🔥
• 🔥ALL TI Reports searches🔥

Investigation

TI checks

• Virustotal

• SpamHaus

• AbuseIPDB

• Malwarebazaar

• emailrep

• cloudfare scan

• shodan

• Onyphe

• Censys

• cybergordon (reputation check)

• threatminer

• urlscan

• Apptotal (apps and extensions analysis)

• urlquery

• cloudfare scanner

• urlvoid

• urldna.io

• checkphish

• ipvoid

• mxtoolbox

• mxtoolbox mail header

• Microsoft TI

• pulsedive

• threatbook

• McAfee Threat Intelligence Exchange

• Kaspersky Security Network

• Microsoft Security Intelligence Report

• IBM X-Force Exchange

• AlienVault OTX

• greynoise

• whoxy

• url tiny-scan

• echotrail

• Malware-Traffic-Analysis (PCAP files)

• redhuntlabs

• whois domaintools

• ASN check bgp.he

• viewdns

• OUI mac address lookup

• xcyclopedia

• abuse.ch

• malware-traffic-analysis

• waybackmachine

• dnshistory

• asnlookup

• fofa.info

• SecurityTrail

• ZommEye

Sandbox

• Sandbox Anyrun
• triage
• capesandbox
• joesandbox
• filescan.io
• Sandbox HA
• virustotal
• threat zone
• vmray

Data manipulation

• jsoncrack
• Grok debugger
• JS deobfuscator
• cyberchef
• PCAP online analyzer
• Hash calculator
• regex101
• CyberChef
• Javascript Deobfuscator
• JSONViewer
• TextMechanic
• UrlEncode.org
• TextFixer
• RegExr
• TextUtils
• TextCompactor
• Pretty Diff
• XML Tree
• Online XML Formatter and Beautifier
• XML Escape Tool
• DiffChecker
• CSVJSON
• HTML Formatter
• Text Tool
• String Manipulation Tool
• unshorten it
• urlunscrambler
• longurl
• Message Header
• MXToolbox EmailHeaders
• Email Header Analyzer
• Email Header Analysis
• Gitlab dashboard from Excel
• OPENAI
• uncoder
• DeHashed

Detection Resources

• Detection Lists
• MITRE techniques
• MITRE Updates
• MITRE D3fend
• MITRE Navigator
• MITRE Datasources
• GTFOBIN
• LOLBAS
• LOTS
• LOLRMM
• loldrivers
• LOLRMM
• LOLESXI
• WTFBIN
• Sigma
• Splunk Rules
• Elastic Rules
• DFIR-Report Sigma-Rules
• JoeSecurity Sigma-Rules
• mdecrevoisier Sigma-Rules
• P4T12ICK Sigma-Rules
• tsale Sigma-Rules
• list of detections resources
• detection engineering resources
• Defender Resource
• awesome-threat-detection

Security News

• Twitter
• CERT-FR
• CERT FR Alerts
• CERT FR Avis
• NIST CVEs
• JPCERT
• CISA news
• thedfirreport Feed
• Splunk Research Blog
• Unit42 Feed
• DFIR weekly sumary - thisweekin4n6
• Google Threat Intelligence
• Sekoi Blog
• akamai Feed
• Elastic Blog
• Checkpoint research Feed
• Cisco Talos
• Crowdstrike
• Hexacorn Blog
• Infostealers Hub News Feed
• simone kraus Blog
• Michael Haag Blog
• EricaZelic Blog
• Adam Chester Blog Feed
• Mauricio Velazco Blog
• Clément Notin Feed
• tenable Blog
• horizon3 Feed
• NCC Group Research
• SpecterOps Feed
• Redcanary Feed
• Sophos Research Feed
• virusbulletin
• Offensive Research - DSAS by INJECT
• HackerNews Feed
• Bleepingcomputer Feed
• detect.fyi
• DFIR Podcasts
• DFIR weekly news
• sans blog
• Detection engineering weekly

Youtube/Twitch channels

• DFIR - 13cubed videos
• DFIR - SANS videos
• DFIR - MyDFIR
• DFIR - DFIRScience
• Malware Analysis - jstrosch
• Malware Analysis - cyberraiju
• Malware Analysis - Botconf
• DFIR - BlackPerl
• Malware Analysis - malwareanalysisforhedgehogs
• DFIR - BlueMonkey4n6
• DFIR - binaryzone
• Detection Engineering - Splunk - atomicsonafriday
• Exploitation - HackerSploit
• DFIR - TheTaggartInstitute
• Malware Analysis - JohnHammond
• [Malware Analysis - https://youtube.com/@invokereversing]
• Exploitation - Defcon Talks + https://media.defcon.org/
• Exploitation - Alh4zr3d - twitch
• Exploitation - Alh4zr3d - youtube
• Exploitation - incodenito
• Malware Analysis - MalwareTechBlog
• Exploitation - LiveOverflow
• Malware Analysis - neoeno
• Malware Analysis - AzakaSekai
• CTI - bushidotoken
• CTI - @TLP_R3D
• Windows Internal - @mrexodia
• !!! Exploitation - ippsec

Podcasts

• darknetdiaries
• risky.biz
• cloud.withgoogle.com
• Internet Storm Center sans podcast
• 7 minutes security Podcast
• hacking-humans
• CISO series
• Splunk Atomic on Friday
• NolimitSecu (FR)
• HacknSpeak (FR)
• Radio CSIRT (FR)

Training

DFIR

• 13cubed - Investigating Windows Endpoints 13cubed.com -windows endpoints

• 13cubed - Investigating Windows Memory 13cubed.com -windows memory

• 13cubed - Investigating Linux Devices 13cubed.com - linux

• SANS: FOR500

• SANS: FOR508

• Defensive-security: Linux-live-forensics

• @0gtweet - Forensic course: Mastering Windows Forensics

• @DebugPrivilege : Forensic Debugging free course InsightEngineering

• Challenges:

  • @inversecos - APT Emulation Labs: xintra
  • @TheDFIRReport : LABs with logs from the existing reports dfir-labs
  • @ACEresponder: Courses with Detailed Explanations and Labs aceresponder.com
  • @binaryz0ne: DFIR challenges with Datasets

SOC

• tryhackme - SOC lvl 1

• letsdefend.io @chrissanders88 - letsdefend.io

• Constructing Defense constructingdefense.com

• SANS: SANS555

• Xintra: Attacking and Defending Azure M365

• Challenges:

  • Splunk Boss Of The SOC - BOTS
    • BOTS dataset v1
    • BOTS dataset v2
    • BOTS dataset v3

• @TheDFIRReport : LABs with logs from the existing reports dfir-labs

• @ACEresponder: Courses with Detailed Explanations and Labs aceresponder.com

• @inversecos - APT Emulation Labs: xintra

Offensive

• OSCP - HTB
• OSCP - Course PEN200
• OSEP - Course PEN300

Challenges

• HackTheBox
• Pentestlab
• Root-Me
• TryHackMe
• Zenk-Security

RE / Malware Analysis / Deep Dive

• OpenSecurityTraining2

Books

DFIR

• Practical Forensic Imaging
• Practical-Linux-Forensics-Digital-Investigators
• TheHitchhikersGuidetoDFIRExperiencesFromBeginnersandExperts - Free
• Forensic Artifacts - Microsoft GuideBook - free
• Eric Zimmerman Manual Tools - Free
• The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
• Applied Incident Response
• SANS FOR500 / FOR508 book
• Blue Team Handbook: Incident Response Edition
• Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
• Placing the Suspect Behind the Keyboard: DFIR Investigative Mindset
• Crafting the InfoSec Playbook: Security Monitoring and Incident
• Investigating Windows Systems

Malware Anaysis

• Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
• The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
• Evasive Malware: A Field Guide to Detecting, Analyzing, and Defeating Advanced Threats

SOC

• Blue Team Handbook: SOC, SIEM, and Threat Hunting
• BTFM: Blue Team Field Manual
• PTFM: Purple Team Field Manual + PTFM: Purple Team Field Manual v2
• EDR - Introduction to endpoint security
• MITRE - 11 Strategies of a World-Class Cybersecurity Operations Center
• Big picture on running a SOC - Modern SOC
• Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
• SANS 555 book

Deep Dive

• Windows Internals Books
• How Linux Works
• Linux Device Drivers
• Understanding The Linux Virtual Memory Manager
• Linux insides
• Linux Ebpf
• Windows Security Internals

Exploitation

• Hacking Art Exploitation
• Hacker Playbook Practical Penetration Testing
• RTFM: Red Team Field Manual
• Red Team Development and Operations: A practical guide
• RTRM: Red Team Reference Manual
• POC||GTFO

Knowledge sites

• DFIR - NTFS deepdive - ntfs.com
• DFIR - aboutdfir
• DFIR - Forensic Artifacts - microsoft GuideBook
• Malware Analysis - unprotect.it - Evasion techniques
• Exploitation - hacktricks
• Exploitation - PayloadsAllTheThings
• Exploitation - Red Team Notes
• DFIR - JPCERT Tools Analysis
• Exploitation - Red Team TTP
• Linux - EBPF docs

LAB

• ludus
• GOAD
• flare-fakenet-ng
• flare-vm
• StratosphereLinuxIPS
• maltrail
• openbas
• LLM honeypot galah
• honeypot canary
• Respoter
• HEDnsExtractor
• iris-web
• JonMon
• OpenCTI
• Splunk Attack range

Others

• Crontab check
• Subnet Calculator
• chmod calculator
• Epoch time converter
• cyberchef
• Chrome Addon for TI checks