Awesome
Security lists for SOC/DFIR detections
Threat Hunting:
<details>- Windows Services Searches
- User-Agents Searches
- DNS Over HTTPS Searches
- Suspicious TLDs Searches
- HijackLibs Searches
- Phishing & DNSTWIST Searches
- Browsers extensions Searches
- C2 hiding in plain sigh
- HTML Smuggling artifacts
- PSEXEC & similar tools Searches
- Time Slipping detection
- Suspicious Named pipes
My Detection Lists
- ๐ Lists: https://github.com/mthcht/awesome-lists/tree/main/Lists
- ๐ต๏ธโโ๏ธ ThreatHunting Guides: https://mthcht.medium.com/list/threat-hunting-708624e9266f
- ๐ฐ Suspicious Named pipes: suspicious_named_pipe_list.csv
- ๐ Suspicious TLDs (updated automatically): [suspicious_TLDs]
- ๐ Suspicious ASNs (updated automatically): [suspicious ASNs]
- ๐ง Suspicious Windows Services: suspicious_windows_services_names_list.csv
- โฒ๏ธ Suspicious Windows Tasks: suspicious_windows_tasks_list.csv
- ๐ช Suspicious destination port: suspicious_ports_list.csv
- ๐ก๏ธ Suspicious Firewall rules: suspicious_windows_firewall_rules_list.csv
- ๐ Suspicious User-agent: suspicious_http_user_agents_list.csv
- ๐ Suspicious USB Ids: suspicious_usb_ids_list.csv
- ๐ข Suspicious MAC address: suspicious_mac_address_list.csv
- ๐ Suspicious Hostname: suspicious_hostnames_list.csv
- ๐ Suspicious Browser Extensions: Browser Extensions
- ๐ง Microsoft App IDs List - BEC Detection microsoft_apps_list.csv
- ๐งฎ Metadata Executables: executables_metadata_informations_list.csv
- ๐ธ๏ธ DNS over HTTPS server list: dns_over_https_servers_list.csv
- ๐ Hijacklibs (updated automatically): hijacklibs_list.csv
- ๐ TOR Nodes Lists (updated automatically): [TOR]
- ๐ ๏ธ LOLDriver List (updated automatically): loldrivers_only_hashes_list.csv
- ๐ ๏ธ Malicious Bootloader List (updated automatically): malicious_bootloaders_only_hashes_list.csv
- ๐ Malicious SSL Certificates List (updated automatically): ssl_certificates_malicious_list.csv
- ๐ฅ๏ธ RMM detection: [RMM]
- ๐ค๐ Important Roles and groups for AD/EntraID/AWS: [permissions]
- ๐ป๐ Ransomware known file extensions: ransomware_extensions_list.csv
- ๐ป๐ Ransomware known file name ransom notes: ransomware_notes_list.csv
- ๐ Windows ASR rules: windows_asr_rules.csv
- ๐ DNSTWIST Lists (updated automatically): DNSTWIST Default Domains + script
- ๐ VPN IP address Lists (updated automatically):
- ๐ก๏ธ NordVPN: nordvpn_ips_list.csv
- ๐ก๏ธ ProtonVPN: protonvpn_ip_list.csv
- ๐ข Companies IP Range Lists (updated automatically): Default Lists + script / Microsoft
- ๐ GeoIP services Lists: ip_location_sites_list.csv
- ๐งฌ Yara rules: Threat Hunting yara rules
- ๐งฌ Offensive Tools detection patterns: offensive_tool_keywords.csv
- ๐งฌ Greyware Tools detection patterns: greyware_tool_keyword.csv
- ๐งฌ AV signatures keywords: signature_keyword.csv
- ๐งฌ Microsoft Defender AV signatures lists: [Defender]
- ๐งฌ ClamAV signatures lists: [ClamAV]
- ๐ Others correlation Lists: [Others]
- ๐ Lists i need to finish: [todo]
I regularly update most of these lists after each tool i analyze in my detection keywords project
Other Lists
DFIR
- ๐ฅ EricZimmerman Tools ๐ฅ
- dfir-orc
- dfir-orc-config
- Splunk4DFIR
- dfiq
- Mind maps
- arfifacts List - DFIRArtifactMuseum
- arfifacts List - ForensicArtifacts
- Autopsy
- SleuthKit
- [OS] SIFT Workstation
- [OS] Remnux
- [OS] sof-elk
- [OS] tsurugi
- [OS] DEFT
- [OS] Flare VM
- PSBits
- Yara - Threat Hunting + TH
- Yara - Forge
- capa
- Malcontent
- [Event parser] evtx
- [Event Parser] procmon-parser
- [Event Parser] Linux - MasterParser
- [EVTX] Hayabusa
- [EVTX] WELA
- [EVTX] chainsaw
- [EVTX] APTHunter
- [EVTX / Auditd] Zircolite
- werejugo
- ADTimeline
- PersistenceSniper
- [O365] Logs - Microsoft-Analyzer-Suite
- Logon Tracer
- Timeline Plaso
- Timeline TimeSketch
- regripper
- hollows hunter
- PE sieve
- RdpCacheStitcher
- Searching strings - ripgrep
- Searching strings - Recoll
- Kape
- Kape Files
- More Kape ressources
- VolatileDataCollector
- Velociraptor
- TZ tools
- Nirsoft tools
- [memory] MemDump
- [memory] MemProcFS
- [memory] MemProcFS-Analyzer
- [memory] avml
- [memory] WinPmem
- [memory] Volatility
- [Image Mount] FTK Imager
- [Image Mount] OSFMount
- [Network] Network Miner
- [Network] Wireshark
- [Network] xplico
- [Carving] PhotoRec
- [Carving] Bulk Extractor
- Didier Stevens tools
- [memory] Lime
- Windows artifacts
- [Linux] UAC
- lists - aboutdfir.com
- Monitoring - Osquery
- [IR Guide] OpenProject
IOC Feeds/Blacklists:
<details>- ABUSE.CH BLACKLISTS
- Block Lists
- DNS Block List
- Phishing Block List
- Binary Defense IP Block List
- C2IntelFeeds
- Volexity TI
- Open Source TI
- C2 Tracker
- Unit42 IOC
- Sekoia IOC
- Unit42 Timely IOC
- Unit42 Articles IOC
- ThreatFOX IOC
- Zscaler ThreatLabz IOC
- Zscaler ThreatLabz Ransomware notes
- experiant.ca
- Sophos lab IOC
- ESET Research IOC
- ExecuteMalware IOC
- Cisco Talos IOC
- Elastic Lab IOC
- Blackorbid APT Report IOC
- AVAST IOC
- Zimperium IOC
- DoctorWeb IOC
- BlackLotusLab IOC
- prodaft IOC
- Pr0xylife DarkGate IOC
- Pr0xylife Latrodectus IOC
- Pr0xylife WikiLoader IOC
- Pr0xylife SSLoad IOC
- Pr0xylife Pikabot IOC
- Pr0xylife Matanbuchus IOC
- Pr0xylife QakBot IOC
- Pr0xylife IceID IOC
- Pr0xylife Emotet IOC
- Pr0xylife BumbleBee IOC
- Pr0xylife Gozi IOC
- Pr0xylife NanoCore IOC
- Pr0xylife NetWire IOC
- Pr0xylife AsyncRAT IOC
- Pr0xylife Lokibot IOC
- Pr0xylife RemcosRAT IOC
- Pr0xylife nworm IOC
- Pr0xylife AZORult IOC
- Pr0xylife NetSupportRAT IOC
- Pr0xylife BitRAT IOC
- Pr0xylife BazarLoader IOC
- Pr0xylife SnakeKeylogger IOC
- Pr0xylife njRat IOC
- Pr0xylife Vidar IOC
- Pr0xylife Warmcookie IOC
- Cloud Intel IOC
- SpamHaus drop.txt
- UrlHaus_misp
- UrlHaus
- vx-underground - Great Resource for Samples and Intelligence Reports
- Ransomware.live
Github
<details>More github lists: https://github.com/mthcht?tab=stars&user_lists_direction=asc&user_lists_sort=name
</details>SIEM/SOC related:
<details> </details>TI TTP/Framework/Model/Trackers
<details>- Tools used by ransomware groups - @BushidoToken
- Tools used by Russian APT
- Tools associated with groups (partial)
- Techniques - MITRE ATT&CK
- Tactics - MITRE ATT&CK
- Groups & Operations Naming conventions matrix
- Mitigation - MITRE ATT&CK
- ATT&CK matrix navigator
- All MITRE data in xlsx format
- Tools used by threat actor groups - MITRE ATT&CK
- atomic-red-team
- redcanary Threat Detection report
- The-Unified-Kill-Chain
- TTP pyramid
- Pyramid of pain
- Cyber Kill chain
- MITRE D3FEND
- MITRE CAPEC
- MITRE CAR
- MITRE PRE-ATT&CK Techniques
- APTMAP
- ๐ฅALL TI Reports๐ฅ
- ๐ฅALL TI Reports searches๐ฅ
Investigation
TI checks
<details>Sandbox
<details> </details>Data manipulation
<details>- jsoncrack
- Grok debugger
- JS deobfuscator
- cyberchef
- PCAP online analyzer
- Hash calculator
- regex101
- CyberChef
- Javascript Deobfuscator
- JSONViewer
- TextMechanic
- UrlEncode.org
- TextFixer
- RegExr
- TextUtils
- TextCompactor
- Pretty Diff
- XML Tree
- Online XML Formatter and Beautifier
- XML Escape Tool
- DiffChecker
- CSVJSON
- HTML Formatter
- Text Tool
- String Manipulation Tool
- unshorten it
- urlunscrambler
- longurl
- Message Header
- MXToolbox EmailHeaders
- Email Header Analyzer
- Email Header Analysis
- Gitlab dashboard from Excel
- OPENAI
- uncoder
- DeHashed
Detection Resources
<details>- Detection Lists
- MITRE techniques
- MITRE Updates
- MITRE D3fend
- MITRE Navigator
- MITRE Datasources
- GTFOBIN
- LOLBAS
- LOTS
- LOLRMM
- loldrivers
- LOLRMM
- LOLESXI
- WTFBIN
- Sigma
- Splunk Rules
- Elastic Rules
- DFIR-Report Sigma-Rules
- JoeSecurity Sigma-Rules
- mdecrevoisier Sigma-Rules
- P4T12ICK Sigma-Rules
- tsale Sigma-Rules
- list of detections resources
- detection engineering resources
- Defender Resource
- awesome-threat-detection
Security News
<details>- CERT-FR
- CERT FR Alerts
- CERT FR Avis
- NIST CVEs
- JPCERT
- CISA news
- thedfirreport Feed
- Splunk Research Blog
- Unit42 Feed
- DFIR weekly sumary - thisweekin4n6
- Google Threat Intelligence
- Sekoi Blog
- akamai Feed
- Elastic Blog
- Checkpoint research Feed
- Cisco Talos
- Crowdstrike
- Hexacorn Blog
- Infostealers Hub News Feed
- simone kraus Blog
- Michael Haag Blog
- EricaZelic Blog
- Adam Chester Blog Feed
- Mauricio Velazco Blog
- Clรฉment Notin Feed
- tenable Blog
- horizon3 Feed
- NCC Group Research
- SpecterOps Feed
- Redcanary Feed
- Sophos Research Feed
- virusbulletin
- Offensive Research - DSAS by INJECT
- HackerNews Feed
- Bleepingcomputer Feed
- detect.fyi
- DFIR Podcasts
- DFIR weekly news
- sans blog
- Detection engineering weekly
Youtube/Twitch channels
<details>- DFIR - 13cubed videos
- DFIR - SANS videos
- DFIR - MyDFIR
- DFIR - DFIRScience
- Malware Analysis - jstrosch
- Malware Analysis - cyberraiju
- Malware Analysis - Botconf
- DFIR - BlackPerl
- Malware Analysis - malwareanalysisforhedgehogs
- DFIR - BlueMonkey4n6
- DFIR - binaryzone
- Detection Engineering - Splunk - atomicsonafriday
- Exploitation - HackerSploit
- DFIR - TheTaggartInstitute
- Malware Analysis - JohnHammond
- [Malware Analysis - https://youtube.com/@invokereversing]
- Exploitation - Defcon Talks + https://media.defcon.org/
- Exploitation - Alh4zr3d - twitch
- Exploitation - Alh4zr3d - youtube
- Exploitation - incodenito
- Malware Analysis - MalwareTechBlog
- Exploitation - LiveOverflow
- Malware Analysis - neoeno
- Malware Analysis - AzakaSekai
- CTI - bushidotoken
- CTI - @TLP_R3D
- Windows Internal - @mrexodia
- !!! Exploitation - ippsec
Podcasts
<details>- darknetdiaries
- risky.biz
- cloud.withgoogle.com
- Internet Storm Center sans podcast
- 7 minutes security Podcast
- hacking-humans
- CISO series
- Splunk Atomic on Friday
- NolimitSecu (FR)
- HacknSpeak (FR)
- Radio CSIRT (FR)
Training
<details>DFIR
-
13cubed - Investigating Windows Endpoints 13cubed.com -windows endpoints
-
13cubed - Investigating Windows Memory 13cubed.com -windows memory
-
13cubed - Investigating Linux Devices 13cubed.com - linux
-
SANS: FOR500
-
SANS: FOR508
-
Defensive-security: Linux-live-forensics
-
@0gtweet - Forensic course: Mastering Windows Forensics
-
@DebugPrivilege : Forensic Debugging free course InsightEngineering
-
Challenges:
- @inversecos - APT Emulation Labs: xintra
- @TheDFIRReport : LABs with logs from the existing reports dfir-labs
- @ACEresponder: Courses with Detailed Explanations and Labs aceresponder.com
- @binaryz0ne: DFIR challenges with Datasets
SOC
-
tryhackme - SOC lvl 1
-
letsdefend.io @chrissanders88 - letsdefend.io
-
Constructing Defense constructingdefense.com
-
SANS: SANS555
-
Challenges:
- Splunk Boss Of The SOC - BOTS
- BOTS dataset v1
- BOTS dataset v2
- BOTS dataset v3
- Splunk Boss Of The SOC - BOTS
-
@TheDFIRReport : LABs with logs from the existing reports dfir-labs
-
@ACEresponder: Courses with Detailed Explanations and Labs aceresponder.com
-
@inversecos - APT Emulation Labs: xintra
Offensive
Challenges
RE / Malware Analysis / Deep Dive
</details>Books
<details>DFIR
- Practical Forensic Imaging
- Practical-Linux-Forensics-Digital-Investigators
- TheHitchhikersGuidetoDFIRExperiencesFromBeginnersandExperts - Free
- Forensic Artifacts - Microsoft GuideBook - free
- Eric Zimmerman Manual Tools - Free
- The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
- Applied Incident Response
- SANS FOR500 / FOR508 book
- Blue Team Handbook: Incident Response Edition
- Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
- Placing the Suspect Behind the Keyboard: DFIR Investigative Mindset
- Crafting the InfoSec Playbook: Security Monitoring and Incident
- Investigating Windows Systems
Malware Anaysis
- Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
- The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
- Evasive Malware: A Field Guide to Detecting, Analyzing, and Defeating Advanced Threats
SOC
- Blue Team Handbook: SOC, SIEM, and Threat Hunting
- BTFM: Blue Team Field Manual
- PTFM: Purple Team Field Manual + PTFM: Purple Team Field Manual v2
- EDR - Introduction to endpoint security
- MITRE - 11 Strategies of a World-Class Cybersecurity Operations Center
- Big picture on running a SOC - Modern SOC
- Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
- SANS 555 book
Deep Dive
- Windows Internals Books
- How Linux Works
- Linux Device Drivers
- Understanding The Linux Virtual Memory Manager
- Linux insides
- Linux Ebpf
- Windows Security Internals
Exploitation
- Hacking Art Exploitation
- Hacker Playbook Practical Penetration Testing
- RTFM: Red Team Field Manual
- Red Team Development and Operations: A practical guide
- RTRM: Red Team Reference Manual
- POC||GTFO
Knowledge sites
<details>- DFIR - NTFS deepdive - ntfs.com
- DFIR - aboutdfir
- DFIR - Forensic Artifacts - microsoft GuideBook
- Malware Analysis - unprotect.it - Evasion techniques
- Exploitation - hacktricks
- Exploitation - PayloadsAllTheThings
- Exploitation - Red Team Notes
- DFIR - JPCERT Tools Analysis
- Exploitation - Red Team TTP
- Linux - EBPF docs
LAB
<details>- ludus
- GOAD
- flare-fakenet-ng
- flare-vm
- StratosphereLinuxIPS
- maltrail
- openbas
- LLM honeypot galah
- honeypot canary
- Respoter
- HEDnsExtractor
- iris-web
- JonMon
- OpenCTI
- Splunk Attack range