mirror of
https://github.com/meirwah/awesome-incident-response.git
synced 2024-12-23 22:29:23 -05:00
Merge https://github.com/meirwah/awesome-incident-response into original_master
This commit is contained in:
commit
9bb926c970
42
README.md
42
README.md
@ -7,7 +7,7 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an
|
||||
## Contents
|
||||
|
||||
- [Adversary Emulation](#adversary-emulation)
|
||||
- [All in one tools](#all-in-one-tools)
|
||||
- [All-In-One Tools](#all-in-one-tools)
|
||||
- [Books](#books)
|
||||
- [Communities](#communities)
|
||||
- [Disk Image Creation Tools](#disk-image-creation-tools)
|
||||
@ -24,18 +24,18 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an
|
||||
- [Other Tools](#other-tools)
|
||||
- [Playbooks](#playbooks)
|
||||
- [Process Dump Tools](#process-dump-tools)
|
||||
- [Sandboxing/reversing tools](#sandboxingreversing-tools)
|
||||
- [Sandboxing/Reversing Tools](#sandboxingreversing-tools)
|
||||
- [Scanner Tools](#scanner-tools)
|
||||
- [Timeline Tools](#timeline-tools)
|
||||
- [Videos](#videos)
|
||||
- [Windows Evidence Collection](#windows-evidence-collection)
|
||||
|
||||
## IR tools Collection
|
||||
## IR Tools Collection
|
||||
|
||||
### Adversary Emulation
|
||||
|
||||
* [APTSimulator](https://github.com/NextronSystems/APTSimulator) - Windows Batch script that uses a set of tools and output files to make a system look as if it was compromised.
|
||||
* [Atomic Red Team (ART)](https://github.com/redcanaryco/atomic-red-team) - Small and highly portable detection tests mapped to the Mitre ATT&CK Framework.
|
||||
* [Atomic Red Team (ART)](https://github.com/redcanaryco/atomic-red-team) - Small and highly portable detection tests mapped to the MITRE ATT&CK Framework.
|
||||
* [AutoTTP](https://github.com/jymcheong/AutoTTP) - Automated Tactics Techniques & Procedures. Re-running complex sequences manually for regression tests, product evaluations, generate data for researchers.
|
||||
* [Blue Team Training Toolkit (BT3)](https://www.bt3.no/) - Software for defensive security training, which will bring your network analysis training sessions, incident response drills and red team engagements to a new level.
|
||||
* [Caldera](https://github.com/mitre/caldera) - Automated adversary emulation system that performs post-compromise adversarial behavior within Windows Enterprise networks. It generates plans during operation using a planning system and a pre-configured adversary model based on the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK™) project.
|
||||
@ -45,7 +45,7 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an
|
||||
* [Red Team Automation (RTA)](https://github.com/endgameinc/RTA) - RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK.
|
||||
* [RedHunt-OS](https://github.com/redhuntlabs/RedHunt-OS) - Virtual machine for adversary emulation and threat hunting.
|
||||
|
||||
### All in one Tools
|
||||
### All-In-One Tools
|
||||
|
||||
* [Belkasoft Evidence Center](https://belkasoft.com/ec) - The toolkit will quickly extract digital evidence from multiple sources by analyzing hard drives, drive images, memory dumps, iOS, Blackberry and Android backups, UFED, JTAG and chip-off dumps.
|
||||
* [CimSweep](https://github.com/PowerShellMafia/CimSweep) - Suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows.
|
||||
@ -72,7 +72,7 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an
|
||||
### Books
|
||||
|
||||
* [Applied Incident Response](https://www.amazon.com/Applied-Incident-Response-Steve-Anson/dp/1119560268/) - Steve Anson's book on Incident Response.
|
||||
* [DFIR intro](https://medium.com/@sroberts/introduction-to-dfir-d35d5de4c180/) - By Scott J. Roberts.
|
||||
* [Introduction to DFIR](https://medium.com/@sroberts/introduction-to-dfir-d35d5de4c180/) - By Scott J. Roberts.
|
||||
* [Incident Response & Computer Forensics, Third Edition](https://www.amazon.com/Incident-Response-Computer-Forensics-Third/dp/0071798684/) - The definitive guide to incident response.
|
||||
* [Intelligence-Driven Incident Response](https://www.amazon.com/Intelligence-Driven-Incident-Response-Outwitting-Adversary-ebook-dp-B074ZRN5T7/dp/B074ZRN5T7) - By Scott J. Roberts, Rebekah Brown.
|
||||
* [Operator Handbook: Red Team + OSINT + Blue Team Reference](https://www.amazon.com/Operator-Handbook-Team-OSINT-Reference/dp/B085RR67H5/) - Great reference for incident responders.
|
||||
@ -81,7 +81,8 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an
|
||||
### Communities
|
||||
|
||||
* [augmentd](http://augmentd.co/) - Community driven site providing a list of searches that can be implemented in and executed with a variety of common security tools.
|
||||
* [Sans DFIR mailing list](https://lists.sans.org/mailman/listinfo/dfir) - Mailing list by SANS for DFIR.
|
||||
* [Digital Forensics Discord Server](https://discordapp.com/invite/JUqe9Ek) - Community of 8,000+ working professionals from Law Enforcement, Private Sector, and Forensic Vendors. Additionally, plenty of students and hobbyists! Guide [here](https://aboutdfir.com/a-beginners-guide-to-the-digital-forensics-discord-server/).
|
||||
* [SANS DFIR mailing list](https://lists.sans.org/mailman/listinfo/dfir) - Mailing list by SANS for DFIR.
|
||||
* [Slack DFIR channel](https://dfircommunity.slack.com) - Slack DFIR Communitiy channel - [Signup here](https://start.paloaltonetworks.com/join-our-slack-community).
|
||||
|
||||
### Disk Image Creation Tools
|
||||
@ -112,7 +113,6 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an
|
||||
* [DFTimewolf](https://github.com/log2timeline/dftimewolf) - A framework for orchestrating forensic collection, processing and data export.
|
||||
* [DFIRTrack](https://github.com/dfirtrack/dfirtrack) - Incident Response tracking application handling one or more incidents via cases and tasks with a lot of affected systems and artifacts.
|
||||
* [Fast Incident Response (FIR)](https://github.com/certsocietegenerale/FIR/) - Cybersecurity incident management platform designed with agility and speed in mind. It allows for easy creation, tracking, and reporting of cybersecurity incidents and is useful for CSIRTs, CERTs and SOCs alike.
|
||||
* [KAPE](https://www.kroll.com/en/services/cyber-risk/investigate-and-respond/kroll-artifact-parser-extractor-kape) - A triage tool that finds the most prevalent digital artifacts and then parses them quickly. Great and thorough when time is of the essence.
|
||||
* [RTIR](https://www.bestpractical.com/rtir/) - Request Tracker for Incident Response (RTIR) is the premier open source incident handling system targeted for computer security teams. We worked with over a dozen CERT and CSIRT teams around the world to help you handle the ever-increasing volume of incident reports. RTIR builds on all the features of Request Tracker.
|
||||
* [Sandia Cyber Omni Tracker (SCOT)](https://github.com/sandialabs/scot) - Incident Response collaboration and knowledge capture tool focused on flexibility and ease of use. Our goal is to add value to the incident response process without burdening the user.
|
||||
* [Shuffle](https://github.com/frikky/Shuffle) - A general purpose security automation platform focused on accessibility.
|
||||
@ -131,13 +131,13 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an
|
||||
* [CCF-VM](https://github.com/rough007/CCF-VM) - CyLR CDQR Forensics Virtual Machine (CCF-VM): An all-in-one solution to parsing collected data, making it easily searchable with built-in common searches, enable searching of single and multiple hosts simultaneously.
|
||||
* [Digital Evidence & Forensics Toolkit (DEFT)](http://www.deftlinux.net/) - Linux distribution made for computer forensic evidence collection. It comes bundled with the Digital Advanced Response Toolkit (DART) for Windows. A light version of DEFT, called DEFT Zero, is also available, which is focused primarily on forensically sound evidence collection.
|
||||
* [NST - Network Security Toolkit](https://sourceforge.net/projects/nst/files/latest/download?source=files) - Linux distribution that includes a vast collection of best-of-breed open source network security applications useful to the network security professional.
|
||||
* [PALADIN](https://sumuri.com/software/paladin/) - Modified Linux distribution to perform various forenics task in a forensically sound manner. It comes with many open source forensics tools included.
|
||||
* [PALADIN](https://sumuri.com/software/paladin/) - Modified Linux distribution to perform various forensics task in a forensically sound manner. It comes with many open source forensics tools included.
|
||||
* [Security Onion](https://github.com/Security-Onion-Solutions/security-onion) - Special Linux distro aimed at network security monitoring featuring advanced analysis tools.
|
||||
* [SANS Investigative Forensic Toolkit (SIFT) Workstation](http://digital-forensics.sans.org/community/downloads) - Demonstrates that advanced incident response capabilities and deep dive digital forensic techniques to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.
|
||||
|
||||
### Linux Evidence Collection
|
||||
|
||||
* [FastIR Collector Linux](https://github.com/SekoiaLab/Fastir_Collector_Linux) - FastIR for Linux collects different artefacts on live Linux and records the results in csv files.
|
||||
* [FastIR Collector Linux](https://github.com/SekoiaLab/Fastir_Collector_Linux) - FastIR for Linux collects different artifacts on live Linux and records the results in CSV files.
|
||||
|
||||
### Log Analysis Tools
|
||||
|
||||
@ -145,7 +145,9 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an
|
||||
* [APT Hunter](https://github.com/ahmedkhlief/APT-Hunter) - APT-Hunter is Threat Hunting tool for windows event logs.
|
||||
* [Beagle](https://github.com/yampelo/beagle) - Incident response and digital forensics tool which transforms security logs and data into graphs.
|
||||
* [Event Log Explorer](https://eventlogxp.com/) - Tool developed to quickly analyze log files and other data.
|
||||
* [Event Log Observer](https://lizard-labs.com/event_log_observer.aspx) - View, analyze and monitor events recorded in Microsoft Windows event logs with this GUI tool.
|
||||
* [Kaspersky CyberTrace](https://support.kaspersky.com/13850) - Threat intelligence fusion and analysis tool that integrates threat data feeds with SIEM solutions. Users can immediately leverage threat intelligence for security monitoring and incident report (IR) activities in the workflow of their existing security operations.
|
||||
* [Log Parser Lizard](https://lizard-labs.com/log_parser_lizard.aspx) - Execute SQL queries against structured log data: server logs, Windows Events, file system, Active Directory, log4net logs, comma/tab separated text, XML or JSON files. Also provides a GUI to Microsoft LogParser 2.2 with powerful UI elements: syntax editor, data grid, chart, pivot table, dashboard, query manager and more.
|
||||
* [Lorg](https://github.com/jensvoid/lorg) - Tool for advanced HTTPD logfile security analysis and forensics.
|
||||
* [Logdissect](https://github.com/dogoncouch/logdissect) - CLI utility and Python API for analyzing log files and other data.
|
||||
* [LogonTracer](https://github.com/JPCERTCC/LogonTracer) - Tool to investigate malicious Windows logon by visualizing and analyzing Windows event log.
|
||||
@ -176,7 +178,7 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an
|
||||
* [Belkasoft Live RAM Capturer](http://belkasoft.com/ram-capturer) - Tiny free forensic tool to reliably extract the entire content of the computer’s volatile memory – even if protected by an active anti-debugging or anti-dumping system.
|
||||
* [Linux Memory Grabber](https://github.com/halpomeranz/lmg/) - Script for dumping Linux memory and creating Volatility profiles.
|
||||
* [Magnet RAM Capture](https://www.magnetforensics.com/free-tool-magnet-ram-capture/) - Free imaging tool designed to capture the physical memory of a suspect’s computer. Supports recent versions of Windows.
|
||||
* [OSForensics](http://www.osforensics.com/) - Tool to acquire live memory on 32bit and 64bit systems. A dump of an individual process’s memory space or physical memory dump can be done.
|
||||
* [OSForensics](http://www.osforensics.com/) - Tool to acquire live memory on 32-bit and 64-bit systems. A dump of an individual process’s memory space or physical memory dump can be done.
|
||||
|
||||
### OSX Evidence Collection
|
||||
|
||||
@ -203,10 +205,10 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an
|
||||
* [Hindsight](https://github.com/obsidianforensics/hindsight) - Internet history forensics for Google Chrome/Chromium.
|
||||
* [Hostintel](https://github.com/keithjjones/hostintel) - Pull intelligence per host.
|
||||
* [imagemounter](https://github.com/ralphje/imagemounter) - Command line utility and Python package to ease the (un)mounting of forensic disk images.
|
||||
* [Kansa](https://github.com/davehull/Kansa/) - Modular incident response framework in Powershell.
|
||||
* [Munin](https://github.com/Neo23x0/munin) - Online hash checker for Virustotal and other services.
|
||||
* [Kansa](https://github.com/davehull/Kansa/) - Modular incident response framework in PowerShell.
|
||||
* [Munin](https://github.com/Neo23x0/munin) - Online hash checker for VirusTotal and other services.
|
||||
* [PowerSponse](https://github.com/swisscom/PowerSponse) - PowerSponse is a PowerShell module focused on targeted containment and remediation during security incident response.
|
||||
* [PyaraScanner](https://github.com/nogoodconfig/pyarascanner) - Very simple multithreaded many-rules to many-files YARA scanning Python script for malware zoos and IR.
|
||||
* [PyaraScanner](https://github.com/nogoodconfig/pyarascanner) - Very simple multi-threaded many-rules to many-files YARA scanning Python script for malware zoos and IR.
|
||||
* [rastrea2r](https://github.com/rastrea2r/rastrea2r) - Allows one to scan disks and memory for IOCs using YARA on Windows, Linux and OS X.
|
||||
* [RaQet](https://raqet.github.io/) - Unconventional remote acquisition and triaging tool that allows triage a disk of a remote computer (client) that is restarted with a purposely built forensic operating system.
|
||||
* [Raccine](https://github.com/Neo23x0/Raccine) - A Simple Ransomware Protection
|
||||
@ -235,7 +237,7 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an
|
||||
* [Microsoft ProcDump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump) - Dumps any running Win32 processes memory image on the fly.
|
||||
* [PMDump](http://www.ntsecurity.nu/toolbox/pmdump/) - Tool that lets you dump the memory contents of a process to a file without stopping the process.
|
||||
|
||||
### Sandboxing / Reversing Tools
|
||||
### Sandboxing/Reversing Tools
|
||||
|
||||
* [AMAaaS](https://amaaas.com/index.php/AMAaaS/dashboard) - Android Malware Analysis as a Service, executed in a native Android environment.
|
||||
* [Any Run](https://app.any.run/) - Interactive online malware analysis service for dynamic and static research of most types of threats using any environment.
|
||||
@ -249,7 +251,7 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an
|
||||
* [Intezer](https://analyze.intezer.com/#/) - Intezer Analyze dives into Windows binaries to detect micro-code similarities to known threats, in order to provide accurate yet easy-to-understand results.
|
||||
* [Joe Sandbox (Community)](https://www.joesandbox.com/) - Joe Sandbox detects and analyzes potential malicious files and URLs on Windows, Android, Mac OS, Linux, and iOS for suspicious activities; providing comprehensive and detailed analysis reports.
|
||||
* [Mastiff](https://github.com/KoreLogicSecurity/mastiff) - Static analysis framework that automates the process of extracting key characteristics from a number of different file formats.
|
||||
* [Metadefender Cloud](https://www.metadefender.com) - Free threat intelligence platform providing multiscanning, data sanitization and vulnerability assesment of files.
|
||||
* [Metadefender Cloud](https://www.metadefender.com) - Free threat intelligence platform providing multiscanning, data sanitization and vulnerability assessment of files.
|
||||
* [Radare2](https://github.com/radareorg/radare2) - Reverse engineering framework and command-line toolset.
|
||||
* [Reverse.IT](https://www.reverse.it/) - Alternative domain for the Hybrid-Analysis tool provided by CrowdStrike.
|
||||
* [Rizin](https://github.com/rizinorg/rizin) - UNIX-like reverse engineering framework and command-line toolset
|
||||
@ -282,15 +284,17 @@ Digital Forensics and Incident Response (DFIR) teams are groups of people in an
|
||||
|
||||
* [AChoir](https://github.com/OMENScan/AChoir) - Framework/scripting tool to standardize and simplify the process of scripting live acquisition utilities for Windows.
|
||||
* [Crowd Response](http://www.crowdstrike.com/community-tools/) - Lightweight Windows console application designed to aid in the gathering of system information for incident response and security engagements. It features numerous modules and output formats.
|
||||
* [DFIR ORC](https://dfir-orc.github.io/) - DFIR ORC is a collection of specialized tools dedicated to reliably parse and collect critical artefacts such as the MFT, registry hives or event logs. DFIR ORC collects data, but does not analyze it: it is not meant to triage machines. It provides a forensically relevant snapshot of machines running Microsoft Windows. The code can be found on [GitHub](https://github.com/DFIR-ORC/dfir-orc).
|
||||
* [FastIR Collector](https://github.com/SekoiaLab/Fastir_Collector) - Tool that collects different artefacts on live Windows systems and records the results in csv files. With the analyses of these artefacts, an early compromise can be detected.
|
||||
* [DFIR ORC](https://dfir-orc.github.io/) - DFIR ORC is a collection of specialized tools dedicated to reliably parse and collect critical artifacts such as the MFT, registry hives or event logs. DFIR ORC collects data, but does not analyze it: it is not meant to triage machines. It provides a forensically relevant snapshot of machines running Microsoft Windows. The code can be found on [GitHub](https://github.com/DFIR-ORC/dfir-orc).
|
||||
* [FastIR Collector](https://github.com/SekoiaLab/Fastir_Collector) - Tool that collects different artifacts on live Windows systems and records the results in csv files. With the analyses of these artifacts, an early compromise can be detected.
|
||||
* [Fibratus](https://github.com/rabbitstack/fibratus) - Tool for exploration and tracing of the Windows kernel.
|
||||
* [Hoarder](https://github.com/muteb/Hoarder) - Collecting the most valuable artifacts for forensics or incident response investigations.
|
||||
* [IREC](https://binalyze.com/products/irec-free/) - All-in-one IR Evidence Collector which captures RAM Image, $MFT, EventLogs, WMI Scripts, Registry Hives, System Restore Points and much more. It is FREE, lightning fast and easy to use.
|
||||
* [Invoke-LiveResponse](https://github.com/mgreen27/Invoke-LiveResponse) - Invoke-LiveResponse is a live response tool for targeted collection.
|
||||
* [IOC Finder](https://www.fireeye.com/services/freeware/ioc-finder.html) - Free tool from Mandiant for collecting host system data and reporting the presence of Indicators of Compromise (IOCs). Support for Windows only. No longer maintained. Only fully supported up to Windows 7 / Windows Server 2008 R2.
|
||||
* [IRTriage](https://github.com/AJMartel/IRTriage) - Incident Response Triage - Windows Evidence Collection for Forensic Analysis.
|
||||
* [MEERKAT](https://github.com/TonyPhipps/Meerkat) - PowerShell-based triage and threathunting for Windows.
|
||||
* [KAPE](https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape) - Kroll Artifact Parser and Extractor (KAPE) by Eric Zimmerman. A triage tool that finds the most prevalent digital artifacts and then parses them quickly. Great and thorough when time is of the essence.
|
||||
* [LOKI](https://github.com/Neo23x0/Loki) - Free IR scanner for scanning endpoint with yara rules and other indicators(IOCs).
|
||||
* [MEERKAT](https://github.com/TonyPhipps/Meerkat) - PowerShell-based triage and threat hunting for Windows.
|
||||
* [Panorama](https://github.com/AlmCo/Panorama) - Fast incident overview on live Windows systems.
|
||||
* [PowerForensics](https://github.com/Invoke-IR/PowerForensics) - Live disk forensics platform, using PowerShell.
|
||||
* [PSRecon](https://github.com/gfoss/PSRecon/) - PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.
|
||||
|
22
README_ch.md
22
README_ch.md
@ -67,8 +67,12 @@ DFIR 团队是组织中负责安全事件响应(包括事件证据、影响修
|
||||
|
||||
### 书籍
|
||||
|
||||
* [Applied Incident Response](https://www.amazon.com/Applied-Incident-Response-Steve-Anson/dp/1119560268/) - Steve Anson 编写的应急响应应用指南
|
||||
* [Dfir intro](https://medium.com/@sroberts/introduction-to-dfir-d35d5de4c180/)) - 作者:Scott J. Roberts
|
||||
* [The Practice of Network Security Monitoring: Understanding Incident Detection and Response](http://www.amazon.com/gp/product/1593275099) - 作者:Richard Bejtlich
|
||||
* [Incident Response & Computer Forensics, Third Edition](https://www.amazon.com/Incident-Response-Computer-Forensics-Third/dp/0071798684/) - 事件响应权威指南
|
||||
* [Intelligence-Driven Incident Response](https://www.amazon.com/Intelligence-Driven-Incident-Response-Outwitting-Adversary-ebook-dp-B074ZRN5T7/dp/B074ZRN5T7) - 作者:Scott J. Roberts、Rebekah Brown
|
||||
* [Operator Handbook: Red Team + OSINT + Blue Team Reference](https://www.amazon.com/Operator-Handbook-Team-OSINT-Reference/dp/B085RR67H5/) - 事件响应者的重要参考
|
||||
* [The Practice of Network Security Monitoring: Understanding Incident Detection and Response](http://www.amazon.com/gp/product/1593275099) - 作者:Richard Bejtlich
|
||||
|
||||
### 社区
|
||||
|
||||
@ -93,7 +97,7 @@ DFIR 团队是组织中负责安全事件响应(包括事件证据、影响修
|
||||
* [ir-rescue](https://github.com/diogo-fernan/ir-rescue) - *ir-rescue* 是一个 Windows 批处理脚本与一个 Unix Bash 脚本,用于在事件响应期在主机全面收集证据。
|
||||
* [Live Response Collection](https://www.brimorlabs.com/tools/) - BriMor 开发的 Live Response collection 是一个用于从 Windows、OSX、*nix 等操作系统中收集易失性数据的自动化工具。
|
||||
* [Margarita Shotgun](https://github.com/ThreatResponse/margaritashotgun) - 用于并行远程内存获取的命令行程序
|
||||
* [UAC](https://github.com/tclahr/uac) - 自动收集系统信息的 Shell 脚本,支持的系统包括:AIX、FreeBSD、Linux、macOS、NetBSD、Netscaler、OpenBSD 和 Solaris
|
||||
* [UAC](https://github.com/tclahr/uac) - UAC(Unix-like Artifacts Collector)是实时响应收集信息工具,支持的系统包括:AIX、FreeBSD、Linux、macOS、NetBSD、Netscaler、OpenBSD 和 Solaris
|
||||
|
||||
### 事件管理
|
||||
|
||||
@ -101,7 +105,7 @@ DFIR 团队是组织中负责安全事件响应(包括事件证据、影响修
|
||||
* [Cyphon](https://www.cyphon.io/) - Cyphon 通过一个单一的平台来组织一系列相关联的工作消除了事件管理的开销。它对事件进行收集、处理、分类。
|
||||
* [Demisto](https://www.demisto.com/product/) - Demisto 免费的社区版提供全事件生命周期的管理,事件披露报告,团队任务分配与协作,以及众多增强自动化的系统集成(如 Active Directory, PagerDuty, Jira 等)。
|
||||
* [CORTEX XSOAR](https://www.paloaltonetworks.com/cortex/xsoar) - Paloalto SOAR 平台,带有事件生命周期管理和许多提高自动化水平的集成工具
|
||||
* [DFIRTrack](https://github.com/stuhli/dfirtrack) - 应急响应跟踪程序用于处理涉及许多受影响系统的重大事件,在 APT 的案例中经常会看到
|
||||
* [DFIRTrack](https://github.com/dfirtrack/dfirtrack) - 应急响应跟踪程序用于处理影响系统的事件
|
||||
* [FIR](https://github.com/certsocietegenerale/FIR/) - Fast Incident Response (FIR) 是一个网络安全事件管理平台,在设计时考虑了敏捷性与速度。其可以轻松创建、跟踪、报告网络安全应急事件并用于 CSIRT、CERT 与 SOC 等人员。
|
||||
* [KAPE](https://www.kroll.com/en/services/cyber-risk/investigate-and-respond/kroll-artifact-parser-extractor-kape) - 审核工具,用于查找最普遍的数字证据然后进行快速地解析,效率很高。
|
||||
* [RTIR](https://www.bestpractical.com/rtir/) - Request Tracker for Incident Response (RTIR) 对于安全团队来说是首要的开源事件处理系统,其与世界各地的十多个 CERT 与 CSIRT 合作,帮助处理不断增加的事件报告,RTIR 包含 Request Tracker 的全部功能。
|
||||
@ -126,12 +130,15 @@ DFIR 团队是组织中负责安全事件响应(包括事件证据、影响修
|
||||
### 日志分析工具
|
||||
|
||||
* [AppCompatProcessor](https://github.com/mbevilacqua/appcompatprocessor) - AppCompatProcessor 旨在从企业范围内的 AppCompat/AmCache 数据中提取信息
|
||||
* [APT Hunter](https://github.com/ahmedkhlief/APT-Hunter) - APT-Hunter 是用于 Windows 事件日志的威胁狩猎工具。
|
||||
* [Event Log Explorer](https://eventlogxp.com/) - 用于快速分析日志文件和其他数据的工具。
|
||||
* [Kaspersky CyberTrace](https://support.kaspersky.com/13850) - 将威胁数据与 SIEM 集成的分析工具,用户可以在现有安全运营和工作流中利用威胁情报进行安全监控与事件响应。
|
||||
* [Lorg](https://github.com/jensvoid/lorg) - 一个用 HTTPD 日志进行高级安全分析与取证的工具
|
||||
* [Logdissect](https://github.com/dogoncouch/logdissect) - 用于分析日志文件和其他数据的 CLI 实用程序和 Python API
|
||||
* [Sigma](https://github.com/Neo23x0/sigma) - 用于 SIEM 系统的通用签名格式,已包含了许多规则
|
||||
* [StreamAlert](https://github.com/airbnb/streamalert) - 实时日志分析框架,能够配置自定义数据源并使用用户自定义的逻辑触发警报
|
||||
* [SysmonSearch](https://github.com/JPCERTCC/SysmonSearch) - SysmonSearch 通过聚合事件日志使分析 Windows 事件日志的效率更高。
|
||||
* [Zircolite](https://github.com/wagga40/Zircolite) - 独立、快速基于 SIGMA 的 EVTX 或 JSON 检测工具。
|
||||
|
||||
### 内存分析工具
|
||||
|
||||
@ -141,7 +148,7 @@ DFIR 团队是组织中负责安全事件响应(包括事件证据、影响修
|
||||
* [MalConfScan](https://github.com/JPCERTCC/MalConfScan) - MalConfScan 是使用 Volatility 提取已知恶意软件配置信息的插件,Volatility 是用于事件响应与恶意软件分析的开源内存取证框架。该插件在内存中搜索恶意软件并提取配置信息,此外该工具具有列出恶意代码使用的字符串的功能。
|
||||
* [Memoryze](https://www.fireeye.com/services/freeware/memoryze.html) - 由 Mandiant 开发的 Memoryze 是一个免费的内存取证软件,可以帮助应急响应人员在内存中定位恶意部位, Memoryze 也可以分析内存镜像或者在正在运行的系统上把页面文件加入它的分析。
|
||||
* [Memoryze for Mac](https://www.fireeye.com/services/freeware/memoryze.html) - Memoryze for Mac 是 Memoryze 但仅限于 Mac,且功能较少。
|
||||
* [Rekall](http://www.rekall-forensic.com/) - 用于从 RAM 中提取样本的开源工具
|
||||
* [Rekall](http://www.rekall-forensic.com/) - 用于从 RAM 中提取样本的开源工具。
|
||||
* [Responder PRO](http://www.countertack.com/responder-pro) - Responder PRO 是一个工业级的物理内存及自动化恶意软件分析解决方案
|
||||
* [Volatility](https://github.com/volatilityfoundation/volatility) - 高级内存取证框架
|
||||
* [VolatilityBot](https://github.com/mkorman90/VolatilityBot) - VolatilityBot 是一个自动化工具,帮助研究员减少在二进制程序提取解析阶段的手动任务,或者帮助研究人员进行内存分析调查的第一步
|
||||
@ -195,9 +202,13 @@ DFIR 团队是组织中负责安全事件响应(包括事件证据、影响修
|
||||
|
||||
### Playbooks
|
||||
|
||||
* [AWS Incident Response Runbook Samples](https://github.com/aws-samples/aws-incident-response-runbooks/tree/0d9a1c0f7ad68fb2c1b2d86be8914f2069492e21) - AWS IR Runbook Samples 旨在针对三个案例(DoS 或 DDoS 攻击、凭据泄漏、意外访问 Amazon S3 存储桶)进行定制。
|
||||
* [Counteractive Playbooks](https://github.com/counteractive/incident-response-plan-template/tree/master/playbooks) - Counteractive PLaybooks 集合
|
||||
* [GuardSIght Playbook Battle Cards](https://github.com/guardsight/gsvsoc_cirt-playbook-battle-cards) - 网络事件响应手册集合
|
||||
* [IRM](https://github.com/certsocietegenerale/IRM) - CERT Societe Generale 开发的事件响应方法论
|
||||
* [IR Workflow Gallery](https://www.incidentresponse.com/playbooks/) - 不同的通用事件响应工作流程,例如恶意软件爆发、数据窃取、未经授权的访问等,每个工作流程都有七个步骤:准备、检测、分析、遏制、根除、恢复、事后处理。
|
||||
* [PagerDuty Incident Response Documentation](https://response.pagerduty.com/) - 描述 PagerDuty 应急响应过程的文档,不仅提供了关于事件准备的信息,还提供了在此前与之后要做什么工作,源在 [GitHub](https://github.com/PagerDuty/incident-response-docs) 上。
|
||||
* [Phantom Community Playbooks](https://github.com/phantomcyber/playbooks) - Splunk 的 Phantom 社区手册
|
||||
|
||||
### 进程 Dump 工具
|
||||
|
||||
@ -225,10 +236,11 @@ DFIR 团队是组织中负责安全事件响应(包括事件证据、影响修
|
||||
* [Viper](https://github.com/viper-framework/viper) - Viper 是一个基于 Python 的二进制程序分析及管理框架,支持 Cuckoo 与 YARA
|
||||
* [Virustotal](https://www.virustotal.com) - Virustotal, Google 的子公司,一个免费在线分析文件/URL的厂商,可以分析病毒\蠕虫\木马以及其他类型被反病毒引擎或网站扫描器识别的恶意内容
|
||||
* [Visualize_Logs](https://github.com/keithjjones/visualize_logs) - Cuckoo、Procmon等日志的开源可视化库
|
||||
|
||||
* [Yomi](https://yomi.yoroi.company) - Yoroi 托管的免费多沙盒服务。
|
||||
|
||||
### 时间线工具
|
||||
|
||||
* [Aurora Incident Response](https://github.com/cyb3rfox/Aurora-Incident-Response) - 构建事件的详细时间表的平台
|
||||
* [Highlighter](https://www.fireeye.com/services/freeware/highlighter.html) - Fire/Mandiant 开发的免费工具,来分析日志/文本文件,可以对某些关键字或短语进行高亮显示,有助于时间线的整理
|
||||
* [Morgue](https://github.com/etsy/morgue) - 一个 Etsy 开发的 PHP Web 应用,可用于管理事后处理
|
||||
* [Plaso](https://github.com/log2timeline/plaso) - 一个基于 Python 用于 log2timeline 的后端引擎
|
||||
|
Loading…
Reference in New Issue
Block a user