My curated list of awesome links, resources and tools on infosec related topics
Go to file
2021-01-24 23:43:09 +07:00
.github/workflows Add new whitelist and remove dupe 2020-12-14 14:03:54 +07:00
CODE_OF_CONDUCT.md Create CODE_OF_CONDUCT.md 2017-12-14 15:43:06 +07:00
cover.png Update: README.md with cover photo 2019-10-15 23:18:12 +07:00
LICENSE Initial commit 2017-11-09 23:11:18 +07:00
Offensive.md Add aeverj/NimShellCodeLoader to Execution section 2021-01-20 20:43:57 +07:00
README.md Add ahmedkhlief/APT-Hunter to DFIR section 2021-01-24 23:43:09 +07:00

My Infosec Awesome


Update Nov 18, 2020: Offensive Bookmark.md has been created based on my need to map bookmarks (and tools) that practice tactics and techniques for offensive operations with MITRE ATT&CK Enterprise Matrix. The Post Exploitation section on README.md is now migrate to the new page. I will update the new page with my personal bookmark soon.


This repository is created as an online bookmark for useful links, resources and tools in infosec field which serve my needs to have a searchable page to look further.

Adversary Simulation & Emulation

Link Description
alphasoc/flightsim A utility to generate malicious network traffic and evaluate controls
Attack Simulatorin Office 365 Simulate realistic attacks on Office 365 environment
Blue Team Training Toolkit Blue Team Training Toolkit (BT3) is designed for network analysis training sessions, incident response drills and red team engagements
Coalfire-Research/Red-Baron Automate creating resilient, disposable, secure and agile infrastructure for Red Teams
Cyb3rWard0g/Invoke-ATTACKAPI A PowerShell script to interact with the MITRE ATT&CK Framework via its own API
Cyb3rWard0g/mordor Re-play Adversarial Techniques
chryzsh/DarthSidious Building an Active Directory domain and hacking it
d3vzer0/reternal-quickstart Repo containing docker-compose files and setup scripts without having to clone the individual reternal components
ElevenPaths/ATTPwn ATTPwn is a computer security tool designed to emulate adversaries.
endgameinc/RTA RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK
fireeye/capa capa detects capabilities in executable files. You run it against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.
fireeye/capa-rules Standard collection of rules for capa: the tool for enumerating the capabilities of programs
FSecureLABS/leonidas Automated Attack Simulation in the Cloud, complete with detection use cases.
jymchoeng/AutoTTP Automated Tactics Techniques & Procedures
mdsecactivebreach/CACTUSTORCH CACTUSTORCH: Payload Generation for Adversary Simulations
microsoft/restler-fuzzer RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.
MiladMSFT/ThreatHunt ThreatHunt is a PowerShell repository that allows you to train your threat hunting skills.
mitre/caldera An automated adversary emulation system
NextronSystems/APTSimulator A toolset to make a system look as if it was the victim of an APT attack
n0dec/MalwLess Test blue team detections without running any attack
OTRF/SimuLand Cloud Templates and scripts to deploy mordor environments
praetorian-code/purple-team-attack-automation Praetorian's public release of our Metasploit automation of MITRE ATT&CK™ TTPs
scythe-io/community-threats The GitHub of Adversary Emulation Plans in JSON. Share SCYTHE threats with the community. #ThreatThursday adversary emulation plans are shared here.
TryCatchHCF/DumpsterFire "Security Incidents In A Box!" A modular, menu-driven, cross-platform tool for building customized, time-delayed, distributed security events.
ReconInfoSec/adversary-emulation-map Creates an ATT&CK Navigator map of an Adversary Emulation Plan
redcanaryco/atomic-red-team Small and highly portable detection tests based on MITRE's ATT&CK.
redcanaryco/AtomicTestHarnesses Public Repo for Atomic Test Harness
redcanaryco/chain-reactor Chain Reactor is an open source framework for composing executables that simulate adversary behaviors and techniques on Linux endpoints.
redhuntlabs/RedHunt-OS Virtual Machine for Adversary Emulation and Threat Hunting
SpiderLabs/sheepl Sheepl : Creating realistic user behaviour for supporting tradecraft development within lab environments
splunk/attack_range A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk
swimlane/soc-faker A python package for use in generating fake data for SOC and security automation.
uber-common/metta An information security preparedness tool to do adversarial simulation.
Unfetter Unfetter is a project designed to help network defenders, cyber security professionals, and decision makers identify and analyze defensive gaps in a more scalable and repeatable way

Application Security

Link Description
aboul3la/Sublist3r Fast subdomains enumeration tool for penetration testers
Acheron-VAF/Acheron Acheron is a RESTful vulnerability assessment and management framework built around search and dedicated to terminal extensibility.
ambionics/phpggc PHPGGC is a library of unserialize() payloads along with a tool to generate them, from command line or programmatically.
anchore/grype A vulnerability scanner for container images and filesystems
appsecco/spaces-finder A tool to hunt for publicly accessible DigitalOcean Spaces
anatshri/svn-extractor Simple script to extract all web resources by means of .SVN folder exposed over network.
aquasecurity/kube-hunter Hunt for security weaknesses in Kubernetes clusters
brannondorsey/dns-rebind-toolkit A front-end JavaScript toolkit for creating DNS rebinding attacks.
BishopFox/h2csmuggler HTTP Request Smuggling over HTTP/2 Cleartext (h2c)
Bug Bounty Recon Bug Bounty Recon (bbrecon) is a Recon-as-a-Service for bug bounty hunters and security researchers. The API aims to provide a continuously up-to-date map of the Internet "safe harbor" attack surface, excluding out-of-scope targets.
chvancooten/BugBountyScanner A Bash script and Docker image for Bug Bounty reconnaissance. Intended for headless use.
danmar/cppcheck static analysis of C/C++ code
dstotijn/hetty Hetty is an HTTP toolkit for security research. It aims to become an open source alternative to commercial software like Burp Suite Pro, with powerful features tailored to the needs of the infosec and bug bounty community.
doyensec/inql InQL - A Burp Extension for GraphQL Security Testing
facebook/pyre-check/ Performant type-checking for python.
google/atheris Atheris is a coverage-guided Python fuzzing engine. It supports fuzzing of Python code, but also native extensions written for CPython. Atheris is based off of libFuzzer. When fuzzing native code, Atheris can be used in combination with Address Sanitizer or Undefined Behavior Sanitizer to catch extra bugs.
HunterSuite HunterSuite is the next generation offensive security suite. It will automate all the tedious tasks during a test just with few clicks. If you are a penetration tester, red teamer, bug bounty hunter, or you work as an offensive security engineer, you will love what HunterSuite has to offer.
IlluminateJs IlluminateJs is a static javascript analysis engine (a deobfuscator so to say) aimed to help analyst understand obfuscated and potentially malicious JavaScript Code.
ismailtasdelen/xss-payload-list Cross Site Scripting ( XSS ) Vulnerability Payload List
jonluca/Anubis Subdomain enumeration and information gathering tool
LanikSJ/dfimage Reverse-engineer a Dockerfile from a Docker image.
mazen160/bfac BFAC (Backup File Artifacts Checker): An automated tool that checks for backup artifacts that may disclose the web-application's source code.
microsoft/onefuzz A self-hosted Fuzzing-As-A-Service platform
mindedsecurity/JStillery Advanced JS Deobfuscation via Partial Evaluation.
mwrlabs/dref DNS Rebinding Exploitation Framework
nccgroup/whalescan Whalescan is a vulnerability scanner for Windows containers, which performs several benchmark checks, as well as checking for CVEs/vulnerable packages on the container
NetSPI/AutoDirbuster Automatically run and save Dirbuster scans for multiple IPs
NetSPI/PowerUpSQL PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server
nccgroup/singularity A DNS rebinding attack framework
OWASP/wstg The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.
OWASP Zed Attack Proxy Project The OWASP Zed Attack Proxy (ZAP) is one of the worlds most popular free security tools and is actively maintained by hundreds of international volunteers
Public WWW Source Code Search Engine
pumasecurity/puma-scan Puma Scan is a software security Visual Studio extension that provides real time, continuous source code analysis as development teams write code. Vulnerabilities are immediately displayed in the development environment as spell check and compiler warnings, preventing security bugs from entering your applications.
pwntester/ysoserial.net Deserialization payload generator for a variety of .NET formatters
RedTeamPentesting/monsoon Fast HTTP enumerator
RhinoSecurityLabs/IPRotate_Burp_Extension Extension for Burp Suite which uses AWS API Gateway to rotate your IP on every request.
RhinoSecurityLabs/SleuthQL Python3 Burp History parsing tool to discover potential SQL injection points. To be used in tandem with SQLmap.
Snyk Continuously find & fix vulnerabilities in your dependencies
s0md3v/XSStrike Most advanced XSS detection suite
subfinder/subfinder SubFinder is a subdomain discovery tool that discovers valid subdomains for websites. Designed as a passive framework to be useful for bug bounties and safe for penetration testing.
wallarm/gotestwaf Go Test WAF project, a tool to test different WAF detects for apps and APIs
wagiro/BurpBounty Burp Bounty (Scan Check Builder in BApp Store) is a extension of Burp Suite that allows you, in a quick and simple way, to improve the active and passive scanner by means of personalized rules through a very intuitive graphical interface.
wpdc Detect malicious dependencies, magecart, malvertising, and more on your web properties!
Yelp/detect-secrets An enterprise friendly way of detecting and preventing secrets in code.

Binary Analysis

Link Description
avast-tl/retdec RetDec is a retargetable machine-code decompiler based on LLVM
binvis.io visual analysis of binary files
blackberry/pe_tree Python module for viewing Portable Executable (PE) files in a tree-view using pefile and PyQt5. Can also be used with IDA Pro to dump in-memory PE files and reconstruct imports.
carbonblack/binee Binee: binary emulation environment
bootleg/ret-sync ret-sync is a set of plugins that helps to synchronize a debugging session (WinDbg/GDB/LLDB/OllyDbg2/x64dbg) with IDA/Ghidra disassemblers.
Cisco-Talos/GhIDA GhIDA is an IDA Pro plugin that integrates the Ghidra decompiler in IDA.
Cisco-Talos/Ghidraaas Ghidraaas is a simple web server that exposes Ghidra analysis through REST APIs. The project includes three Ghidra plugins to analyze a sample, get the list of functions and to decompile a function.
Comsecuris/gdbghidra gdbghidra - a visual bridge between a GDB session and GHIDRA
Comsecuris/gdbida gdbida - a visual bridge between a GDB session and IDA Pro's disassembler
Cutter Free and Open Source RE Platform powered by radare2
DarthTon/Blackbone Windows memory hacking library
dr4k0nia/Unscrambler Universal unpacker and fixer for a number of modded ConfuserEx protections
endgameinc/xori Xori is an automation-ready disassembly and static analysis library for PE32, 32+ and shellcode
enkomio/shed .NET runtine inspector. Shed - Inspect .NET malware like a Sir
flare-emu flare-emu marries a supported binary analysis framework, such as IDA Pro or Radare2, with Unicorns emulation framework to provide the user with an easy to use and flexible interface for scripting emulation tasks.
fireeye/flare-floss FireEye Labs Obfuscated String Solver - Automatically extract obfuscated strings from malware.
fireeye/speakeasy Speakeasy is a portable, modular, binary emulator designed to emulate Windows kernel and user mode malware.
forrest-orr/moneta Moneta is a live usermode memory analysis tool for Windows with the capability to detect malware IOCs
FuzzySecurity/Fermion Fermion, an electron wrapper for Frida & Monaco.
GHIDRA A software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission
Go Reverse Engineering Toolkit A Reverse Engineering Tool Kit for Go, Written in Go.
grimm-co/GEARSHIFT GEARSHIFT is a tool that performs structure recovery for a specified function within a stripped binary. It also generates a fuzz harness that can be used to call functions in a shared object (.so) or dynamically linked library (.dll) file.
guelfoweb/peframe PEframe is a open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents.
hasherezade/hollows_hunter A process scanner detecting and dumping hollowed PE modules.
hasherezade/hook_finder a small tool for investigating inline hooks (and other in-memory code patches)
hzqst/unicorn_pe Unicorn PE is an unicorn based instrumentation project designed to emulate code execution for windows PE files.
Kaitai Struct Kaitai Struct is a declarative language used to describe various binary data structures, laid out in files or in memory: i.e. binary file formats, network stream packet formats, etc.
LIEF Library to Instrument Executable Formats
Microsoft/binskim A binary static analysis tool that provides security and correctness results for Windows portable executables
Microsoft/ProcDump-for-Linux A Linux version of the ProcDump Sysinternals tool
mxmssh/drltrace Drltrace is a library calls tracer for Windows and Linux applications
NASA-SW-VnV/ikos IKOS (Inference Kernel for Open Static Analyzers) is a static analyzer for C/C++ based on the theory of Abstract Interpretation
nsacyber/BAM The Binary Analysis Metadata tool gathers information about Windows binaries to aid in their analysis.
nccgroup/WindowsMemPageDelta A Microsoft Windows service to provide telemetry on Windows executable memory page changes to facilitate threat detection
pierrezurek/Signsrch tool for searching signatures inside files, extremely useful in reversing engineering for figuring or having an initial idea of what encryption/compression algorithm is used for a proprietary protocol or file. it can recognize tons of compression, multimedia and encryption algorithms and many other things like known strings and anti-debugging code which can be also manually added since it's all based on a text signature file read at runtime and easy to modify.
Pinitor An API Monitor Based on Pin
pygore Python library for analyzing Go binaries
qilingframework/qiling Qiling Advanced Binary Emulation Framework
rizin Free and Open Source Reverse Engineering Framework
secretsquirrel/recomposer Randomly changes Win32/64 PE Files for 'safer' uploading to malware and sandbox sites.
shellcode.run A sandbox, for shellcode - run your shellcode blobs online with no hassle and receive a comprehensive report.
taviso/loadlibrary Porting Windows Dynamic Link Libraries to Linux
utkonos/lst2x64dbg Extract labels from IDA, Ghidra, Binary Ninja, and Relyze files and export x64dbg database. Including radare2 main address.
Veles New open source tool for binary data analysis
VisUAL A highly visual ARM emulator
Wenzel/checksec.py Checksec tool in Python, Rich output. Based on LIEF
williballenthin/python-idb Pure Python parser and analyzer for IDA Pro database files (.idb).

Cloud Security

Link Description
0xsha/CloudBrute A tool to find a company (target) infrastructure, files, and apps on the top cloud providers (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode). The outcome is useful for bug bounty hunters, red teamers, and penetration testers alike.
Alfresco/prowler Tool for AWS security assessment, auditing and hardening. It follows guidelines of the CIS Amazon Web Services Foundations Benchmark.
andresriancho/nimbostratus Tools for fingerprinting and exploiting Amazon cloud infrastructures
asecure.cloud A free repository of customizable AWS security configurations and best practices
asecurityteam/spacecrab Bootstraps an AWS account with everything you need to generate, mangage, and distribute and alert on AWS honey tokens. Made with breakfast roti by the Atlassian security team.
awslabs/aws-security-benchmark Open source demos, concept and guidance related to the AWS CIS Foundation framework.
Azure/Stormspotter Azure Red Team tool for graphing Azure and Azure Active Directory objects
BishopFox/smogcloud Find cloud assets that no one wants exposed
bridgecrewio/cdkgoat CdkGoat is Bridgecrew's "Vulnerable by Design" AWS CDK repository. CdkGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
bridgecrewio/cfngoat Cfngoat is Bridgecrew's "Vulnerable by Design" Cloudformation repository. Cfngoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
carnal0wnage/weirdAAL WeirdAAL [AWS Attack Library] wiki!
cisagov/Sparrow Sparrow.ps1 was created by CISA's Cloud Forensics team to help detect possible compromised accounts and applications in the Azure/m365 environment.
cloudquery/cloudquery cloudquery transforms your cloud infrastructure into queryable SQL tables for easy monitoring, governance and security.
cloudsploit/scans AWS security scanning checks
cr0hn/festin FestIn is a tool for discovering open S3 Buckets starting from a domains.
CrowdStrike/CRT This tool queries the following configurations in the Azure AD/O365 tenant which can shed light on hard to find permissions and configuration settings in order to assist organizations in securing these environments.
cyberark/SkyArk SkyArk is a cloud security tool, helps to discover, assess and secure the most privileged entities in AWS
cyberark/SkyWrapper SkyWrapper helps to discover suspicious creation forms and uses of temporary tokens in AWS
dagrz/aws_pwn A collection of AWS penetration testing junk
disruptops/cred_scanner A simple file-based scaner to look for potential AWS accesses and secret keys in files
duo-labs/cloudtracker CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies.
duo-labs/cloudmapper CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
endgameinc/varna Varna: Quick & Cheap AWS CloudTrail Monitoring with Event Query Language (EQL)
eth0izzle/bucket-stream Find interesting Amazon S3 Buckets by watching certificate transparency logs.
FishermansEnemy/bucket_finder Amazon bucket brute force tool
glen-mac/goGetBucket A penetration testing tool to enumerate and analyse Amazon S3 Buckets owned by a domain.
google/cloud-forensics-utils Python library to carry out DFIR analysis on the Cloud
hausec/PowerZure PowerShell framework to assess Azure security
kromtech/s3-inspector Tool to check AWS S3 bucket permissions
jordanpotti/AWSBucketDump Security Tool to Look For Interesting Files in S3 Buckets
jordanpotti/CloudScraper CloudScraper: Tool to enumerate targets in search of cloud resources. S3 Buckets, Azure Blobs, Digital Ocean Storage Space.
lyft/metadataproxy A proxy for AWS's metadata service that gives out scoped IAM credentials from STS
MindPointGroup/cloudfrunt A tool for identifying misconfigured CloudFront domains
nccgroup/aws-inventory Discover resources created in an AWS account
nccgroup/PMapper A tool for quickly evaluating IAM permissions in AWS.
nccgroup/s3_objects_check Whitebox evaluation of effective S3 object permissions, in order to identify publicly accessible objects.
nccgroup/Scout2 Security auditing tool for AWS environments
nccgroup/ScoutSuite Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments
Netflix-Skunkworks/diffy Diffy is a digital forensics and incident response (DFIR) tool developed by Netflix's Security Intelligence and Response Team (SIRT).
Netflix/security_monkey Security Monkey monitors your AWS and GCP accounts for policy changes and alerts on insecure configurations.
NetSPI/aws_consoler A utility to convert your AWS CLI credentials into AWS console access.
NotSoSecure/cloud-service-enum This script allows pentesters to validate which cloud tokens (API keys, OAuth tokens and more) can access which cloud service.
prevade/cloudjack Route53/CloudFront Vulnerability Assessment Utility
pumasecurity/serverless-prey Serverless Functions for establishing Reverse Shells to Lambda, Azure Functions, and Google Cloud Functions
random-robbie/slurp Enumerate S3 buckets via certstream, domain, or keywords
RhinoSecurityLabs/pacu Rhino Security Labs' AWS penetration testing toolkit
RiotGames/cloud-inquisitor Enforce ownership and data security within AWS
sa7mon/S3Scanner Scan for open S3 buckets and dump
salesforce/cloudsplaining Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report with a triage worksheet
sendgrid/krampus The original AWS security enforcer™
SecurityFTW/cs-suite Cloud Security Suite - One stop tool for auditing the security posture of AWS infrastructure.
spacesiren/spacesiren A honey token manager and alert system for AWS.
swimlane/CLAW A packer utility to create and capture DFIR Image for use AWS & Azure
theflakes/reg_hunter Blueteam operational triage registry hunting/forensic tool
ThreatResponse/margaritashotgun Remote Memory Acquisition Tool for AWS
ThreatResponse/aws_ir Python installable command line utiltity for mitigation of host and key compromises.
toniblyx/prowler Tool based on AWS-CLI commands for AWS account security assessment and hardening, following guidelines of the CIS Amazon Web Services Foundations Benchmark 1.1
widdix/aws-s3-virusscan Antivirus for Amazon S3 buckets

Courses

Link Description
specterops/at-ps Adversary Tactics - PowerShell Training

Cryptography

Link Description
CERTCC/keyfinder A tool for analyzing private (and public) key files, including support for Android APK files.
CertDB Internet-wide search engine for digital certificates
Ciphey/Ciphey Automatically decode encryptions without a key, decode encodings, and crack hashes
corkami/pocs Proof of Concepts (PE, PDF...)
mpgn/BEAST-PoC Poc of BEAST attack against SSL/TLS
mpgn/Padding-oracle-attack Padding oracle attack against PKCS7
mpgn/poodle-PoC Poodle (Padding Oracle On Downgraded Legacy Encryption) attack
salesforce/ja3 JA3 is a standard for creating SSL client fingerprints in an easy to produce and shareable way.

Data Sets

Link Description
BOTS 1.0 Dataset The BOTS 1.0 dataset records two attacks perpetrated by a fictitious hacktivist group called po1s0n1vy targeting Wayne Corp of Batman mythology. There are many comic book references in the data; from heroes and villains to “Batmans” street addresses. Not only does the dataset have many different types of data—everything from Sysmon to Suricata—but there are even file hashes that can be found in Virustotal.com and domains/IPs to hunt for in OSINT tools like PassiveTotal and Robtex!
DataPlane.org DataPlane.org is a community-powered Internet data, feeds, and measurement resource for operators, by operators. We provide reliable and trustworthy service at no cost.
Google Dataset Search Google Dataset Search
SecRepo.com - Samples of Security Related Data Finding samples of various types of Security related can be a giant pain. This is my attempt to keep a somewhat curated list of Security related data I've found, created, or was pointed to. If you perform any kind of analysis with any of this data please let me know and I'd be happy to link it from here or host it here. Hopefully by looking at others research and analysis it will inspire people to add-on, improve, and create new ideas.
splunk/attack_data A Repository of curated datasets from various attacks

Digital Forensics and Incident Response

Link Description
$I File Parser Free Forensics Tool \$I File Parser
activecm/BeaKer Beacon Kibana Executable Report. Aggregates Sysmon Network Events With Elasticsearch and Kibana
ahmedkhlief/APT-Hunter APT-Hunter is Threat Hunting tool for windows event logs which made by purple team mindset to provide detect APT movements hidden in the sea of windows event logs to decrease the time to uncover suspicious activity
AlienVault OSSIM AlienVault OSSIM: The Worlds Most Widely Used Open Source SIEM
andreafortuna/autotimeliner Automagically extract forensic timeline from volatile memory dump
ANSSI-FR/bits_parser Extract BITS jobs from QMGR queue and store them as CSV records
ANSSI-FR/bmc-tools RDP Bitmap Cache Parser
bfuzzy/auditd-attack A Linux Auditd rule set mapped to MITRE's Attack Framework
Broctets-and-Bytes/Darwin This script is designed to be run against a mounted image, live system, or device in target disk mode. The script automates the collection of key files for MacOS investigations.
bromiley/olaf Office365 Log Analysis Framework: OLAF is a collection of tools, scripts, and analysis techniques dealing with O365 Investigations.
carmaa/inception Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.
chrisandoryan/Nethive-Project Restructured and Collaborated SIEM and CVSS Infrastructure. Presented at Blackhat Asia Arsenal 2020.
coinbase/dexter Forensics acquisition framework designed to be extensible and secure
ComodoSecurity/openedr Open EDR public repository
CrowdStrike/automactc AutoMacTC: Automated Mac Forensic Triage Collector
CrowdStrike/Forensics Scripts and code referenced in CrowdStrike blog posts
cryps1s/DARKSURGEON DARKSURGEON is a Windows packer project to empower incident response, digital forensics, malware analysis, and network defense.
cyb3rfox/Aurora-Incident-Response Incident Response Documentation made easy. Developed by Incident Responders for Incident Responders
Cyb3rWard0g/HELK A Hunting ELK (Elasticsearch, Logstash, Kibana) with advanced analytic capabilities.
Cyber Analytics Repository The MITRE Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the MITRE ATT&CK adversary model.
CyberDefenseInstitute/CDIR CDIR (Cyber Defense Institute Incident Response) Collector - live collection tool based on oss tool/library
davehull/Kansa A Powershell incident response framework
deepalert/deepalert Serverless SOAR (Security Orchestration, Automation and Response) framework for automatic inspection and evaluation of security alert
DFIR ORC DFIR ORC, where ORC stands for “Outil de Recherche de Compromission” in French, is a collection of specialized tools dedicated to reliably parse and collect critical artefacts such as the MFT, registry hives or event logs. It can also embed external tools and their configurations.
DG Wingman DG Wingman is a free community Windows tool designed to aid in the collection of forensic evidence in order to properly investigate and scope an intrusion.
draios/sysdig Linux system exploration and troubleshooting tool with first class support for containers
drego85/meioc Extracting IoC data from eMail
DFIRKuiper/Kuiper Kuiper is a digital investigation platform that provides a capabilities for the investigation team and individuals to parse, search, visualize collected evidences (evidences could be collected by fast traige script like Hoarder).
fireeye/ARDvark ARDvark parses the Apple Remote Desktop (ARD) files to pull out application usage, user activity, and filesystem listings.
fireeye/SilkETW SilkETW & SilkService are flexible C# wrappers for ETW, they are meant to abstract away the complexities of ETW and give people a simple interface to perform research and introspection.
fireeye/ThreatPursuit-VM Threat Pursuit Virtual Machine (VM): A fully customizable, open-sourced Windows-based distribution focused on threat intelligence analysis and hunting designed for intel and malware analysts as well as threat hunters to get up and running quickly.
ForensicArtifacts/artifacts Digital Forensics Artifact Repository
frikky/Shuffle Shuffle: A general purpose security automation platform platform. We focus on accessibility for all.
gleeda/memtriage Allows you to quickly query a Windows machine for RAM artifacts
google/docker-explorer A tool to help forensicate offline docker acquisitions
google/GiftStick 1-Click push forensics evidence to the cloud
google/grr GRR is a python client (agent) that is installed on target systems, and python server infrastructure that can manage and talk to clients.
google/rekall The Rekall Framework is a completely open collection of tools, implemented in Python under the Apache and GNU General Public License, for the extraction and analysis of digital artifacts computer systems.
google/turbinia Automation and Scaling of Digital Forensics Tools
Graylog Built to open standards, Graylogs connectivity and interoperability seamlessly collects, enhances, stores, and analyzes log data.
hunters-forge/API-To-Event A repo to document API functions mapped to security events across diverse platforms
hunters-forge/OSSEM Open Source Security Events Metadata (OSSEM)
Kaspersky IR's Artifacts Collector Kaspersky IR's Artifacts Collector
Hibernation Recon The tools and techniques used for many years to analyze Microsoft Windows® hibernation files have left digital forensics experts in the dark… until now!
Invoke-IR/ACE The Automated Collection and Enrichment (ACE) platform is a suite of tools for threat hunters to collect data from many endpoints in a network and automatically enrich the data. The data is collected by running scripts on each computer without installing any software on the target. ACE supports collecting from Windows, macOS, and Linux hosts.
jimtin/IRCoreForensicFramework Powershell 7 (Powershell Core)/ C# cross platform forensic framework. Built by incident responders for incident responders.
JPCERTCC/LogonTracer Investigate malicious Windows logon by visualizing and analyzing Windows event log
JPCERTCC/SysmonSearch Investigate suspicious activity by visualizing Sysmon's event log
IllusiveNetworks-Labs/HistoricProcessTree An Incident Response tool that visualizes historic process execution evidence (based on Event ID 4688 - Process Creation Event) in a tree view.
intezer/linux-explorer Easy-to-use live forensics toolbox for Linux endpoints
Invoke-IR/PowerForensics PowerForensics provides an all in one platform for live disk forensic analysis
Live Response Collection - Cedarpelta Live Response Collection - Cedarpelta
log2timeline/plaso log2timeline is a tool designed to extract timestamps from various files found on a typical computer system(s) and aggregate them.
MAGNET App Simulator MAGNET App Simulator lets you load application data from Android devices in your case into a virtual environment, enabling you to view and interact with the data as the user would have seen it on their own device.
MalwareSoup/MitreAttack Python wrapper for the Mitre ATT&CK framework API
markbaggett/srum-dump A forensics tool to convert the data in the Windows srum (System Resource Usage Monitor) database to an xlsx spreadsheet.
markbaggett/werejugo Identifies physical locations where a laptop has been based upon wireless profiles and wireless data recorded in event logs
miriamxyra/EventList EventList is a tool to help improving your Audit capabilities and to help to build your Security Operation Center.
mitre-attack/bzar A set of Zeek scripts to detect ATT&CK techniques.
mozilla/audit-go Linux Audit Plugin for heka written using netlink Protocol in golang and Lua
mozilla/mig Distributed & real time digital forensics at the speed of the cloud
mozilla/MozDef MozDef: The Mozilla Defense Platform
nannib/Imm2Virtual This is a GUI (for Windows 64 bit) for a procedure to virtualize your EWF(E01), DD(Raw), AFF disk image file without converting it, directly with VirtualBox, forensically proof.
Netflix/dispatch All of the ad-hoc things you're doing to manage incidents today, done for you, and much more!
nshalabi/SysmonTools Utilities for Sysmon (Sysmon View and Sysmon Shell)
NXLog The modern open source log collector.
omenscan/achoir Windows Live Artifacts Acquisition Script
omenscan/achoirx ReWrite of AChoir in Go for Cross PlatformReWrite of AChoir in Go for Cross Platform
orlikoski/CyLR CyLR - Live Response Collection Tool
OSSEC Open Source HIDS SECurity
philhagen/sof-elk Configuration files for the SOF-ELK VM, used in SANS FOR572
polylogyx/PolyMon PolyLogyx Monitoring Agent (PolyMon) is a Windows software that leverages the osquery tool and the PolyLogyx Extension to osquery, to provide a view into detailed information about process creations, network connections, file system changes and many other activities on the system.
ptresearch/AttackDetection The Attack Detection Team searches for new vulnerabilities and 0-days, reproduces it and creates PoC exploits to understand how these security flaws work and how related attacks can be detected on the network layer. Additionally, we are interested in malware and hackers TTPs, so we develop Suricata rules for detecting all sorts of such activities.
PUNCH-Cyber/stoq An open source framework for enterprise level automated analysis.
ROCK NSM Response Operation Collection Kit - An open source Network Security Monitoring platform.
salesforce/bro-sysmon Bro-Sysmon enables Bro to receive Windows Event Logs. This provide a method to associate Network Monitoring and Host Monitoring. The work was spurred by the need to associate JA3 and HASSH fingerprints with the application on the host. The example below shows the hostname, Process ID, connection information, JA3 fingerprints, Application Path, and binary hashes.
salesforce/jarm JARM is an active Transport Layer Security (TLS) server fingerprinting tool.
sans-blue-team/DeepBlueCLI DeepBlueCLI - a PowerShell Module for Threat Hunting via Windows Event Logs
Security Onion Peel back the layers of your enterprise
SecurityRiskAdvisors/TALR Threat Alert Logic Repository (TALR) - A public repository for the collection and sharing of detection rules in platform agnostic formats. Collected rules are appended with STIX required fields for simplified sharing over TAXII servers.
SekoiaLab/fastir_artifacts Live forensic artifacts collector
SekoiaLab/Fastir_Collector This tool collects different artefacts on live Windows and records the results in csv or json files. With the analyses of these artefacts, an early compromission can be detected.
shellster/DCSYNCMonitor Monitors for DCSYNC and DCSHADOW attacks and create custom Windows Events for these events.
SIEMonster SIEMonster is an Affordable Security Monitoring Software Soulution
Sigma Rules Repository Mirror Sigma rules repository mirror and translations
slackhq/go-audit go-audit is an alternative to the auditd daemon that ships with many distros
s0md3v/Orbit Blockchain Transactions Investigation Tool
refractionPOINT/limacharlie LC is an Open Source, cross-platform (Windows, MacOS, Linux ++), realtime Endpoint Detection and Response sensor. The extra-light sensor, once installed on a system provides Flight Data Recorder type information (telemetry on all aspects of the system like processes, DNS, network IO, file IO etc).
RomanEmelyanov/CobaltStrikeForensic Toolset for research malware and Cobalt Strike beacons
The Sleuth Kit sleuthkit.org is the official website for The Sleuth Kit®, Autopsy®, and other open source digital investigation tools. From here, you can find documents, case studies, and download the latest versions of the software.
thewhiteninja/ntfstool Forensics tool for NTFS (parser, mft, bitlocker, deleted files)
THIBER-ORG/userline Query and report user logons relations from MS Windows Security Events
trustedsec/SysmonCommunityGuide TrustedSec Sysinternals Sysmon Community Guide
ufrisk/LeechCore LeechCore - Physical Memory Acquisition Library & The LeechAgent Remote Memory Acquisition Agent
Uncoder.io Uncoder.IO is the online translator for SIEM saved searches, filters, queries, API requests, correlation and Sigma rules to help SOC Analysts, Threat Hunters and SIEM Engineers
USN Analytics USN Analytics is a tool that specializes in USN Journal ($UsnJrnl:$J) analysis
VSCMount Volume shadow copies mounter tool
Wazuh Open Source Host and Endpoint Security
williballenthin/EVTXtract EVTXtract recovers and reconstructs fragments of EVTX log files from raw binary data, including unallocated space and memory images.
williballenthin/INDXParse Tool suite for inspecting NTFS artifacts
williballenthin/process-forest process-forest is a tool that processes Microsoft Windows EVTX event logs that contain process accounting events and reconstructs the historical process heirarchies.
yampelo/beagle Beagle is an incident response and digital forensics tool which transforms security logs and data into graphs.
zodiacon/ProcMonXv2 Procmon-like tool that uses Event Tracing for Windows (ETW) instead of a kernel driver to provide event information.

Exploits

Link Description
externalist/exploit_playground Analysis of public exploits or my 1day exploits
FriendsOfPHP/security-advisories The PHP Security Advisories Database references known security vulnerabilities in various PHP projects and libraries. This database must not serve as the primary source of information for security issues, it is not authoritative for any referenced software, but it allows to centralize information for convenience and easy consumption.
gellin/TeamViewer_Permissions_Hook_V1 A proof of concept injectable C++ dll, that uses naked inline hooking and direct memory modification to change your TeamViewer permissions.
HASecuritySolutions/VulnWhisperer Create actionable data from your Vulnerability Scans
hasherezade/process_doppelganging My implementation of enSilo's Process Doppelganging (PE injection technique)
itm4n/UsoDllLoader Windows - Weaponizing privileged file writes with the Update Session Orchestrator service
jollheef/out-of-tree out-of-tree kernel {module, exploit} development tool
opencve/opencve CVE Alerting Platform
ScottyBauer/Android_Kernel_CVE_POCs A list of my CVE's with POCs
smgorelik/Windows-RCE-exploits The exploit samples database is a repository for **RCE** (remote code execution) exploits and Proof-of-Concepts for **WINDOWS**, the samples are uploaded for education purposes for red and blue teams.
Spajed/processrefund An attempt at Process Doppelgänging
spencerdodd/kernelpop Kernel privilege escalation enumeration and exploitation framework
tunz/js-vuln-db A collection of JavaScript engine CVEs with PoCs
victims/victims-cve-db This database contains information regarding CVE(s) that affect various language modules. We currently store version information corresponding to respective modules as understood by select sources.
VulnReproduction/LinuxFlaw This repo records all the vulnerabilities of linux software I have reproduced in my local workspace
xairy/kernel-exploits A bunch of proof-of-concept exploits for the Linux kernel

Hardening

Link Description
Security Technical Implementation Guides (STIGs) The Security Technical Implementation Guides (STIGs) are the configuration standards for DOD IA and IA-enabled devices/systems.
Strategies to Mitigate Cyber Security Incidents The Australian Signals Directorate (ASD) has developed prioritised mitigation strategies to help technical cyber security professionals in all organisations mitigate cyber security incidents. This guidance addresses targeted cyber intrusions, ransomware and external adversaries with destructive intent, malicious insiders, 'business email compromise' and industrial control systems.
Windows Security Baseline A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.

Hardware

Link Description
ufrisk/pcileech Direct Memory Access (DMA) Attack Software

Malware Analysis

Link Description
activecm/rita Real Intelligence Threat Analytics
adamkramer/rapid_env Rapid deployment of Windows environment (files, registry keys, mutex etc) to facilitate malware analysis
advanced-threat-research/IOCs Repository containing IOCs, MISP and Expert rules from our blogs
alexandreborges/malwoverview Malwoverview.py is a simple tool to perform an initial and quick triage on either a directory containing malware samples or a specific malware sample
APT Groups, Operations and Malware Search Engine APT Groups, Operations and Malware Search Engine
ashishb/android-malware Collection of android malware samples
AVCaesar AVCaesar is a malware analysis engine and repository
blackorbird/APT_REPORT Interesting apt report collection and some special ioc express
CapacitorSet/box-js A tool for studying JavaScript malware
CERT-Polska/drakvuf-sandbox DRAKVUF Sandbox - automated hypervisor-level malware analysis system
CERT-Polska/karton Distributed malware processing framework based on Python, Redis and MinIO.
CERT-Polska/mwdb-core Malware repository component for samples & static configuration with REST API interface.
CheckPointSW/showstopper ShowStopper is a tool for helping malware researchers explore and test anti-debug techniques or verify debugger plugins or other solutions that clash with standard anti-debug methods.
Contagio Malwarre dump
CriticalPathSecurity/Zeek-Intelligence-Feeds Zeek-Formatted Threat Intelligence Feeds
Cryptam Document Scanner Encrypted/obfuscated malicious document analyzer
cmu-sei/cyobstract A tool to extract structured cyber information from incident reports.
CRXcavator CRXcavator automatically scans the entire Chrome Web Store every 3 hours and produces a quantified risk score for each Chrome Extension based on several factors.
countercept/snake snake - a malware storage zoo
D4stiny/spectre A Windows kernel-mode rootkit that abuses legitimate communication channels to control a machine.
DAS MALWERK DAS MALWERK - your one stop shop for fresh malware samples
DoctorWebLtd/malware-iocs This repository contains Indicators of Compromise (IOCs) related to our investigations.
droidefense/engine Droidefense: Advance Android Malware Analysis Framework
ecstatic-nobel/Analyst-Arsenal Phishing kits hunting
EFForg/yaya Yet Another Yara Automaton - Automatically curate open source yara rules and run scans
eset/malware-ioc Indicators of Compromises (IOC) of our various investigations
FAME FAME Automates Malware Evaluation
fireeye/flashmingo Automatic analysis of SWF files based on some heuristics. Extensible via plugins.
fireeye/iocs FireEye Publicly Shared Indicators of Compromise (IOCs)
felixweyne/imaginaryC2 Imaginary C2 is a python tool which aims to help in the behavioral (network) analysis of malware. Imaginary C2 hosts a HTTP server which captures HTTP requests towards selectively chosen domains/IPs. Additionally, the tool aims to make it easy to replay captured Command-and-Control responses/served payloads.
FortyNorthSecurity/WMImplant This is a PowerShell based tool that is designed to act like a RAT. Its interface is that of a shell where any command that is supported is translated into a WMI-equivalent for use on a network/remote machine. WMImplant is WMI based.
godaddy/procfilter A YARA-integrated process denial framework for Windows
ips-bph-framework BLACKPHENIX is an open source malware analysis automation framework composed of services, scripts, plug-ins, and tools and is based on a Command-and-Control (C&C) architecture
gen0cide/gscript Framework to rapidly implement custom droppers for all three major operating systems
glmcdona/Process-Dump Windows tool for dumping malware PE files from memory back to disk for analysis.
google/vxsig Automatically generate AV byte signatures from sets of similar binaries.
GoSecure/malboxes Builds malware analysis Windows VMs so that you don't have to.
GreatSCT/GreatSCT The project is called Great SCT (Great Scott). Great SCT is an open source project to generate application white list bypasses. This tool is intended for BOTH red and blue team
Have I Been Emotet Check if your email address or domain is involved in the Emotet malspam (name@domain.ext or domain.ext). Your address can be marked as a SENDER (FAKE or REAL), as a RECIPIENT or any combination of the three.
hasherezade/libpeconv/runpe RunPE (aka Process Hollowing) is a well known technique allowing to injecting a new PE into a remote processes, imprersonating this process. The given implementation works for PE 32bit as well as 64bit.
hasherezade/pe-sieve Scans a given process, searching for the modules containing in-memory code modifications. When found, it dumps the modified PE.
Hatching Triage Triage is our state-of-the-art malware analysis sandbox designed for cross-platform support (Windows, Android, Linux, and macOS), high-volume malware analysis capabilities, and configuration extraction for numerous malware families.
hegusung/AVSignSeek Tool written in python3 to determine where the AV signature is located in a binary/payload
hlldz/SpookFlare Loader, dropper generator with multiple features for bypassing client-side and network-side countermeasures.
Hybrid-Analysis Free Automated Malware Analysis Service
InQuest/ThreatIngestor An extendable tool to extract and aggregate IOCs from threat feeds.
IRIS-H IRIS-H is an online digital forensics tool that performs automated static analysis of files stored in a directory-based or strictly structured formats.
jgamblin/Mirai-Source-Code Leaked Mirai Source Code for Research/IoC Development Purposes.
jgamblin/JPCERTCC/MalConfScan Volatility plugin for extracts configuration data of known malware
JohnLaTwC/PyPowerShellXray Python script to decode common encoded PowerShell scripts
KasperskyLab/klara Klara project is aimed at helping Threat Intelligence researechers hunt for new malware using Yara.
katjahahn/PortEx Java library to analyse Portable Executable files with a special focus on malware analysis and PE malformation robustness
kevoreilly/CAPEv2 Malware Configuration And Payload Extraction
kirk-sayre-work/VBASeismograph A tool for detecting VBA stomping.
Koodous Koodous is a collaborative platform that combines the power of online analysis tools with social interactions between the analysts over a vast APKs repository.
LordNoteworthy/al-khaser Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection.
Mac Malware Mac Malware by Objective-See
marcosd4h/memhunter Live hunting of code injection techniques
Malc0de database Malc0de database
maliceio/malice Malice's mission is to be a free open source version of VirusTotal that anyone can use at any scale from an independent researcher to a fortune 500 company.
Malpedia The primary goal of Malpedia is to provide a resource for rapid identification and actionable context when investigating malware. Openness to curated contributions shall ensure an accountable level of quality in order to foster meaningful and reproducible research.
MalShare A free Malware repository providing researchers access to samples, malicous feeds, and Yara results
MalwareBazaar Database MalwareBazaar is a project operated by abuse.ch. The purpose of the project is to collect and share malware samples, helping IT-security researchers and threat analyst protecting their constituency and customers from cyber threats.
MalwareCantFly/Vba2Graph Vba2Graph - Generate call graphs from VBA code, for easier analysis of malicious documents.
malwaredllc/byob BYOB (Build Your Own Botnet)
malwareinfosec/EKFiddle A framework based on the Fiddler web debugger to study Exploit Kits, malvertising and malicious traffic in general.
Malwaretiverse maltiverse - Connect the dots - The definitive IoC search engine
Malwares Malware SRC Database
Malware Static Analysis The following interface stands in front of a live engine which takes binary files and runs them against a pletora of hundreds YARA rules.
marcoramilli/PhishingKitTracker An extensible and freshly updated collection of phishingkits for forensics and future analysis topped with simple stats
matterpreter/DefenderCheck Identifies the bytes that Microsoft Defender flags on.
mindcollapse/MalwareMultiScan Self-hosted VirusTotal / MetaDefender wannabe with API, demo UI and Scanners running in Docker.
MinervaLabsResearch/Mystique Mystique may be used to discover infection markers that can be used to vaccinate endpoints against malware. It receives as input a malicious sample and automatically generates a list of mutexes that could be used to as "vaccines" against the sample
mitchellkrogza/Phishing.Database Phishing Domains, urls websites and threats database. We use the PyFunceble testing tool to validate the status of all known Phishing domains and provide stats to reveal how many unique domains used for Phishing are still active
mohamedaymenkarmous/alienvault-otx-api-html AlienVault OTX API-based project with HTML (pure HTML or mixed PNG screenshots) reports pages that looks like the real AlienVault OTX website
NavyTitanium/Fake-Sandbox-Artifacts This script allows you to create various artifacts on a bare-metal Windows computer in an attempt to trick malwares that looks for VM or analysis tools
nbeede/BoomBox Automatic deployment of Cuckoo Sandbox malware lab using Packer and Vagrant
nbulischeck/tyton Linux Kernel-Mode Rootkit Hunter for 4.4.0-31+
Neo23x0/APTSimulator A toolset to make a system look as if it was the victim of an APT attack
Neo23x0/exotron Sandbox feature upgrade with the help of wrapped samples
nsmfoo/antivmdetection Script to create templates to use with VirtualBox to make vm detection harder
ntddk/virustream A script to track malware IOCs with OSINT on Twitter.
OALabs/BlobRunner Quickly debug shellcode extracted during malware analysis
OALabs/PyIATRebuild Automatically rebuild Import Address Table for dumped PE file. With python bindings!
oasis-open/cti-stix-generator OASIS Cyber Threat Intelligence (CTI) TC: A tool for generating STIX content for prototyping and testing.
ohjeongwook/PowerShellRunBox Dynamic PowerShell analysis framework
outflanknl/EvilClippy A cross-platform assistant for creating malicious MS Office documents. Can hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools. Runs on Linux, OSX and Windows.
P4T12ICK/ypsilon Ypsilon is an Automated Security Use Case Testing Environment using real malware to test SIEM use cases in an closed environment. Different tools such as Ansible, Cuckoo, VirtualBox, Splunk and ELK are combined to determine the quality of a SIEM use case by testing any number of malware against a SIEM use case. Finally, a test report is generated giving insight to the quality of an use case.
pan-unit42/iocs Indicators from Unit 42 Public Reports
phage-nz/ph0neutria ph0neutria is a malware zoo builder that sources samples straight from the wild. Everything is stored in Viper for ease of access and manageability.
PwCUK-CTO/rtfsig A tool to help malware analysts signature unique parts of RTF documents
python-iocextract Advanced Indicator of Compromise (IOC) extractor
quarkslab/irma IRMA is an asynchronous & customizable analysis system for suspicious files.
quasar/QuasarRAT Quasar is a fast and light-weight remote administration tool coded in C#. Providing high stability and an easy-to-use user interface, Quasar is the perfect remote administration solution for you.
rastrea2r/rastrea2r Collecting & Hunting for IOCs with gusto and style
SafeBreach-Labs/mkmalwarefrom Proof-of-concept two-stage dropper generator that uses bits from external sources
SentineLabs/SentinelLabs_RevCore_Tools The Windows Malware Analysis Reversing Core Tools
SEKOIA Dropper Analysis SEKOIA Dropper Analysis
SpamScope/spamscope Fast Advanced Spam Analysis Tool
SpiderLabs/IOCs-IDPS This repository will hold PCAP IOC data related with known malware samples (owner: Bryant Smith)
t4d/PhishingKitHunter Find phishing kits which use your brand/organization's files and image.
target/halogen Automatically create YARA rules from malicious documents.
ThisIsLibra/MalPull A CLI interface to search for a MD-5/SHA-1/SHA-256 hash on multiple malware databases and download the sample from the first hit
ThreatShare ThreatShare is an advanced threat tracker that publicly tracks command & control servers for malware.
tomchop/malcom Malcom - Malware Communications Analyzer
UNIT 42: Playbook Viewver Viewing PAN Unit 42's adversary playbook via web interface
UNPACME An automated malware unpacking service from OpenAnalysis
ytisf/theZoo A repository of LIVE malwares for your own joy and pleasure
VirusBay VirusBay is a web-based, collaboration platform that connects security operations center (SOC) professionals with relevant malware researchers
VirusShare VirusShare.com is a repository of malware samples to provide security researchers, incident responders, forensic analysts, and the morbidly curious access to samples of live malicious code
VX Vault VX Vault
zerofox-oss/phishpond Because phishtank was taken.. explore phishing kits in a contained environment!
zerosum0x0/smbdoor kernel backdoor via registering a malicious SMB handler

Mobile Security

Link Description
ac-pm/Inspeckage Android Package Inspector - dynamic analysis with api hooks, start unexported activities and more. (Xposed Module)
AIR GO AIR GO detects obfuscation, vulnerabilities, open-source license issues, and malware by analyzing mobile apps and websites. It uses industry-leading technology to detect security threats and provide an improvement plan.
apkdetect Android malware analysis and classification platform
Apktool A tool for reverse engineering Android apk files
chaitin/passionfruit Simple iOS app blackbox assessment tool. Powered by frida.re and vuejs.
dpnishant/appmon AppMon is an automated framework for monitoring and tampering system API calls of native macOS, iOS and android apps. It is based on Frida.
Cycript Cycript allows developers to explore and modify running applications on either iOS or Mac OS X using a hybrid of Objective-C++ and JavaScript syntax through an interactive console that features syntax highlighting and tab completion
dmayer/idb idb is a tool to simplify some common tasks for iOS pentesting and research
Drozer Comprehensive security and attack framework for Android
frida/frida Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
iSECPartners/Android-SSL-TrustKiller Bypass SSL certificate pinning for most applications
KJCracks/Clutch Fast iOS executable dumper
linkedin/qark Tool to look for several security related Android application vulnerabilities
m0bilesecurity/RMS-Runtime-Mobile-Security Runtime Mobile Security (RMS) is a powerful web interface that helps you to manipulate Android Java Classes and Methods at Runtime
MobSF/Mobile-Security-Framework-MobSF Mobile Security Framework is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static analysis, dynamic analysis, malware analysis and web API testing
mwrlabs/needle The iOS Security Testing Framework
nccgroup/house A runtime mobile application analysis toolkit with a Web GUI, powered by Frida, written in Python.
nygard/class-dump Generate Objective-C headers from Mach-O files
pxb1988/dex2jar Tools to work with android .dex and java .class files
quark-engine/quark-engine An Obfuscation-Neglect Android Malware Scoring System
RealityNet/kobackupdec Huawei backup decryptor
sensepost/objection objection is a runtime mobile exploration toolkit, powered by Frida. It was built with the aim of helping assess mobile applications and their security posture without the need for a jailbroken or rooted mobile device.
skylot/jadx Dex to Java decompiler
stefanesser/dumpdecrypted Dumps decrypted mach-o files from encrypted iPhone applications from memory to disk. This tool is necessary for security researchers to be able to look under the hood of encryption.
swdunlop/AndBug Android Debugging Library
tcurdt/iProxy Let's you connect your laptop to the iPhone to surf the web.

Network Security

Link Description
Arkime Arkime (formerly Moloch) is a large scale, open source, indexed packet capture and search tool.
aol/moloch Moloch is an open source, large scale, full packet capturing, indexing, and database system
austin-taylor/flare An analytical framework for network traffic and behavioral analytics
certego/PcapMonkey PcapMonkey will provide an easy way to analyze pcap using the latest version of Suricata and Zeek.
crowdsecurity/crowdsec/ Crowdsec - An open-source, lightweight agent to detect and respond to bad behaviours. It also automatically benefits from our global community-wide IP reputation database.
blechschmidt/massdns A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration)
byt3bl33d3r/MITMf Framework for Man-In-The-Middle attacks
cisco/mercury Mercury: network metadata capture and analysis
dhoelzer/ShowMeThePackets Useful network monitoring, analysis, and active response tools used or mentioned in the SANS SEC503 course
DNSdumpster.com dns recon & research, find & lookup dns records
eldraco/domain_analyzer Analyze the security of any domain by finding all the information possible. Made in python.
fireeye/flare-fakenet-ng FakeNet-NG - Next Generation Dynamic Network Analysis Tool
infobyte/evilgrade Evilgrade is a modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates. It comes with pre-made binaries (agents), a working default configuration for fast pentests, and has it's own WebServer and DNSServer modules. Easy to set up new settings, and has an autoconfiguration when new binary agents are set.
joswr1ght/cowpatty coWPAtty: WPA2-PSK Cracking
joswr1ght/nm2lp Convert Windows Netmon Monitor Mode Wireless Packet Captures to Libpcap Format
michenriksen/aquatone AQUATONE is a set of tools for performing reconnaissance on domain names. It can discover subdomains on a given domain by using open sources as well as the more common subdomain dictionary brute force approach. After subdomain discovery, AQUATONE can then scan the hosts for common web ports and HTTP headers, HTML bodies and screenshots can be gathered and consolidated into a report for easy analysis of the attack surface.
nesfit/NetfoxDetective NFX Detective is a novel Network forensic analysis tool that implements methods for extraction of application content from communication using supported protocols.
NetworkScan Mon NetworkScan Monitor by Netlab 360
odedshimon/BruteShark BruteShark is a Network Forensic Analysis Tool (NFAT) that performs deep processing and inspection of network traffic (mainly PCAP files)
PacketTotal A free, online PCAP analysis engine
PolarProxy PolarProxy is a transparent SSL/TLS proxy created for incident responders and malware researchers. PolarProxy is primarily designed to intercept and decrypt TLS encrypted traffic from malware. PolarProxy decrypts and re-encrypts TLS traffic, while also saving the decrypted traffic in a PCAP file that can be loaded into Wireshark or an intrusion detection system (IDS).
sensepost/routopsy Routopsy is a toolkit built to attack often overlooked networking protocols. Routopsy currently supports attacks against Dynamic Routing Protocols (DRP) and First-Hop Redundancy Protocols (FHRP).
qeeqbox/chameleon Customizable honeypots for monitoring network traffic, bots activities and username\password credentials (DNS, HTTP Proxy, HTTP, HTTPS, SSH, POP3, IMAP, STMP, RDP, VNC, SMB, SOCKS5, Redis, TELNET, Postgres and MySQL)
USArmyResearchLab/Dshell An extensible network forensic analysis framework. Enables rapid development of plugins to support the dissection of network packet captures.
WiGLE Maps and database of 802.11 wireless networks, with statistics, submitted by wardrivers, netstumblers, and net huggers.
WireEdit First-Of-A-Kind And The Only Full Stack WYSIWYG Pcap Editor
The ZMap Project The ZMap Project is a collection of open source tools that enable researchers to perform large-scale studies of the hosts and services that compose the public Internet.

Open-source Intelligence (OSINT)

Link Description
althonos/InstaLooter Another API-less Instagram pictures and videos downloader.
americanexpress/earlybird EarlyBird is a sensitive data detection tool capable of scanning source code repositories for clear text password violations, PII, outdated cryptography methods, key files and more.
arch4ngel/peasant LinkedIn reconnaissance tool
byt3bl33d3r/WitnessMe Web Inventory tool, takes screenshots of webpages using Pyppeteer (headless Chrome/Chromium) and provides some extra bells & whistles to make life easier.
CellID Finder Find GSM base stations cell id coordinates
CellMapper Cellular Coverage and Tower Map
Certificate Search crt.sh | Certificate
danieleperera/onioningestor An extendable tool to Collect, Crawl and Monitor onion sites on tor network and index collected information on Elasticsearch
Dargle Dargle serves as a data aggregation platform for dark web domains. Hidden services on the dark web prove difficult to navigate, but by crawling the clear web, one can accumulate a directory of sorts for these hidden services.
dark.fail: Is a darknet site online? dark.fail: Is a darknet site online?
DomainBigData DomainBigData is a big database of domains and whois records
danieliu/play-scraper A web scraper to retrieve application data from the Google Play Store.
DataSploit/datasploit An #OSINT Framework to perform various recon techniques on Companies, People, Phone Number, Bitcoin Addresses, etc., aggregate all the raw data, and give data in multiple formats.
felix83000/Watcher Watcher - Open Source Cybersecurity Threat Hunting Platform. Developed with Django & React JS.
Epieos Tools - Google Account Finder An online tool to retrieve sensitive information like google maps reviews, public photos, displayed name, usage of google services such as YouTube, Hangouts
FOFA Pro The Cyberspace Search Engine, Security Situation Awareness
GhostProject Database Lookup of 1.4 Billion Password Breach Compilation
GreyNoise Visualizer GreyNoise Visualizer
haccer/twint An advanced Twitter scraping & OSINT tool written in Python that doesn't use Twitter's API, allowing you to scrape a user's followers, following, Tweets and more while evading most API limitations.
I Know What You Download Torrent downloads and distributions for IP
ImmuniWeb Domain Security Test | Detect Dark Web Exposure, Phishing, Squatting and Trademark Infringement
IntelligenceX Search Tor, I2P, data leaks, public web.|
InQuest/omnibus The OSINT Omnibus
intelowlproject/IntelOwl Intel Owl: analyze files, domains, IPs in multiple ways from a single API at scale
iptv-org/iptv Collection of 8000+ publicly available IPTV channels from all over the world
jofpin/trape People tracker on the Internet: OSINT analysis and research tool.
lanrat/certgraph An open source intelligence tool to crawl the graph of certificate Alternate Names
LeakIX This project goes around the internet and finds services to index them.
Leak-Lookup Data Breach Search Engine
leapsecurity/InSpy A python based LinkedIn enumeration tool
loseys/Oblivion Data leak checker & OSINT Tool
megadose/holehe holehe allows you to check if the mail is used on different sites like twitter, instagram and will retrieve information on sites with the forgotten password function.
mxrch/ghunt GHunt is an OSINT tool to extract a lot of informations of someone's Google Account email.
nccgroup/scrying A tool for collecting RDP, web and VNC screenshots all in one place
ninoseki/mihari A helper to run OSINT queries & manage results continuously
OCCRP Data Search 102m public records and leaks from 179 sources
OpenCelliD OpenCelliD - Largest Open Database of Cell Towers & Geolocation - by Unwired Labs
OSINT.SH ALL IN ONE INFORMATION GATHERING TOOLS
OWASP/Amass In-depth Attack Surface Mapping and Asset Discovery
PaperMtn/gitlab-watchman Monitoring GitLab for sensitive data shared publicly
Pastebin dump collection Pastebin dump collection
Phonebook.cz Phonebook lists all domains, email addresses, or URLs for the given input domain.
s-rah/onionscan OnionScan is a free and open source tool for investigating the Dark Web.
same.energy Tweet Search Engine
SnusBase The longest standing data breach search engine.
sshell/reddit-analyzer find out when and where someone is posting to reddit
SpiderFoot SpiderFoot - Opensource Intelligence Automation
sundowndev/PhoneInfoga Advanced information gathering & OSINT framework for phone numbersAdvanced information gathering & OSINT framework for phone numbers
superhedgy/AttackSurfaceMapper AttackSurfaceMapper is a tool that aims to automate the reconnaissance process.
Recon-NG Recon-ng is a reconnaissance tool with an interface similar to Metasploit. Running recon-ng from the command line you enter a shell like environment where you can configure options, perform recon and output results to different report types.
WebBreacher/WhatsMyName This repository has the unified data required to perform user enumeration on various websites. Content is in a JSON file and can easily be used in other projects.
WhatsMyName Web This tool allows you to enumerate usernames across many websites
woj-ciech/kamerka Build interactive map of cameras from Shodan
woj-ciech/SocialPath Track users across social media platform
yogeshojha/rengine reNgine is an automated reconnaissance framework meant for information gathering during penetration testing of web applications. reNgine has customizable scan engines, which can be used to scan the websites, endpoints, and gather information.

Password Cracking and Wordlists

berzerk0/Probable-Wordlists Wordlists sorted by probability originally created for password generation and testing - make sure your passwords aren't popular!
byt3bl33d3r/SprayingToolkit Scripts to make password spraying attacks against Lync/S4B & OWA a lot quicker, less painful and more efficient
f0cker/crackq CrackQ: A Python Hashcat cracking queue system
fireeye/gocrack GoCrack provides APIs to manage password cracking tasks across supported cracking engines.
sc0tfree/mentalist Mentalist is a graphical tool for custom wordlist generation. It utilizes common human paradigms for constructing passwords and can output the full wordlist as well as rules compatible with Hashcat and John the Ripper.
trustedsec/hate_crack A tool for automating cracking methodologies through Hashcat from the TrustedSec team.
danielmiessler/SecLists SecLists is the security tester's companion. It is a collection of multiple types of lists used during security assessments. List types include usernames, passwords, URLs, sensitive data grep strings, fuzzing payloads, and many more.

Social Engineering

Link Description
AlteredSecurity/365-Stealer/ 365-Stealer is the tool written in python3 which steals data from victims office365 by using access_token which we get by phishing. It steals outlook mails, attachments, OneDrive files, OneNote notes and injects macros.
BiZken/PhishMailer Generate Professional Phishing Emails Fast And Easy
boxug/trape People tracker on the Internet: Learn to track the world, to avoid being traced.
dafthack/MailSniper MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used as a non-administrative user to search their own email, or by an administrator to search the mailboxes of every user in a domain.
drk1wi/Modlishka Modlishka. Reverse Proxy. Phishing NG.
certsocietegenerale/swordphish-awareness Swordphish is a plateform allowing to create and manage fake phishing campaigns.
curtbraz/Phishing-API Comprehensive Web Based Phishing Suite of Tools for Rapid Deployment and Real-Time Alerting!
Simple Email Reputation Illuminate the "reputation" behind an email address
fireeye/ReelPhish ReelPhish: A Real-Time Two-Factor Phishing Tool
gophish/gophish Gophish is an open-source phishing toolkit designed for businesses and penetration testers. It provides the ability to quickly and easily setup and execute phishing engagements and security awareness training
kgretzky/evilginx2 Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication
Mailsploit TL;DR: Mailsploit is a collection of bugs in email clients that allow effective sender spoofing and code injection attacks. The spoofing is not detected by Mail Transfer Agents (MTA) aka email servers, therefore circumventing spoofing protection mechanisms such as DMARC (DKIM/SPF) or spam filters.
mdsecactivebreach/o365-attack-toolkit o365-attack-toolkit allows operators to perform an OAuth phishing attack and later on use the Microsoft Graph API to extract interesting information.
muraenateam/muraena Muraena is an almost-transparent reverse proxy aimed at automating phishing and post-phishing activities.
Pretext Project Open-Source Collection of Social Engineering Pretexts
Raikia/UhOh365 A script that can see if an email address is valid in Office365 (user/email enumeration). This does not perform any login attempts, is unthrottled, and is incredibly useful for social engineering assessments to find which emails exist and which don't.
ring0lab/catphish Generate similar-looking domains for phishing attacks. Check expired domains and their categorized domain status to evade proxy categorization. Whitelisted domains are perfect for your C2 servers.
securestate/king-phisher Phishing Campaign Toolkit
thelinuxchoice/blackeye The most complete Phishing Tool, with 32 templates +1 customizable
thelinuxchoice/shellphish Phishing Tool for 18 social media: Instagram, Facebook, Snapchat, Github, Twitter, Yahoo, Protonmail, Spotify, Netflix, Linkedin, Wordpress, Origin, Steam, Microsoft, InstaFollowers, Gitlab, Pinterest
Undeadsec/EvilURL An unicode domain phishing generator for IDN Homograph Attack
UndeadSec/SocialFish Ultimate phishing tool. Socialize with the credentials
ustayready/CredSniper CredSniper is a phishing framework written with the Python micro-framework Flask and Jinja2 templating which supports capturing 2FA tokens.

Vulnerable

Link Description
appsecco/VyAPI VyAPI - A cloud based vulnerable hybrid Android App
AutomatedLab/AutomatedLab AutomatedLab is a provisioning solution and framework that lets you deploy complex labs on HyperV and Azure with simple PowerShell scripts. It supports all Windows operating systems from 2008 R2 to 2016 including Nano Server and various products like AD, Exchange, PKI, IIS, etc.
avishayil/caponeme Repository demonstrating the Capital One breach on your AWS account
Azure/Convex Cloud Open-source Network Vulnerability Exploitation eXperience (CONVEX) spins up Capture The Flag environments in your Azure tenant for participants to play through.
Billy-Ellis/Exploit-Challenges A collection of vulnerable ARM binaries for practicing exploit development
bkerler/exploit_me Very vulnerable ARM application (CTF style exploitation tutorial)
bkimminich/juice-shop OWASP Juice Shop is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws.
bridgecrewio/terragoat TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
clong/DetectionLab Vagrant & Packer scripts to build a lab environment complete with security tooling and logging best practices
cliffe/SecGen SecGen creates vulnerable virtual machines so students can learn security penetration testing techniques.
Lenas Reversing for Newbies Nice collection of tutorials aimed particularly for newbie reverse enginners...
google/google-ctf This repository lists most of the challenges used in the Google CTF 2017. The missing challenges are not ready to be open-sourced, or contain third-party code.
nccgroup/sadcloud A tool for standing up (and tearing down!) purposefully insecure cloud infrastructure
OWASP/iGoat-Swift OWASP iGoat (Swift) - A Damn Vulnerable Swift Application for iOS
rapid7/hackazon A modern vulnerable web app
rewanth1997/Damn-Vulnerable-Bank Vulnerable Banking Application for Android
Reverse Engineering Welcome to the Reverse Engineering open course! This course is a journey into executable binaries and operating systems from 3 different angles: 1) Malware analysis, 2) Bug hunting and 3) Exploit writing. Both Windows and Linux x86/x86_64 platforms are under scope.
sagishahar/lpeworkshop Windows / Linux Local Privilege Escalation Workshop
SEED Labs Various labs from SEED Project
Vulnerable Docker VM Ever fantasized about playing with docker misconfigurations, privilege escalation, etc. within a container?