#Dfir
Showing 60 of 107 repositories tagged #dfir, ranked by stars
List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc.
A curated list of tools for incident response
Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.
Automate the creation of a lab environment complete with security tooling and logging best practices
IntelOwl: manage your Threat Intelligence at scale
Loki - Simple IOC and YARA Scanner
Rapidly Search and Hunt through Windows Forensic Artefacts
Collaborative forensic timeline analysis
Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
Investigate malicious Windows logon by visualizing and analyzing Windows event log
Digital Forensics Guide. Learn all about Digital Forensics, Computer Forensics, Mobile device Forensics, Network Forensics, and Database Forensics.
Educational, CTF-styled labs for individuals interested in Memory Forensics
VirusTotal Wanna Be - Now with 100% more Hipster
A curated knowledge base to build, run and mature a SOC (including CSIRT).
You didn't think I'd go and leave the blue team out, right?
KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules.
Awesome Security lists for SOC/CERT/CTI
Open source security data lake for threat hunting, detection & response, and cybersecurity analytics at petabyte scale on AWS
UAC is a powerful and extensible incident response tool designed for forensic investigators, security analysts, and IT professionals. It automates the collection of artifacts from a wide range of Unix-like systems, including AIX, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris.
Beagle is an incident response and digital forensics tool which transforms security logs and data into graphs.
Malcom - Malware Communications Analyzer
A DFIR tool written in Python.
Extract and aggregate threat intelligence.
A collection of resources for Threat Hunters
Historical Windows temporal memory-state research artifact for studying time-bound memory observations, validation limits, and defensive visibility.
Digital Forensics Investigation Platform
A standalone SIGMA-based detection tool for EVTX, Auditd and Sysmon for Linux logs
Repository for threat hunting and detection queries, etc. for Defender for Endpoint and Microsoft Sentinel in KQL(Kusto Query Language).
A Cloud Forensics Powershell module to run threat hunting playbooks on data from Azure and O365
Automation and Scaling of Digital Forensics Tools
MasterParser is a powerful DFIR tool designed for analyzing and parsing Linux logs
Documentation and scripts to properly enable Windows event logs.
Windows应急响应工具---Hawkeye(鹰眼)。集Windows日志分析,进程扫描,主机信息于一体的综合应急响应分析工具
A simple application that extracts your IoCs from garbage input and checks their reputation using multiple CTI services.
The goal of this repo is to archive artifacts from all versions of various OS's and categorizing them by type. This will help with artifact validation processes as well as increase access to artifacts that may no longer be readily available anymore.
:no_entry: (DEPRECATED) Diffy is a triage tool used during cloud-centric security incidents, to help digital forensics and incident response (DFIR) teams quickly identify suspicious hosts on which to focus their response.
Living Off the Orchard: macOS Binaries (LOOBins) is designed to provide detailed information on various built-in "living off the land" macOS binaries and how they can be used by threat actors for malicious purposes.
swap_digger is a tool used to automate Linux swap analysis during post-exploitation or forensics. It automates swap extraction and searches for Linux user credentials, web forms credentials, web forms emails, http basic authentication, Wifi SSID and keys, etc.
Extracted Yara rules from Windows Defender mpavbase and mpasbase
A Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.
Documentation and Sharing Repository for ThreatPinch Lookup Chrome & Firefox Extension
CLI tools for forensic investigation of Windows artifacts
RdpCacheStitcher is a tool that supports forensic analysts in reconstructing useful images out of RDP cache bitmaps.
With EmailAnalyzer you can analyze your suspicious emails. You can extract headers, links, and hashes from the .eml file and you can generate reports.
A portable OSINT Swiss Army Knife for DFIR/OSINT professionals 🕵️ 🕵️ 🕵️
PowerShell module for Office 365 and Azure log collection
A curated list of tools for incident response. With repository stars⭐ and forks🍴
Curated Windows event log Sigma rules used in Hayabusa and Velociraptor.
The official repo for a project involving a crowdsourced DFIR book. The main purpose of this book is to give anyone interested an opportunity to write a chapter of a book to get their name out there, get a publication on their resume with an actual ISBN number, and ideally lower the bar for people to contribute something back to the DFIR Community. Want to write a chapter? Let me know and let's make it happen!
Threat Hunting & Incident Investigation with Osquery
Implementation of RITA (Real Intelligence Threat Analytics) in Jupyter Notebook with improved scoring algorithm.
Unprotect is a collaborative platform dedicated to uncovering and documenting malware evasion techniques. We invite you to join us in this exciting journey and add your expertise to our collective efforts. By contributing, you’ll help strengthen the project and push the boundaries of what we can achieve together.
KQL Queries. Microsoft Defender, Microsoft Sentinel
Wireless ADB, over the internet; not just local Wi-Fi. An encrypted, censorship-resistant mesh VPN making remote forensics and network monitoring seamless.
Suzaku (朱雀) is a sigma-based threat hunting and fast forensics timeline generator for cloud logs.
A really good DFIR automation for collecting and analyzing evidence designed for cybersecurity professionals.
Tools for the Computer Incident Response Team :computer:
Build AI-powered security tools. 50+ hands-on labs covering ML, LLMs, RAG, threat detection, DFIR, and red teaming. Includes Colab notebooks, Docker environment, and CTF challenges.
Visually inspect and force decode YARA and regex matches found in both binary and text data with colors. Lots of colors.
Cross-platform incident response toolkit. 28 pre-built use cases, single binary, zero install. Memory, disk, network, and cloud collection with automated timeline generation.