Name | Site | Tags | Pricing | Description |
---|---|---|---|---|
AccessData FTK Imager | disk image creationlive memory acquisition | Free | Forensics tool whose main purpose is to preview recoverable data from a disk of any kind. FTK Imager can also acquire live memory and paging file on 32bit and 64bit systems. | |
AChoir | artifact collectionwindowsacquisition | Free | Framework/scripting tool to standardize and simplify the process of scripting live acquisition utilities for Windows. | |
AMAaaS | sandboxapk analysisandroidsaas | Free | Android Malware Analysis as a Service, executed in a native Android environment. | |
anlyz.io | file analysisurl analysissaas | Free | Malware sandbox to analyze file and url with a main dashboard and search features! | |
Any Run | sandboxsaas | FreeCommercial | Malware hunting with live access to the
heart of an incident Watch the epidemic as if it was on your computer, but in a more convenient and secure way, with a variety of monitoring features. | |
AppCompatProcessor | logparsingosxlinux | FreeBeta | AppCompatProcessor has been designed to extract additional value from enterprise-wide AppCompat / AmCache data beyond the classic stacking
and grepping techniques. | |
Appliance for Digital Investigation and Analysis (ADIA) | linux distributionall-in-oneforensics | Free | VMware-based appliance used for digital investigation and acquisition and is built entirely from public domain software. Among the tools contained in ADIA are Autopsy, the Sleuth Kit, the Digital Forensics Framework, log2timeline, Xplico, and Wireshark. Most of the system maintenance uses Webmin. It is designed for small-to-medium sized digital investigations and acquisitions. The appliance runs under Linux, Windows, and Mac OS. Both i386 (32-bit) and x86_64 (64-bit) versions are available. | |
APTSimulator | adversary emulation | Free | APT Simulator is a Windows Batch script that uses a set of tools and output files to make a system look as if it was compromised. In contrast to other adversary simulation tools, APT Simulator is deisgned to make the application as simple as possible. You don't need to run a web server, database or any agents on set of virtual machines. Just download the prepared archive, extract and run the contained Batch file as Administrator. Running APT Simulator takes less than a minute of your time. | |
artifactcollector | artifact collection | Free | The artifactcollector project provides a software that collects forensic artifacts on systems. These artifacts can be used in forensic investigations to understand attacker behavior on compromised computers. | |
Atomic Red Team | adversary emulation | Free | Atomic Red Team allows every security team to test their controls by executing simple "atomic tests" that exercise the same techniques used by adversaries (all mapped to Mitre's ATT&CK). | |
ATT&CK Evaluations | solutions evaluations | Free | ||
ATT&CK Simulator | adversary emulation | Free | This project provides a set of tooling for repeatedly executing and detecting adversary techniques. | |
Attack Data by Splunk | adversary emulationsplunk | Free | A Repository of curated datasets from various attacks to:
- Easily develop detections without having to build an environment from scratch or simulate an attack.
- Test detections, specifically Splunks Security Content
- Replay/inject into streaming pipelines for validating your detections in your production SIEM | |
Aurora Incident Response | reportingsirp | Free | Incident Response Documentation made easy. Developed by Incident Responders for Incident Responders. Aurora brings "Spreadsheet of Doom" used in the SANS FOR508 class to the next level. Having led many cases and taught so many students how to do IR right, I realized, that many struggle with keeping control over all the findings. That does not only prevent them from seeing what they already have, but even less so what they are missing. | |
Autopsy | all-in-oneforensicsanalyticsartifact collectionartifact analysis | Free | Autopsy® is an easy to use, GUI-based program that allows you to efficiently analyze hard drives and smart phones. It has a plug-in architecture that allows you to find add-on modules or develop custom modules in Java or Python. | |
AutoTTP | adversary emulation | Free | Automated Tactics Techniques & Procedures. Re-running complex sequences manually for regression tests, product evaluations, generate data for researchers & so on can be tedious. I toyed with the idea of making it easier to script Empire (or any frameworks/products/toolkits that provide APIs like Metasploit (RPC), Cobalt-Strike & so on) using IDE like Visual Studio Code (or equivalent). So I started to design AutoTTP. This is still very much work in progress. Test with Empire 2.2. | |
AVML | live memory acquisitionlinux | Free | A portable volatile memory acquisition tool for Linux. | |
Belkasoft Evidence Center X | all-in-oneforensics | Commercial | The toolkit will quickly extract digital evidence from multiple sources by analyzing hard drives, drive images, memory dumps, iOS, Blackberry and Android backups, UFED, JTAG and chip-off dumps. | |
Belkasoft Live RAM Capturer | live memory acquisitionwindows | Free | Tiny free forensic tool to reliably extract the entire content of the computer’s volatile memory – even if protected by an active anti-debugging or anti-dumping system. | |
Bitscout | disk image creation | Free | Bitscout is customizable live OS constructor tool written entirely in bash. It's main purpose is to help you quickly create own remote forensics bootable disk image. | |
Blue Team Training Toolkit (BT3) | adversary emulation | Free | Blue Team Training Toolkit (BT3) is software for defensive security training, which will bring your network analysis training sessions, incident response drills and red team engagements to a new level. BT3 has been created by Juan J. Güelfo, security expert and founder of Encripto. | |
bulk_extractor | artifact collection | Free | Computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. Because of ignoring the file system structure, the program distinguishes itself in terms of speed and thoroughness. | |
Cado Cloud Collector | acquisitioncloudawsec2instance imaging | Free | Cado Cloud Collector is a free solution to make forensic imaging of AWS EC2 instances a whole lot easier. | |
Cado Host | acquisitioncloudinstance imagingartifact collection | Free | Cado Host is a solution to acquire forensic artefacts from systems, into cloud storage. This enables you to perform a quick triage investigation of the target system. | |
Cado Live | acquisitionclouddisk image creationinstance imaging | Free | Cado Live is an all in one solution to forensically image local system drives into the cloud. | |
Caldera | adversary emulation | Free | Full documentation, training and use-cases can be found here.
CALDERA™ is a cyber security framework designed to easily run autonomous breach-and-simulation exercises. It can also be used to run manual red-team engagements or automated incident response.
It is built on the MITRE ATT&CK™ framework and is an active research project at MITRE. | |
CAPEv2 | sandboxmalware analysis | Free | CAPE is a malware sandbox. It is derived from Cuckoo and is designed to automate the process of malware analysis with the goal of extracting payloads and configuration from malware. This allows CAPE to detect malware based on payload signatures, as well as automating many of the goals of malware reverse engineering and threat intelligence. | |
Chain Reactor | adversary emulation | Free | Red Canary is launching a new open source framework for composing executables that simulate adversary behaviors and techniques on Linux endpoints. | |
Cold Disk Quick Response | artifact collection | Free | Streamlined list of parsers to quickly analyze a forensic image file ( dd , E01, .vmdk , etc) and output nine reports. | |
Computer Aided INvestigative Environment (CAINE) | linux distributionforensicsall-in-one | Free | CAINE (Computer Aided INvestigative Environment) is an Italian GNU/Linux live distribution created as a Digital Forensics project. Currently the project manager is Nanni Bassetti (Bari - Italy). Contains numerous tools that help investigators during their analysis, including forensic evidence collection. CAINE offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface. | |
Cortex (TheHive Project) | cyber threat intelligence | Free | Cortex tries to solve a common problem frequently encountered by SOCs, CSIRTs and security researchers in the course of threat intelligence, digital forensics and incident response: how to analyze observables they have collected, at scale, by querying a single tool instead of several? | |
Cortex XSOAR (Demisto ) | soarsirp | Commercial | Palo Alto security orchestration, automation and response platform with full Incident lifecycle management and many integrations to enhance automations. | |
Crescendo | osxevent viewer | Free | Crescendo is a real time event viewer for macOS that uses the ESF to show process executions and forks, file events, share mounting events, kernel extension loads, and IPC event data. ESF provides a vast amount of data, but the goal was to just pick out the things that analysts would be interested in when analyzing a piece of malware or trying to understand how a process (or component) works. Just the right amount of data without being a firehose of events to the user : https://www.fireeye.com/blog/threat-research/2020/03/crescendo-real-time-event-viewer-for-macos.html | |
Crits | cyber threat intelligenceanalytics | Free | Web-based tool which combines an analytic engine with a cyber threat database. | |
Crowd Response | artifact collectionwindows | Free | Lightweight Windows console application designed to aid in the gathering of system information for incident response and security engagements. It features numerous modules and output formats. | |
Cuckoo Sandbox | sandbox | FreeCommercial | Open Source Highly configurable sandboxing tool. | |
Cuckoo-modified | sandboxmalware analysis | FreeDeprecated | Heavily modified Cuckoo fork developed by community. | |
Cutter | reverse engineering framework | Free | Cutter is a free and open-source reverse engineering framework powered by radare2 . Its goal is making an advanced, customizable and FOSS reverse-engineering platform while keeping the user experience at mind. Cutter is created by reverse engineers for reverse engineers. | |
CyberCPR | sirp | CommercialFree | Community and commercial incident management tool with Need-to-Know
built in to support GDPR compliance while handling sensitive incidents. | |
CyberTriage | forensicsall-in-oneartifact analysis | FreeCommercial | Cyber Triage remotely collects and analyzes endpoint data to help determine if it is compromised. It’s agentless approach and focus on ease of use and automation allows companies to respond without major infrastructure changes and without a team of forensics experts. Its results are used to decide if the system should be erased or investigated further. | |
CyLR | artifact collection | Free | The CyLR tool collects forensic artifacts from hosts with NTFS file systems quickly, securely and minimizes impact to the host. | |
Cyphon | sirpsoar | Free | Cyphon eliminates the headaches of incident management by streamlining a multitude of related tasks through a single platform. It receives, processes and triages events to provide an all-encompassing solution for your analytic workflow — aggregating data, bundling and prioritizing alerts, and empowering analysts to investigate and document incidents. | |
DetectionLab | detection toolsandboxwindowsactive directory | Free | This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts. | |
DFIR ORC | artifact collectionartifact analysiswindows | Free | .DFIR ORC, where ORC stands for “Outil de Recherche de Compromission” in French, is a collection of specialized tools dedicated to reliably parse and collect critical artefacts such as the MFT, registry hives or event logs. It can also embed external tools and their configurations. | |
DFIR-O365RC | artifact collectionlogo365 | Free | The DFIR-O365RC PowerShell module is a set of functions that allow the DFIR analyst to collect logs relevant for Office 365 Business Email Compromise investigations. | |
DFIRTrack | reportingsirp | Free | DFIRTrack (Digital Forensics and Incident Response Tracking application) is an open source web application mainly based on Django using a PostgreSQL database back end. | |
Diffy | awscloudartifact analysisartifact collection | Free | Diffy is a digital forensics and incident response (DFIR) tool developed by Netflix's Security Intelligence and Response Team (SIRT).
Diffy allows a forensic investigator to quickly scope a compromise across cloud instances during an incident, and triage those instances for followup actions. Diffy is currently focused on Linux instances running within Amazon Web Services (AWS), but owing to our plugin structure, could support multiple platforms and cloud providers. | |
Doorman | remoteforensicsosxlinux | Free | osquery fleet manager that allows remote management of osquery configurations retrieved by nodes. It takes advantage of osquery's TLS configuration, logger, and distributed read/write endpoints, to give administrators visibility across a fleet of devices with minimal overhead and intrusiveness. | |
DumpsterFire | adversary emulation | Free | The DumpsterFire Toolset is a modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events. Easily create custom event chains for Blue Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. Turn paper tabletop exercises into controlled "live fire" range events. Build event sequences ("narratives") to simulate realistic scenarios and generate corresponding network and filesystem artifacts. | |
Dylib Hijack Scanner (Objective-See) | osxartifact analysishijacking scanner | Free | Dylib Hijack Scanner or DHS, is a simple utility that will scan your computer for applications that are either susceptible to dylib hijacking or have been hijacked.
The details behind this new OS X attack were presented at CanSecW, in a presentation titled, 'DLL Hijacking' on OS X? #@%& Yeah! | |
EZ Tools | artifact analysiswindows | Free | Incident Responders are on the front lines of intrusion investigations. Eric Zimmerman's Tools (EZ Tools) aim to support DFIR analysts in their quest to uncover the truth. | |
Falcon Crowdstrike Orchestrator | soarorchestratorwindows | Free | Extendable Windows-based application that provides workflow automation, case management and security response functionality. | |
Fast Incident Response (FIR) | sirp | Free | FIR (Fast Incident Response) is an cybersecurity incident management platform designed with agility and speed in mind. It allows for easy creation, tracking, and reporting of cybersecurity incidents.
FIR is for anyone needing to track cybersecurity incidents (CSIRTs, CERTs, SOCs, etc.). It was tailored to suit our needs and our team's habits, but we put a great deal of effort into making it as generic as possible before releasing it so that other teams around the world may also use it and customize it as they see fit. | |
FastIR Artifacts | artifact collectionwindowslinuxosx | Free | FastIR Artifacts is a forensic artifacts collector that can be used on a live host. FastIR Artifacts is focused on artifact collection, there is no parsing or analysis of the collected artifacts. | |
FastIR Collector Linux | linux artifact collection | Free | FastIR for Linux collects different artefacts on live Linux and records the results in csv files. | |
Fenrir | ioc scannerlinuxosx | Free | Simple IOC scanner. It allows scanning any Linux/Unix/OSX system for IOCs in plain bash. Created by the creators of THOR and LOKI. | |
Fibratus | kernelwindowsartifact collection | Free | Fibratus is a tool which is able to capture the most of the Windows kernel activity - process/thread creation and termination, context switches, file system I/O, registry, network activity, DLL loading/unloading and much more. | |
fileintel | file analysiscyber threat intelligence | Free | Pull intelligence per file hash. | |
Firmware | file analysissaasfirmware | Beta | Firmware.RE is a free service that unpacks, scans and analyzes almost any firmware package and facilitates the quick detection of vulnerabilities, backdoors and all kinds of embedded malware.
Slowly but steady, we are working on some of most interesting firmwares so that you can benefit from ultimate embedded security. | |
Flare FakeNet NG | adversary emulation | Free | FakeNet-NG is a next generation dynamic network analysis tool for malware analysts and penetration testers. It is open source and designed for the latest versions of Windows (and Linux, for certain modes of operation). FakeNet-NG is based on the excellent Fakenet tool developed by Andrew Honig and Michael Sikorski : https://www.fireeye.com/blog/threat-research/2017/07/linux-support-for-fakenet-ng.html | |
Fleetdm | remoteforensicslinuxosx | FreeDeprecated | State of the art host monitoring platform tailored for security experts. Leveraging Facebook's battle-tested osquery project, Fleetdm delivers continous updates, features and fast answers to big questions. | |
Gatewatcher Intelligence | artifact analysisfile analysismalware analysissaas | FreeCommercial | Malware analysis service provided by Gatewatcher | |
GetData Forensic Imager | disk image creation | Free | Windows based program that will acquire, convert, or verify a forensic image in one of the following common forensic file formats. | |
Google Rapid Response (GRR) | forensicsremotewindowslinuxosxframeworkall-in-one | Free | Incident response framework focused on remote live forensics. It consists of a python agent (client) that is installed on target systems, and a python server infrastructure that can manage and talk to the agent. Besides the included Python API client, PowerGRR provides an API client library in PowerShell working on Windows, Linux and macOS for GRR automation and scripting. | |
GoSecure Responder PRO | malware analysislive memory acquisitionmemory analysis | Commercial | GoSecure Responder PRO leverages proprietary behavioral engine, Digital DNA, to obtain impact scoring, which helps users in malware analysis and other threat indicators to uncover root cause. The fundamental difference is Responder PRO delivers a consistently updated tool behavioral intelligence source, built on over 3000+ traits, to correlate the analysis performed on a single machine. | |
Guymager | disk image creation | Free | Free forensic imager for media acquisition on Linux. | |
HELK | analytics | Free | The Hunting ELK or simply the HELK is one of the first open source hunt platforms with advanced analytics capabilities such as SQL declarative language, graphing, structured streaming, and even machine learning via Jupyter notebooks and Apache Spark over an ELK stack. This project was developed primarily for research, but due to its flexible design and core components, it can be deployed in larger environments with the right configurations and scalable infrastructure. | |
Hindsight | internet history forensics | Free | Internet history forensics for Google Chrome/Chromium | |
hostintel | cyber threat intelligencehost analysis | Free | Pull intelligence per host. | |
Hybrid-Analysis | sandboxsaasmalware analysisartifact analysisurl analysis | Free | Free powerful online sandbox by CrowdStrike. | |
IBM X-Force | saasfile analysisurl analysisartifact search | Free | ||
ID Ransomware from MalwareHunterTeam | ransomwaresaas | Free | Upload a ransom note and/or sample encrypted file to identify the ransomware that has encrypted your data. | |
imagemounter | acquisitionmounting | Free | Command line utility and Python package to ease the (un)mounting of forensic disk images. | |
Inquest Deep File Inspection (DFI) | file analysissaasdeobfuscation | Free | A core facet to the InQuest solution is our Deep File Inspection (DFI) engine. Capable of recursively decompressing, decoding, deobfuscating, decompiling, deciphering, and more. We aim to automate and scale the reverse engineering skill-set of a typical SOC analyst. While not in full parity with our production engine, this InQuest Labs tool can identify and extract embedded logic, semantic context (including that embedded within images through OCR), and metadata. Additionally, artifacts such as URLs, domains, IPs, e-mail addresses, file names, and XMP IDs are extracted and searchable. Drag and drop one or more files to queue them for analysis. The current public release is limited to Microsoft and Open Office documents, spreadsheets, and presentations up to 15MB in size. In the future, we will expose lite versions of our Adobe PDF, Oracle Java, and Adobe Flash DFI shims. Read more in our Introduction to Deep File Inspection, dig deeper in our Walkthrough of a Common Malware Carrier, read more about InQuest, about DFI or contact us directly for a formal capabilities briefing. | |
Intezer | saassandboxmalware analysis | FreeCommercial | Automate your Security Operations and Incident Response with Genetic Malware Analysis. With Intezer Analyze, quickly analyze files and devices to immediately understand the What, Who, & How of a potential cyber incident, by identifying even the smallest pieces of code reuse. Join our free community edition now. | |
Invoke-Adversary | adversary emulation | Free | Invoke-Adversary is a PowerShell script that helps you to evaluate security products and monitoring solutions based on how well they detect advanced persistent threats. I was inspired to write this script after seeing APTSimulator excellent tool from Florian Roth. | |
ir-rescue | artifact collection | Free | Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response. | |
Joe Sandbox | sandboxsaas | FreeCommercial | ||
Kansa | artifact collectionartifact analysiswindows | Free | A modular incident response framework in Powershell. It's been tested in PSv2 / .NET 2 and later and works mostly without issue. | |
Kaspersky Data Feeds | cyber threat intelligencefeed | Free | ||
KextViewr (Objective-See) | osxartifact analysis | Free | View all modules on that are loaded in the OS kernel.
Modules that are loaded into the kernel are called kernel extension, or 'kexts.' They run at the OS's highest privilege level; ring-0. KextViewr displays all loaded kexts, along with their signing status, full path, VirusTotal detection ratios, and more! | |
KnockKnock (Objective-See) | osxartifact analysispersistence | Free | "Who's there?" See what's persistently installed on your Mac.
Malware installs itself persistently (scripts, commands, binaries, etc.) to ensure it is automatically executed each time a computer is restarted. KnockKnock uncovers persistently installed software in order to generically reveal such malware. | |
Kroll Artifact Parser and Extractor (KAPE) | artifact collectionwindows | Free | KAPE is an efficient and highly configurable triage program that will target essentially any device or storage location, find forensically useful artifacts, and parse them within a few minutes. | |
Kuiper | forensicsplatform | Free | Digital Forensics Investigation Platform - Kuiper is a digital investigation platform that provides a capabilities for the investigation team and individuals to parse, search, visualize collected evidences (evidences could be collected by fast triage script like Hoarder
). | |
Limacharlie | all-in-onesaaswindowsosxlinuxandroidiosforensics | CommercialFree | Endpoint security platform composed of a collection of small projects all working together that gives you a cross-platform (Windows, OSX, Linux, Android and iOS) low-level environment for managing and pushing additional modules into memory to extend its functionality.
The LimaCharlie commercial version offers a free tier (no credit card required) of two sensors that includes a years worth of telemetry storage and search. It should take you less than 10 minutes to get data flowing from an endpoint after you sign up (it is really that easy). | |
LiME | live memory acquisitionlinuxandroid | Free | A Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition. | |
Linux Memory Grabber | live memory acquisitionlinux | Free | Script for dumping Linux memory and creating Volatility profiles. | |
Live Response Collection | artifact collection | Free | Automated tool that collects volatile data from Windows, OSX, and *nix based operating systems. | |
Logdissect | logparsing | Free | CLI utility and Python API for analyzing log files and other data. | |
LOKI | yaraioc scanner | Free | Free IR scanner for scanning endpoint with yara rules and other indicators(IOCs). | |
LORG | logartifact analysishttpd | Free | A tool for advanced HTTPD logfile security analysis and forensics | |
LuLu (Objective-See) | osxfirewallnetwork monitoring | Free | In today's connected world, it is rare to find an application or piece of malware that doesn't talk to a remote server. Let's control this!
LuLu is the free, open-source macOS firewall that aims to block unknown outgoing connections, unless explicitly approved by the user. | |
mac_apt - macOS Artifact Parsing Tool | osx artificat collection | Free | mac_apt is a DFIR (Digital Forensics and Incident Response) tool to process Mac computer full disk images (or live machines) and extract data/metadata useful for forensic investigation. It is a python based framework, which has plugins to process individual artifacts (such as Safari internet history, Network interfaces, Recently accessed files & volumes, ..) | |
Magnet ACQUIRE | disk image creationosxandroid | Free | ACQUIRE by Magnet Forensics allows various types of disk acquisitions to be performed on Windows, Linux, and OS X as well as mobile operating systems. | |
Magnet Encrypted Disk Detector | acquisition | Free | MAGNET Encrypted Disk Detector (v3.0 released May 12th, 2020) is a command-line tool that can quickly and non-intrusively check for encrypted volumes on a computer system during incident response. The decision can then be made to investigate further and determine whether a live acquisition needs to be made in order to secure and preserve the evidence that would otherwise be lost if the plug was pulled . | |
Magnet RAM Capture | live memory acquisitionwindows | Free | Free imaging tool designed to capture the physical memory of a suspect’s computer. Supports recent versions of Windows. | |
MalConfScan (Volatility) | live memory acquisitionmalware analysis | Free | MalConfScan is a Volatility plugin extracts configuration data of known malware. Volatility is an open-source memory forensics framework for incident response and malware analysis. This tool searches for malware in memory images and dumps configuration data. In addition, this tool has a function to list strings to which malicious code refers. | |
Malware Information Sharing Platform (MISP) | cyber threat intelligence | Free | Open Source Threat Intelligence Platform & Open Standards For Threat Information Sharing | |
Manalzyer | malware analysissaasstatic analysis framework | Free | Manalyzer is a free service which performs static analysis on PE executables to detect undesirable behavior. | |
Margarita Shotgun | live memory acquisition | Free | Command line utility (that works with or without Amazon EC2 instances) to parallelize remote memory acquisition. | |
Mastiff | static analysis framework | FreeDeprecated | Static analysis framework that automates the process of extracting key
characteristics from a number of different file formats. | |
MEEKRAT | windowsartifact collectionioc scanner | Free | PowerShell-based triage and threathunting for Windows. | |
MetaDefender Cloud OPSWAT | saasfile analysisurl analysisartifact search | FreeCommercial | ||
Metta | adversary emulation | Free | Metta is an information security preparedness tool.
This project uses Redis/Celery, python, and vagrant with virtualbox to do adversarial simulation. This allows you to test (mostly) your host based instrumentation but may also allow you to test any network based detection and controls depending on how you set up your vagrants.
The project parses yaml files with actions and uses celery to queue these actions up and run them one at a time without interaction. | |
Mordor | adversary emulation | Free | The Mordor project provides pre-recorded security events generated after simulating adversarial techniques in the form of JavaScript Object Notation (JSON) files for easy consumption and Packet Capture (PCAP) files as additional context when applicable. The pre-recorded data is categorized by platforms, adversary groups, tactics and techniques defined by the MITRE ATT&CK Framework. The pre-recorded data represents not only specific known malicious events but additional context/events that occur around it. This is done on purpose so that you can test creative correlations across diverse data sources, enhancing your detection strategy and potentially reducing the number of false positives in your own environment. | |
MozDef | all-in-onesiem | Free | Automates the security incident handling process and facilitate the real-time activities of incident handlers. | |
MSTIC Jupyter and Python Security Tools | acquisitionartifact collectionanalyticsartifact analysisazure sentinel | Free | Microsoft Threat Intelligence Python Security Tools.
msticpy is a library for InfoSec investigation and hunting in Jupyter Notebooks. It includes functionality to:
- query log data from multiple sources
- enrich the data with Threat Intelligence, geolocations and Azure resource data
- extract Indicators of Activity (IoA) from logs and unpack encoded data
- perform sophisticated analysis such as anomalous session detection and time series decomposition
- visualize data using interactive timelines, process trees and multi-dimensional Morph Charts | |
Munin | cyber threat intelligencefile analysis | Free | Online hash checker for Virustotal and other services. | |
Netiquette (Objective-See) | osxnetwork monitoring | Free | In today's connected world, it is rare to find an application or piece of malware that doesn't talk to a remote server.
Netiquette, a network monitor, allows one to explore all network sockets and connections, either via an interactive UI, or from the commandline. | |
Network Flight Simulator | adversary emulation | Free | flightsim is a lightweight utility used to generate malicious network traffic and help security teams to evaluate security controls and network visibility. The tool performs tests to simulate DNS tunneling, DGA traffic, requests to known active C2 destinations, and other suspicious traffic patterns. | |
Network Security Toolkit (NST) | linux distributionnetwork monitoringartifact analysis | Free | Linux distribution that includes a vast collection of best-of-breed open source network security applications useful to the network security professional. | |
nightHawk Response | artifact analysisforensicsall-in-one | Free | Application built for asynchronous forensic data presentation using ElasticSearch as the backend. It's designed to ingest Redline collections. | |
Open Threat Exchange AlienVault | saasfile analysisurl analysisartifact search | Free | ||
OpenCTI | cyber threat intelligence | Free | Store, organize, visualize and share knowledge about cyber threats. Open source application with a community-centered approach. | |
OS X Auditor | osx artifact collection | Free | OSX Auditor offshoot for live response. | |
OSForensics | all-in-oneforensics | Commercial | Tool to acquire live memory on 32bit and 64bit systems. A dump of an individual process’s memory space or physical memory dump can be done. | |
osquery | analyticssystem monitoringosxlinuxwindowsfreebsd | Free | osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. Available for Linux, macOS, Windows, and FreeBSD. | |
OSSEM | logstandardizationdocumentation | Free | The Open Source Security Events Metadata (OSSEM) is a community-led project that focuses primarily on the documentation and standardization of security event logs from diverse data sources and operating systems. Security events are documented in a dictionary format and can be used as a reference while mapping data sources to data analytics used to validate the detection of adversarial techniques. | |
OSXCollector | osx artifact collection | Free | Plugin based forensics framework for quick mac triage that works on live machines, disk images or individual artifact files. | |
PALADIN | all-in-onelinux distributionforensics | FreeCommercial | Modified Linux distribution to perform various forensics tasks in a forensically sound manner. It comes with many open source forensics tools included. | |
Pikker.ee Sandbox (Cuckoo) | sandboxmalware analysissaas | Free | A cuckoo sandbox provided by Pikker.ee | |
Plaso | timeline analysis | Free | A Python-based backend engine for the tool log2timeline | |
PMDump | process dumpwindowsartifact collection | Free | Tool that lets you dump the memory contents of a process to a file without stopping the process. | |
PowerSponse | containmentartifact searchprocess killing | Free | PowerSponse is a PowerShell module for targeted containment and remediation. | |
ProcDump | process dumpwindowsartifact collection | Free | ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. ProcDump also includes hung window monitoring (using the same definition of a window hang that Windows and Task Manager use), unhandled exception monitoring and can generate dumps based on the values of system performance counters. It also can serve as a general process dump utility that you can embed in other scripts. | |
ProcDump (Linux) | linuxlinux artifact collectionprocess dump | Free | ProcDump is a Linux reimagining of the classic ProcDump tool from the Sysinternals suite of tools for Windows. ProcDump provides a convenient way for Linux developers to create core dumps of their application based on performance triggers. | |
ProcessMonitor (Objective-See) | osxmalware analysissystem monitoring | Free | Leveraging Apple's new Endpoint Security Framework, this utility monitors process creations and terminations, providing detailed information about such events. | |
PyaraScanner | yaraioc scanner | Free | Very simple multithreaded many-rules to many-files YARA scanning Python script for malware zoos and IR. | |
Quttera | saasurl analysis | Free | Free Online Website Malware Scanner: check your website for malware and vulnerability exploits online. | |
Radare2 | reverse engineering framework | Free | r2 is a rewrite from scratch of radare in order to provide a set of libraries and tools to work with binary files. The Radare project started as a forensics tool, a scriptable command-line hexadecimal editor able to open disk files, but later added support for analyzing binaries, disassembling code, debugging programs, attaching to remote gdb servers... radare2 is portable. | |
RaQet | acquisitionremote | Free | Unconventional remote acquisition and triaging tool that allows triaging a disk of a remote computer (client) that is restarted with a purposely built forensic operating system. | |
rastrea2r | yaraartifact analysiswindowslinuxosx | Free | Allows one to scan disks and memory for IOCs using YARA on Windows, Linux and OS X. | |
Red Team Automation (RTA) by Elastic | adversary emulation | Free | RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK. | |
RedHunt Linux Distribution (VM) v2 | adversary emulation | Free | Virtual Machine for Adversary Emulation and Threat Hunting by RedHunt Labs. RedHunt OS aims to be a one stop shop for all your threat emulation and threat hunting needs by integrating attacker's arsenal as well as defender's toolkit to actively identify the threats in your environment. | |
Redline (FireEye) | forensicsanalyticswindowslinuxosxartifact collection | Free | Redline 2.0 is now able to collect investigative artifacts available from OS X and Linux environments. Redline will also import and analyze triages and acquisitions from the FireEye Endpoint Security audit viewer. | |
reg_hunter | registrywindowsforensics | Free | Blueteam operational triage registry hunting/forensic tool. | |
RegRipper | windowsartifact collectionregistry | Free | Open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis. | |
ReiKey (Objective-See) | osxartifact analysiskeylogger | Free | Malware and other applications may install persistent keyboard "event taps" to intercept your keystrokes. ReiKey can scan, detect, and monitor for such taps! | |
Rekall | acquisitionlive memory acquisition | Free | Open source tool (and library) for the extraction of digital artifacts from volatile memory (RAM) samples. | |
REMnux | malware analysislinux distribution | Free | REMnux® is a Linux toolkit for reverse-engineering and analyzing malicious software. REMnux provides a curated collection of free tools created by the community. Analysts can use it to investigate malware without having to find, install, and configure the tools. | |
Request Tracker for Incident Response (RTIR) | sirp | Free | Request Tracker for Incident Response (RTIR) builds on all the features of RT and provides pre-configured queues and workflows designed for incident response teams. It's the tool of choice for many CERT and CSIRT teams all over the globe. | |
Sandia Cyber Omni Tracker (SCOT) | | Free | Incident Response collaboration and knowledge capture tool focused on flexibility and ease of use. Our goal is to add value to the incident response process without burdening the user. | |
SANS Investigative Forensic Toolkit (SIFT) Workstation | all-in-oneforensicslinux distribution | Free | Demonstrates that advanced incident response capabilities and deep dive digital forensic techniques to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated. | |
| all-in-oneanalyticslinux distribution | Free | Special Linux distro aimed at network security monitoring featuring advanced analysis tools. | |
Sigma | logyararulesetsiemalerting | Free | Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others. Sigma is for log files what Snort is for network traffic and YARA is for files. | |
SilkETW | windowsartifact analysisetw | Free | SilkETW & SilkService are flexible C# wrappers for ETW; they are meant to abstract away the complexities of ETW and give people a simple interface to perform research and introspection. While both projects have obvious defensive (and offensive) applications they should primarily be considered as research tools: https://www.fireeye.com/blog/threat-research/2019/03/silketw-because-free-telemetry-is-free.html | |
SiteCheck Sucuri | saasurl analysis | Free | Free website security check & malware scanner | |
Skadi | all-in-onewindowslinuxosx | Free | Skadi is a free, open source collection of tools that enables the collection, processing and advanced analysis of forensic artifacts and images. It works on MacOS, Windows, and Linux machines. It scales to work effectively on laptops, desktops, servers, the cloud, and can be installed on top of hardened / gold disk images. | |
SOF ELK | analytics | Free | SOF-ELK® is a “big data analytics” platform focused on the typical needs of computer forensic investigators/analysts and information security operations personnel. The platform is a customized build of the open source Elastic stack, consisting of the Elasticsearch storage and search engine, Logstash ingest and enrichment system, Kibana dashboard frontend, and Elastic Beats log shipper (specifically filebeat). With a significant amount of customization and ongoing development, SOF-ELK® users can avoid the typically long and involved setup process the Elastic stack requires. Instead, they can simply download the pre-built and ready-to-use SOF-ELK® virtual appliance that consumes various source data types (numerous log types as well as NetFlow), parsing out the most critical data and visualizing it on several stock dashboards. Advanced users can build visualizations that suit their own investigative or operational requirements, optionally contributing those back to the primary code repository. | |
Stalk | mysqlforensicsartifact collection | Free | Collect forensic data about MySQL when problems occur. | |
Stenographer | full-packet-capture | Free | Stenographer is a full-packet-capture utility for buffering packets to disk for intrusion detection and incident response purposes. It provides a high-performance implementation of NIC-to-disk packet writing, handles deleting those files as disk fills up, and provides methods for reading back specific sets of packets quickly and easily. | |
StreamAlert | analyticsserverlessalertinglogawslambda | Free | StreamAlert (developed by AirBnB) is a serverless, real-time data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using data sources and alerting logic you define. Computer security teams use StreamAlert to scan terabytes of log data every day for incident detection and response. | |
StringSifter | machine learningmalware analysis | Free | StringSifter is a machine learning tool that automatically ranks strings based on their relevance for malware analysis. | |
Sysmon DFIR | windowsartifact collectiondetection toolrulesetsystem monitoringsysmon | Free | A curated list of resources for learning about deploying, managing and hunting with Microsoft Sysmon. Contains presentations, deployment methods, configuration file examples, blogs and additional github repositories. | |
T-Pot | honeypotcyber threat intelligence | Free | T-Pot 20.06 runs on Debian (Stable), is based heavily on docker, docker-compose and includes dockerized versions of the following honeypots | |
TaskExplorer (Objective-See) | osxartifact analysis | Free | Explore all the tasks (processes) running on your Mac with TaskExplorer. Quickly see a task's signature status, loaded dylibs, open files, network connection, and much more! | |
The Sleuth Kit | artifact collectionall-in-onefile analysis | Free | The Sleuth Kit is a collection of command line tools and a C library that allows you to analyze disk images and recover files from them. It is used behind the scenes in Autopsy and many other open source and commercial forensics tools. | |
TheHive Project | sirpsoar | Free | TheHive is a scalable 4-in-1 open source and free Security Incident Response Platform designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly. It is the perfect companion for MISP. | |
ThreatCrowd is now powered by AlienVault | saasurl analysisfile analysisartifact search | Free | ||
ThreatFox | saascyber threat intelligenceartifact analysismalware analysisioc scanner | Free | ThreatFox is a free platform from abuse.ch with the goal of sharing indicators of compromise (IOCs) associated with malware with the infosec community, AV vendors and threat intelligence providers. | |
threatnote.io | reportingcyber threat intelligence | FreeCommercial | Cyber Threat Intelligence Notebook: Manage your Threat Intelligence lifecycle through threatnote.io with intelligence requirements, reporting and stakeholder management. | |
ThreatPursuit VM (FireEye) | cyber threat intelligence | Free | A Threat Intelligence and Hunting Virtual Machine with 50+ tools for CTI and ThreatHunting | |
Timesketch | timeline analysis | Free | Timesketch is an open source tool for collaborative forensic timeline analysis. Using sketches you and your collaborators can easily organize your timelines and analyze them all at the same time. Add meaning to your raw data with rich annotations, comments, tags and stars. | |
UAC (Unix-like Artifacts Collector) | artifact collectionlinuxosxosx artifact collectionsolarisaixbsd | Free | UAC (Unix-like Artifacts Collector) is a Live Response collection tool for Incident Response that makes use of built-in tools to automate the collection of artifacts from Unix-like systems. Supported systems: AIX, FreeBSD, Linux, macOS, NetBSD, Netscaler, OpenBSD and Solaris. | |
Valkyrie Comodo | saasmalware analysis | Free | Valkyrie is a file verdict system. Unlike traditional signature-based malware detection techniques, Valkyrie conducts several analyses using run-time behavior and hundreds of features from a file and, based on the analysis results, can warn users against malware undetected by classic Anti-Virus products. | |
Velociraptor | forensicsremotewindowsframeworkall-in-one | Free | Velociraptor is a unique, advanced open-source endpoint monitoring, digital forensic and cyber response platform. It was originally developed by DFIR professionals who needed a powerful and efficient way to hunt and monitor activities across fleets of endpoints for specific artefacts, in a wide range of digital forensic and cyber incident response investigations such as: | |
Viper | binary analysis and management framework | Free | Viper is a binary analysis and management framework. Its fundamental objective is to provide a solution to easily organize your collection of malware and exploit samples as well as your collection of scripts you created or found over time to facilitate your daily research. It works well with Cuckoo and YARA. | |
VirusBay | malware exchangereporting | Free with an inviteCommercial | VirusBay is a web-based, collaboration platform that connects security operations center (SOC) professionals with relevant malware researchers. Created by high-end malware researchers, VirusBay is designed to help organizations effectively respond to and recover from an IT security incident when it is not possible for an external expert to visit their facility. | |
VirusTotal | saasfile analysisurl analysisartifact search | FreeCommercial | ||
Volatility | acquisitionlive memory acquisition | Free | The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. | |
What's Your Sign? (Objective-See) | osxartifact analysiscrypto signature | Free | Verifying a file's cryptographic signature can deduce its origin or trustability. Unfortunately on Macs there's no simple way to view a file's signature via the UI. WhatsYourSign adds a menu item to Finder.app. Simply right-, or control-click on any file to display its cryptographic signing information! | |
Wintriage (Securizame) | artifact collectionartifact analysiswindowsforensics | Free | Wintriage is a live response tool that extracts Windows artifacts. It must be executed with local or domain administrator privileges, and it is recommended to run it from an external drive. | |
X-Ways Forensics | all-in-onedisk image creationacquisitionmemory analysisfile analysistimeline analysis | Commercial | X-Ways Forensics is an advanced work environment for computer forensic examiners and our flagship product. Runs under Windows XP/2003/Vista/2008/7/8/8.1/2012/10/2016*, 32 Bit/64 Bit, standard/PE/FE. (Windows FE is described here, here and here.) Compared to its competitors, X-Ways Forensics is more efficient to use after a while, by far not as resource-hungry, often runs much faster, finds deleted files and search hits that the competitors will miss, offers many features that the others lack, as a German product is potentially more trustworthy, comes at a fraction of the cost, does not have any ridiculous hardware requirements, does not depend on setting up a complex database, etc.! | |
xCyclopedia | baseliningexecutables | Free | The xCyclopedia project attempts to document all executable binaries (and eventually scripts) that reside on a typical operating system. Currently, this includes all observed EXE and DLL files, as well as COM Objects (new!). It provides a web page to view the data as well as a machine-readable format (JSON and CSV) that can be immediately usable in other systems such as SIEMs to enrich observed executions with contextual data. | |
Yara | cyber threat intelligenceyara | Free | YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a. rule, consists of a set of strings and a boolean expression which determine its logic. Let's see an example: | |
Yara-Rules | cyber threat intelligenceyararuleset | Free | This project covers the need of a group of IT Security Researchers to have a single repository where different Yara signatures are compiled, classified and kept as up to date as possible, and began as an open source community for collecting Yara rules. Our Yara ruleset is under the GNU-GPLv2 license and open to any user or organization, as long as you use it under this license. | |
yet another registry parser (yarp) | windowsregistryartifact analysisparsing | Free | Project goals: the library and tools parse Windows registry files in a proper way (with forensics in mind); expose values of all fields of underlying registry structures; support truncated registry files and registry fragments; support recovering deleted keys and values; support carving of registry hives; support transaction log files. | |
Yomi | sandboxsaasmalware analysis | Free | Free MultiSandbox managed and hosted by Yoroi. | |
Zentral | artifact collectionartifact analysislinuxosxall-in-one | Free | Zentral is an Event Hub to gather, process, and monitor system events and link them to an inventory. Combines osquery's powerful endpoint inventory features with a flexible notification and action framework. This enables one to identify and react to changes on OS X and Linux clients. |