---
title: "Information Security"
date: 2022-06-07T08:00:00+02:00
draft: false
showthedate: false
---

### Threat Intelligence Portals/Feeds

* [IBM X-Force Exchange](https://exchange.xforce.ibmcloud.com) - Cloud platform for sharing threat intel data
* [OTX threat intelligence](https://otx.alienvault.com) - AlienVault Open Threat Intelligence Community
* [List of Threat Intelligence Feeds](https://intelmq.readthedocs.io/en/latest/Feeds)
* [csirtg.io](https://csirtg.io/)
* [CentralOps Whois](https://centralops.net/co/) - in-depth whois with IP history
* [VirusTotal](https://www.virustotal.com/) - You have to know VirusTotal
* [GitHub - sroberts/awesome-iocs: A collection of sources of indicators of compromise](https://github.com/sroberts/awesome-iocs)

### Threat Intelligence Tools

* [IntelMQ](https://www.enisa.europa.eu/topics/csirt-cert-services/community-projects/incident-handling-automation) - Solution for collecting and processing security feeds, pastebins and tweets using a message queue protocol
* [harpoon](https://www.randhome.io/blog/2018/02/23/harpoon-an-osint-/-threat-intelligence-tool/) - CLI tool for open source and threat intelligence
* [Bearded-Avenger / CIF](https://csirtgadgets.com/collective-intelligence-framework) - CIF allows you to combine known malicious threat information from many sources and use that information for incident response, detection and mitigation.
* [MISP](https://www.misp-project.org) - Self-hosted threat information sharing platform
* [Cyber Threat Intelligence Tools](https://gbhackers.com/cyber-threat-intelligence-tools/) - Very extensive list of tools
* [urlQuery](http://urlquery.net/) - Gives you a screenshot of a given site along with all HTTP transactions (request and response) and executed JS
* [OSINT Framework](https://osintframework.com/)

### Threat Detection

* [Blue Team fundamentals Part Two: Windows Processes.](https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2)
* [Detect Password Spraying With Windows Event Log Correlation – Welcome to the Ziemba.Ninja Infosec Blog!](https://www.ziemba.ninja/?p=66)
* [Download Windows security audit events from Official Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=50034)
* [GitHub - MHaggis/sysmon-dfir: Sources, configuration and how to detect evil things utilizing Microsoft Sysmon.](https://github.com/MHaggis/sysmon-dfir)
* [Endpoint detection Superpowers on the cheap — part 1](https://medium.com/p/endpoint-detection-superpowers-on-the-cheap-part-1-e9c28201ac47)
* [Windows RDP-Related Event Logs: Identification, Tracking, and Investigation | Ponder The Bits](https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/)
* [GitHub - Neo23x0/APTSimulator: A toolset to make a system look as if it was the victim of an APT attack](https://github.com/Neo23x0/APTSimulator)
* [GitHub - 0x4D31/awesome-threat-detection: A curated list of awesome threat detection and hunting resources](https://fb.me/4hCASkUkD)
* [Hack the Hacker – Fuzzing Mimikatz On Windows With WinAFL & Heatmaps (0day) | SEC Consult](https://www.sec-consult.com/en/blog/2017/09/hack-the-hacker-fuzzing-mimikatz-on-windows-with-winafl-heatmaps-0day/index.html)
* [Tales of a Threat Hunter 1](https://www.eideon.com/2017-09-09-THL01-Mimikatz/)
* [GitHub - sroberts/awesome-iocs: A collection of sources of indicators of compromise](https://github.com/sroberts/awesome-iocs)
* [ion-storm/sysmon-config: Sysmon configuration file template with default high-quality event tracing](https://github.com/ion-storm/sysmon-config)
* [Greater Visibility Through PowerShell Logging « Threat Research Blog | FireEye Inc](https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html)
* [Know your Windows Processes or Die Trying](http://www.sysforensics.org/2014/01/know-your-windows-processes/)
* [Monitoring pastebin.com within your SIEM](http://blog.rootshell.be/2012/01/17/monitoring-pastebin-com-within-your-siem/)
* [FCL - Fileless Command Lines](https://github.com/chenerlich/FCL)

### Data Scraping

* [pystemon](https://github.com/cvandeplas/pystemon) - Monitoring tool for PasteBin-alike sites written in Python

### Vulnerability Management

* [vulners.com](https://vulners.com) - Vulnerability search engine ("Google for Hackers")

### Honeypots

* [ssh-auth-logger](https://github.com/JustinAzoff/ssh-auth-logger) - works great in combination with CIF and csirtg.io, see [explodingwoodchucks.com](https://www.explodingwoodchucks.com/build-a-ssh-sensor)
* [cowrie](https://github.com/cowrie/cowrie) - successor to kippo
* [High Interaction Honeypots with Sysdig and Falco](https://labs.mwrinfosecurity.com/blog/high-interaction-honeypots-with-sysdig-and-falco)

### Tools - Packet String Data (PSTR)

* [URLsnarf](http://)
* [Httpry](https://github.com/jbittel/httpry) - HTTP logging and information retrieval tool
* [Justniffer](https://github.com/onotelli/justniffer) - a network protocol analyzer that captures network traffic

### Incident Response

* [Incident Response](http://www.cst.ucf.edu/about/information-security-office/incident-response/)
* [Cyber Probe - Capturing, Analysing and Responding to Cyber Attacks](http://www.kitploit.com/2017/01/cyber-probe-capturing-analysing-and.html)
* [Basics of Windows Incident Response – JP](https://jordanpotti.com/2017/01/20/basics-of-windows-incident-response/)
* [PENTEST-WIKI](https://github.com/nixawk/pentest-wiki)
* [meirwah/awesome-incident-response](https://github.com/meirwah/awesome-incident-response)

### Incident / Malware Analysis

* Detection
  * [Yara](https://virustotal.github.io/yara/) - Signature based detection
  * [ssdeep](https://ssdeep-project.github.io/ssdeep/usage.html) - Fuzzy Hashing
  * [malfunction](https://github.com/Dynetics/Malfunction) - Fuzzy Hashing
* String Extraction
  * [xorstrings](https://blog.didierstevens.com/programs/xorsearch/)
  * [floss](https://github.com/fireeye/flare-floss) - Automatic decoder function detection and usage, extracts ASCII and UTF-16-LE strings
  * [strings](https://docs.microsoft.com/en-us/sysinternals/downloads/strings)
* PE
  * [PE Wiki](https://code.google.com/p/corkami/wiki/PE101)
  * [PE Infographic](https://i.imgur.com/pHjcI.png)
  * [pescanner.py](https://code.google.com/p/malwarecookbook/source/browse/trunk/3/8/pescanner.py)
  * [pestudio](http://www.winitor.com/)
  * [Manalyze](https://github.com/JusticeRage/Manalyze)
  * [Dependency Walker](http://dependencywalker.com/)
* Graphical Analysis
  * [Binvis](https://binvis.io)
  * [Cantor Dust](https://sites.google.com/site/xxcantorxdustxx/)
* Disassembler
  * [IDA]()
  * [Radare2](https://www.radare.org)
  * [RetDec](https://retdec.com/)
* PDF Analysis
  * [malicious-pdf-analysis-ebook](http://didierstevens.com/files/data/malicious-pdf-analysis-ebook.zip)
  * [pdf-parser.py](https://blog.didierstevens.com/2008/10/30/pdf-parserpy/)
  * [pdftk](https://www.pdflabs.com/tools/pdftk-the-pdf-toolkit/)
  * [peepdf](https://github.com/jesparza/peepdf)
* Office Analysis
  * [viper](http://viper.li/)
  * [vipermonkey](https://github.com/decalage2/ViperMonkey)
  * [oledump.py](https://blog.didierstevens.com/programs/oledump-py/)
  * [Quicksand lite](https://github.com/tylabs/quicksand_lite)
* Filesystem Analysis
  * [Sleuthkit](http://www.sleuthkit.org/index.php)
  * [FireBrick](http://digitalfire.ucd.ie/?page_id=1011) - Software Write Blocker
* Shellcode Analysis
  * [Yara rule](https://github.com/Yara-Rules/rules/tree/master/Antidebug_AntiVM)
  * [Viper Module](https://github.com/viper-framework/viper/blob/master/viper/modules/shellcode.py)
  * [Shellcode Detector](http://blog.didierstevens.com/2014/09/29/update-xorsearch-with-shellcode-detector/)

### Reconnaissance

* [shodan.io](https://shodan.io) - service banner search engine
* [A Shodan Tutorial and Primer](https://danielmiessler.com/study/shodan/)
* [AutoNSE - Massive NSE (Nmap Scripting Engine) AutoSploit And AutoScanner - KitPloit - PenTest Tools for your Security Arsenal ☣](http://www.kitploit.com/2018/04/autonse-massive-nse-nmap-scripting.html)
* [GitHub - gpoguy/GetVulnerableGPO: PowerShell script to find 'vulnerable' security-related GPOs that should be hardened](https://github.com/gpoguy/GetVulnerableGPO)
* [PowerShell: Get all logged on Users per Computer/OU/Domain (Get-UserLogon) – SID-500.COM](https://sid-500.com/2018/02/28/powershell-get-all-logged-on-users-per-computer-ou-domain-get-userlogon/)
* [port-scan-automation: Automate NMAP Scans & Generate Custom Nessus Policies Automatically • Penetration Testing](https://securityonline.info/port-scan-automation-automate-nmap-scans-generate-custom-nessus-policies-automatically/)
* [Vision2 - Nmap's XML result parse and NVD's CPE correlation to search CVE - KitPloit - PenTest Tools for your Security Arsenal ☣](http://www.kitploit.com/2017/09/vision2-nmaps-xml-result-parse-and-nvds.html?m=1)
* [Retrieving scan results through Nessus API | Alexander V. Leonov](https://avleonov.com/2016/06/03/retrieving-scan-results-through-nessus-api/)
* [Nmap Cheat Sheet](https://highon.coffee/blog/nmap-cheat-sheet/)

### (Post-)Exploitation

* [GitHub - mubix/post-exploitation: Post Exploitation Collection](https://github.com/mubix/post-exploitation)
* [GitHub - skelsec/pypykatz: Mimikatz implementation in pure Python](https://github.com/skelsec/pypykatz)
* [(403) http://blog.secu.dk/blog/Tunnels_in_a_hard_filtered_network/](http://blog.secu.dk/blog/Tunnels_in_a_hard_filtered_network/)
* [A Red Teamer's guide to pivoting](https://artkond.com/2017/03/23/pivoting-guide/)
* [How to use weaponized PDF documents to steal Windows credentials | Security Affairs](https://securityaffairs.co/wordpress/71856/hacking/weaponized-pdf-hack-windows.html)
* [GitHub - dylanaraps/pure-bash-bible: 📖 A collection of pure bash alternatives to external processes.](https://github.com/dylanaraps/pure-bash-bible/)
* [Untitled (http://LetMeOutOfYour.Net)](http://letmeoutofyour.net/)
* [Passing the hash with native RDP client (mstsc.exe) - Blog | Michael Eder](https://michael-eder.net/post/2018/native_rdp_pass_the_hash/)
* [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition)](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa)
* [Digging passwords in Linux swap - Sevagas](http://blog.sevagas.com/?Digging-passwords-in-Linux-swap)
* [GitHub - quentinhardy/msdat: MSDAT: Microsoft SQL Database Attacking Tool](https://github.com/quentinhardy/msdat)
* [How to Bypass Application Whitelisting & AV - Black Hills Information Security](https://www.blackhillsinfosec.com/how-to-bypass-application-whitelisting-av/)
* [Weaponization of Nessus Plugins](https://depthsecurity.com/blog/weaponization-of-nessus-plugins)
* [Getting SYSTEM – Decoder's Blog](https://decoder.cloud/2018/02/02/getting-system/)
* [SSH Hijacking for lateral movement | xorl %eax, %eax](https://xorl.wordpress.com/2018/02/04/ssh-hijacking-for-lateral-movement/)
* [awesome-windows-exploitation/README.md at master · enddo/awesome-windows-exploitation · GitHub](https://github.com/enddo/awesome-windows-exploitation/blob/master/README.md)
* [GitHub - gobiasinfosec/Wireless_Query: Query Active Directory for Workstations and then pull their Wireless Network Passwords](https://github.com/gobiasinfosec/Wireless_Query)
* [(500) https://raw.githubusercontent.com/enigma0x3/Invoke-LoginPrompt/master/Invoke-LoginPrompt.ps1](https://raw.githubusercontent.com/enigma0x3/Invoke-LoginPrompt/master/Invoke-LoginPrompt.ps1)
* [Step by step Metasploit walkthrough](https://www.zero-day.io/metasploitwalkthrough/)
* [Ping is okay? – Right? – MSitPros Blog](https://msitpros.com/?p=3877)
* [How to get SQL Server Sysadmin Privileges as a Local Admin with PowerUpSQL](https://blog.netspi.com/get-sql-server-sysadmin-privileges-local-admin-powerupsql/#disqus_thread)
* [Applocker Bypass via Registry Key Manipulation](https://www.contextis.com/resources/blog/applocker-bypass-registry-key-manipulation/)
* [Bypassing Application Whitelisting with BGInfo – MSitPros Blog](https://msitpros.com/?p=3831)
* [Mimikatz in JS - Courtesy of James Forshaw - https://github.com/tyranid/DotNetToJScript ;-) · GitHub](https://gist.github.com/subTee/b30e0bcc7645c790fcd993cfd0ad622f)
* [GitHub - nccgroup/redsnarf: RedSnarf is a pen-testing / red-teaming tool for Windows environments](https://github.com/nccgroup/redsnarf)
* [Breaking Out! of Applications Deployed via Terminal Services, Citrix, and Kiosks](https://blog.netspi.com/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/)
* [Mimikatz Against Virtual Machine Memory Part 1 | Carnal0wnage & Attack Research Blog](http://carnal0wnage.attackresearch.com/2014/05/mimikatz-against-virtual-machine-memory.html)
* [Powershell script to automatically generate a malicious Excel document with different payloads and persistence methods. : netsec](https://www.reddit.com/r/netsec/comments/2rzky1/powershell_script_to_automatically_generate_a/)
* [Dumping Windows Credentials | Securus Global Blog](https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/)
* [Pass the Hash on Windows 8.1](https://samsclass.info/lulz/pth-8.1.htm)
* [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
* [GitHub - wtsxDev/Penetration-Testing: List of awesome penetration testing resources, tools and other shiny things](https://github.com/wtsxDev/Penetration-Testing)
* [p0wnedShell - PowerShell Runspace Post Exploitation Toolkit - Darknet](http://www.darknet.org.uk/2017/01/p0wnedshell-powershell-runspace-post-exploitation-toolkit/)
* [WifiHistoryView - Displays history of connections to wireless networks on your computer](http://www.nirsoft.net/utils/wifi_history_view.html)
* [How to Bypass Anti-Virus to Run Mimikatz - Black Hills Information Security](http://www.blackhillsinfosec.com/?p=5555)
* [“Fileless” UAC Bypass Using eventvwr.exe and Registry Hijacking | enigma0x3](https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/comment-page-1/#comment-1080)
* [Explore Hidden Networks With Double Pivoting – Pentest Blog](https://pentest.blog/explore-hidden-networks-with-double-pivoting/)
* [Decrypting Modern McAfee ePolicy Orchestrator Credentials | #!/bin/blog](http://bertman.net/2016/12/decrypting-modern-mcafee-epolicy-orchestrator-credentials/)

### Malware Analysis

* [Painless Cuckoo Sandbox Installation | NVISO LABS – blog](https://blog.nviso.be/2018/04/12/painless-cuckoo-sandbox-installation/)
* [How to become the best Malware Analyst E-V-E-R](http://www.hexacorn.com/blog/2018/04/14/how-to-become-the-best-malware-analyst-e-v-e-r/)
* [VirusTotal Blog: Meet VirusTotal Droidy, our new Android sandbox](http://blog.virustotal.com/2018/04/meet-virustotal-droidy-our-new-android.html)
* [How to Share Malware Samples With Other Researchers](https://zeltser.com/share-malware-with-researchers/)
* [ANY.RUN](https://any.run/)
* [Any.Run - An Interactive Malware Analysis Tool - Is Now Open To The Public](https://www.bleepingcomputer.com/news/security/anyrun-an-interactive-malware-analysis-tool-is-now-open-to-the-public/)
* [malware.one LOGIN](https://malware.one/index.php?action=login)
* [Malware Analysis for the Incident Responder](https://blogs.cisco.com/security/malware-analysis-for-the-incident-responder)
* [GitHub - ANSSI-FR/caradoc: A PDF parser and validator](https://github.com/ANSSI-FR/caradoc)
* [Extract text and media content from docx | govolution](https://govolution.wordpress.com/2017/01/18/extract-text-and-media-content-from-docx/)
* [GitHub - K2/EhTrace: ATrace is a tool for tracing execution of binaries on Windows.](https://github.com/K2/EhTrace)
* [DidierStevens/DidierStevensSuite](https://github.com/DidierStevens/DidierStevensSuite)

### Hardening / Configuration Auditing

* OS Hardening
  * [CIS Controls V7 Measures & Metrics](https://www.cisecurity.org/white-papers/cis-controls-v7-measures-metrics/)
  * [PaulSec/awesome-windows-domain-hardening: A curated list of awesome Security Hardening techniques for Windows.](https://github.com/PaulSec/awesome-windows-domain-hardening)
  * [selinux-coloring-book](http://people.redhat.com/duffy/selinux/selinux-coloring-book_A4-Stapled.pdf)
  * [lateralblast/lunar: A UNIX security auditing tool based on several security frameworks](https://github.com/lateralblast/lunar)
  * [adsecurity.org](https://adsecurity.org/?p=2288)
  * [Compliance auditing with Microsoft PowerShell (Tenable blog)](http://www.tenable.com/blog/compliance-auditing-with-microsoft-powershell)
  * [10 best practices for Windows security - TechRepublic](http://www.techrepublic.com/blog/10-things/-10-best-practices-for-windows-security/)
  * [A Look into Linux Hardening in the Wild](https://capsule8.com/blog/millions-of-binaries-later-a-look-into-linux-hardening-in-the-wild/)
* Web Server Hardening
  * [Nginx Quick Reference](https://github.com/trimstray/nginx-quick-reference)
  * [GitHub - yandex/gixy: Nginx configuration static analyzer](https://github.com/yandex/gixy)
  * [securityheaders.com](https://securityheaders.com/) - Check the configuration of your website's security headers
  * [webbkoll.dataskydd.net](https://webbkoll.dataskydd.net) - Checks websites for privacy leaks and security headers

### SIEM Solutions

* [AlienVault](https://www.alienvault.com/products/ossim) - Open Source SIEM solution
* [McAfee Enterprise Security Manager](https://www.mcafee.com/enterprise/de-de/products/enterprise-security-manager.html)
* [ArcSight](https://software.microfocus.com/en-us/products/siem-security-information-event-management/overview)
* [QRadar](https://www.ibm.com/marketplace/ibm-qradar-siem) - IBM's SIEM solution
* [LogRhythm](https://logrhythm.com/)
* [Splunk](https://www.splunk.com) - Log management tool with SIEM ambitions
* [Exabeam](https://www.exabeam.com/) - Looks promising
* [Logpoint](https://www.logpoint.com)
* [Gartner Peer Insights](https://www.gartner.com/reviews/market/security-information-event-management) - Gartner's SIEM rankings

### SOC Related Stuff

* [SIEM use cases development workflow – Agile all the things! | SPL>Ninja](https://spl.ninja/2017/10/15/siem-use-cases-development-workflow-agile-all-the-things/)
* [Lessons learned from the Microsoft SOC—Part 1: Organization](https://www.microsoft.com/security/blog/2019/02/21/lessons-learned-from-the-microsoft-soc-part-1-organization/)

### Awareness

* [Our Approach to Employee Security Training | PagerDuty](https://www.pagerduty.com/blog/security-training-at-pagerduty/)

### Other Stuff

* [GitHub - m4b/bingrep: like grep, but for binaries](https://github.com/m4b/bingrep/)
* [GitHub - vulnersCom/getsploit: Command line utility for searching and downloading exploits](https://github.com/vulnersCom/getsploit)
* [Microsoft releases new IT tool, Policy Analyzer - MSPoweruser](https://mspoweruser.com/microsoft-releases-new-tool-policy-analyzer/)
* [nexxai/CryptoBlocker: A script to deploy File Server Resource Manager and associated scripts to block infected users](https://github.com/nexxai/CryptoBlocker)
* [GitHub - securitywithoutborders/hardentools](https://github.com/securitywithoutborders/hardentools)
* [GitHub - juliocesarfort/public-pentesting-reports: Curated list of public penetration test reports released by several consulting firms and academic security groups](https://github.com/juliocesarfort/public-pentesting-reports)
* [CyberChef](https://gchq.github.io/CyberChef/) - The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis

### Leaked Password Databases

* [Random](https://publicdbhost.dmca.gripe/random/)
* [databases.today](https://databases.today/search.php)

### Password Lists

* [CrackStation](https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm) - 1,493,677,782 Passwords
* [Rockyou.txt](http://scrapmaker.com/download/data/wordlists/dictionaries/rockyou.txt) - the standard