A collection of open source threat detection tools
3rd-party lists
- MHaggis/hunt-detect-prevent - Lists of sources and utilities utilized to hunt, detect and prevent evildoers
- 0x4D31/awesome-threat-detection - A curated list of awesome threat detection and hunting resources
Online scanners
- Virus scanner
- Behavior analysis
- Packet analysis
- APK
- Office
- Automation
Automated analysis
- certsocietegenerale/fame - FAME Automates Malware Evaluation (has a web interface)
- Rurik/Noriben - Noriben - Portable, Simple, Malware Analysis Sandbox
- macOS
- JavaScript
- VM enhancements
Windows
- kurtfalde/DNS-Debug - Script to enable DNS debug logging across Domain Controllers in a Forest and then retrieve the logs for analysis
- AxtMueller/Windows-Kernel-Explorer - A free but powerful Windows kernel research tool
- Event Tracing for Windows (ETW)
- Active directory
- Windows Event forwarding
- palantir/windows-event-forwarding - A repository for using windows event forwarding for incident detection and response
- Windows Event Forwarding for Network Defense
- iadgov/Event-Forwarding-Guidance - Configuration guidance for implementing collection of security relevant Windows Event Log events by using Windows Event Forwarding. iadgov
Linux
- Rootkit detection
Mac
Browser
- 1lastBr3ath/drmine - Dr. Mine is a node script written to aid automatic detection of in-browser cryptojacking
- leizongmin/js-xss - Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist
Traffic analysis
- dirtbags/pcapdb - A Distributed, Search-Optimized Full Packet Capture System
- TravisFSmith/SweetSecurity - Network Security Monitoring on Raspberry Pi type devices
- noddos - Noddos client
- Suricata - a free and open source, mature, fast and robust network threat detection engine
- aol/moloch - Moloch is an open source, large scale, full packet capturing, indexing, and database system
- stamparm/maltrail - Malicious traffic detection system
- 360PegasusTeam/WiFi-Miner-Detector - Detecting malicious WiFi with mining cryptocurrency
- activecm/rita - Real Intelligence Threat Analytics
Network
Host based detection tools / endpoint tools
- hasherezade/pe-sieve - Scans a given process, searching for the modules containing in-memory code modifications. When found, it dumps the modified PE
- hasherezade/hollows_hunter - Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches)
- jaredcatkinson/Get-InjectedThread.ps1 - Looks for threads that were created as a result of code injection
- TonyPhipps/THRecon - Collect endpoint information for use in incident response triage / threat hunting / live forensics using this toolkit
- Neo23x0/Fenrir - Simple Bash IOC Scanner
- 0x4D31/salt-scanner - Linux vulnerability scanner based on Salt Open and Vulners audit API, with Slack notifications and JIRA integration
- DominicBreuker/pspy - Monitor linux processes without root permissions
- mvelazc0/Oriana - a threat hunting tool that leverages a subset of Windows events to build relationships, calculate totals and run analytics
- Hestat/minerchk - Bash script to Check for malicious Cryptomining
- HIDS
- Memory analysis
- Active directory
Sysmon
- JPCERTCC/SysmonSearch - Investigate suspicious activity by visualizing Sysmon's event log
- darkoperator/Posh-Sysmon - PowerShell module for creating and managing Sysinternals Sysmon config files
- Rules
Webshell detection
- baidu-security/webshell-scanner-client - A golang client of https://scanner.baidu.com
- nbs-system/php-malware-finder - Detect potentially malicious PHP files
- emposha/PHP-Shell-Detector - a php script that helps you find and identify php/cgi(perl)/asp/aspx shells
Monitoring
- realparisi/WMI_Monitor - Log newly created WMI consumers and processes
- luctalpe/WMIMon - Tool to monitor WMI activity on Windows
- 9b/chirp - Interface to manage and centralize Google Alert information
- facebook/osquery - SQL powered operating system instrumentation, monitoring, and analytics
- elastic/beats - Beats - Lightweight shippers for Elasticsearch & Logstash
- dgunter/evtxtoelk - A lightweight tool to load Windows Event Log evtx files into Elasticsearch
- GitHub
- Zabbix plugin
- Elasticsearch add-ons
Log analysis / Visualization
- Scribery/tlog - Terminal I/O logger
- JPCERTCC/LogonTracer - Investigate malicious Windows logon by visualizing and analyzing Windows event log
- THIBER-ORG/userline - Query and report user logons relations from MS Windows Security Events
- austin-taylor/VulnWhisperer - Create actionable data from your Vulnerability Scans
- Windows Security Log Events
Log queries
- beahunt3r/Windows-Hunting - Aid windows threat hunters to look for some common artifacts during their day to day operations
- Microsoft/WindowsDefenderATP-Hunting-Queries - Sample queries for Advanced hunting in Windows Defender ATP
SIEM
- TheHive-Project/TheHive - TheHive: a Scalable, Open Source and Free Security Incident Response Platform
- wazuh - Host and endpoint security
- uncoder.io - SOC Prime - a tool for converting SIEM query statements between formats
Yara tools
- CERT-Polska/mquery - YARA malware query accelerator (web frontend)
- botherder/kraken - Cross-platform Yara scanner written in Go
- Neo23x0/yarGen - a generator for YARA rules
Sandbox analysis
- phdphuc/mac-a-mal-cuckoo - This analyzer extends the open-source Cuckoo Sandbox (legacy) with functionality for analyzing macOS malware in macOS guest VM(s)
- cuckoo-install.sh - Cuckoo auto installer for Ubuntu
Phishing
- wesleyraptor/streamingphish - Python-based utility that uses supervised machine learning to detect phishing domains from the Certificate Transparency log network
- OpenPhish - Phishing Intelligence
- x0rz/phishing_catcher - Phishing catcher using Certstream
Security intelligence / feeds
Uncategorized
- target/strelka - a real-time file scanning system used for threat hunting, threat detection, and incident response
- phishai/phish-protect - Chrome extension to alert and possibly block IDN/Unicode websites and zero-day phishing websites using AI and Computer Vision
- MiSecurity/x-patrol - GitHub leak-scanning system
- Cyb3rWard0g/HELK - The Hunting ELK
- endgameinc/ClrGuard - a proof of concept project to explore instrumenting the Common Language Runtime (CLR) for security purposes - detection of dynamic CLR loading
Tools
- redhuntlabs/RedHunt-OS - Virtual Machine for Adversary Emulation and Threat Hunting
- vysec/CACTUSTORCH - Payload Generation for Adversary Simulations
- NextronSystems/APTSimulator - A toolset to make a system look as if it was the victim of an APT attack
- redcanaryco/atomic-red-team - Small and highly portable detection tests mapped to the Mitre ATT&CK Framework
- mitre/caldera - An automated adversary emulation system
- uber-common/metta - An information security preparedness tool to do adversarial simulation
- endgameinc/RTA - RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK.
- TryCatchHCF/DumpsterFire - DumpsterFire Toolset - "Security Incidents In A Box!"
- jymcheong/AutoTTP - Automated Tactics Techniques & Procedures
- Cyb3rWard0g/Invoke-ATTACKAPI - A PowerShell script to interact with the MITRE ATT&CK Framework via its own API
- CyberMonitor/Invoke-Adversary - Simulating Adversary Operations
- P4T12ICK/ypsilon - an Automated Security Use Case Testing Environment using real malware to test SIEM use cases in a closed environment
- n0dec/MalwLess - Test Blue Team detections without running any attack
Dataset
Uncategorized
- Tales of a Threat Hunter 2 - Following the trace of WMI Backdoors & other nastiness
- awslabs/aws-security-automation - Collection of scripts and resources for DevSecOps and Automated Incident Response Security
- mitre/attack-navigator - Web app that provides basic navigation and annotation of ATT&CK matrices
- Establishing a Baseline for Remote Desktop Protocol
- Disrupting the Empire: Identifying PowerShell Empire Command and Control Activity
- OffensiveSplunk vs. Grep
Books
Frameworks
Auditing