<li><ahref="https://mitre.github.io/attack-navigator/enterprise/">MITRE ATT&CK Navigator</a> (<ahref="https://github.com/mitre-attack/attack-navigator">source code</a>) - The ATT&CK Navigator is designed to provide basic navigation and annotation of ATT&CK matrices, something that people are already doing today in tools like Excel.</li>
50
50
<li><ahref="https://github.com/Cyb3rWard0g/HELK">HELK</a> - A Hunting ELK (Elasticsearch, Logstash, Kibana) with advanced analytic capabilities.</li>
51
-
<li><ahref="https://github.com/palantir/osquery-configuration">osquery-configuration</a> - A repository for using osquery for incident detection and response.</li>
52
51
<li><ahref="https://github.com/clong/DetectionLab/">DetectionLab</a> - Vagrant & Packer scripts to build a lab environment complete with security tooling and logging best practices.</li>
53
-
<li><ahref="https://github.com/MHaggis/sysmon-dfir">Sysmon-DFIR</a> - Sources, configuration and how to detect evil things utilizing Microsoft Sysmon.</li>
<li><ahref="https://github.com/olafhartong/sysmon-modular">sysmon-modular</a> - A repository of sysmon configuration modules. It also includes a <ahref="https://github.com/olafhartong/sysmon-modular/blob/master/attack_matrix/README.md">mapping</a> of Sysmon configurations to MITRE ATT&CK techniques.</li>
<li><ahref="https://github.com/Cyb3rWard0g/Invoke-ATTACKAPI">Invoke-ATTACKAPI</a> - A PowerShell script to interact with the MITRE ATT&CK Framework via its own API.</li>
58
54
<li><ahref="https://github.com/unfetter-analytic/unfetter">Unfetter</a> - A reference implementation provides a framework for collecting events (process creation, network connections, Window Event Logs, etc.) from a client machine and performing CAR analytics to detect potential adversary activity.</li>
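Review bot: DetectionLab (old line 53) is deleted in this hunk but never re-added anywhere in the diff, unlike HELK, which reappears under Labs at 387/394; if this is meant as a move, the Labs hunk needs the matching `+` line, otherwise say in the commit message that the entry is being dropped. The osquery-configuration entry at 52/51 is kept here while the two Sysmon entries are removed and re-added under the new Configuration subsection, so osquery-configuration ends up listed twice once that subsection is applied; remove it from this list as well so the move is complete.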
@@ -86,6 +82,7 @@ <h2 id="tools">Tools</h2>
86
82
<li><ahref="https://github.com/zdhenard42/SOC-Multitool">SOC-Multitool</a>: A powerful and user-friendly browser extension that streamlines investigations for security professionals.</li>
87
83
<li><ahref="https://github.com/SuperCowPowers/zat">Zeek Analysis Tools (ZAT)</a>: Processing and analysis of Zeek network data with Pandas, scikit-learn, Kafka and Spark.</li>
88
84
<li><ahref="https://github.com/Sysinternals/ProcMon-for-Linux">ProcMon for Linux</a></li>
85
+
<li><ahref="https://github.com/splunk/salo">Synthetic Adversarial Log Objects (SALO)</a> - A framework for the generation of log events without the need for infrastructure or actions to initiate the event that causes a log event.</li>
89
86
</ul>
90
87
<h3id="detection-alerting-and-automation-platforms">Detection, Alerting and Automation Platforms</h3>
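Review bot: the added SALO line at new 85 uses ` - ` as the name/description separator while its neighbours in this list (SOC-Multitool, ZAT) use `:`; pick one for the list. The description also loops on itself ("without the need for infrastructure or actions to initiate the event that causes a log event"); suggest "A framework for generating log events synthetically, without the infrastructure or the triggering action that would normally produce them." While here, the ProcMon for Linux entry at 88/84 is the only item in the list with no description.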
<li><ahref="https://github.com/ossec/ossec-hids">OSSEC</a> - An open-source Host-based Intrusion Detection System (HIDS)</li>
108
105
<li><ahref="https://github.com/wazuh/wazuh">WAZUH</a> - An open-source security platform</li>
109
106
</ul>
107
+
<h4id="configuration">Configuration</h4>
108
+
<ul>
109
+
<li><ahref="https://github.com/MHaggis/sysmon-dfir">sysmon-DFIR</a> - Sources, configuration and how to detect evil things utilizing Microsoft Sysmon.</li>
<li><ahref="https://github.com/olafhartong/sysmon-modular">sysmon-modular</a> - A repository of sysmon configuration modules. It also includes a <ahref="https://github.com/olafhartong/sysmon-modular/blob/master/attack_matrix/README.md">mapping</a> of Sysmon configurations to MITRE ATT&CK techniques.</li>
<li><ahref="https://github.com/palantir/osquery-configuration">osquery-configuration</a> - A repository for using osquery for incident detection and response.</li>
<li><ahref="https://car.mitre.org/">MITRE CAR</a> - The Cyber Analytics Repository is a knowledge base of analytics developed by MITRE based on the Adversary Tactics, Techniques, and Common Knowledge (ATT&CK™) adversary model.</li>
<li><ahref="https://github.com/chronicle/detection-rules">Chronicle Detection Rules</a> - Collection of YARA-L 2.0 sample rules for the Chronicle Detection API.</li>
147
+
<li><ahref="https://github.com/GoogleCloudPlatform/security-analytics">GCP Security Analytics</a> - Community Security Analytics provides a set of community-driven audit & threat queries for Google Cloud.</li>
141
148
</ul>
142
149
<h2id="dataset">Dataset</h2>
143
150
<ul>
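Review bot: the new Configuration block at new 107-109 is an `<h4>` nested under the Detection, Alerting and Automation Platforms `<h3>`, but its entries (sysmon-DFIR, sysmon-modular, osquery-configuration) are endpoint telemetry configurations rather than configuration of those platforms; either promote it to an `<h3>` alongside the other Tools subsections or retitle it so the nesting reads correctly. The osquery-configuration line added here duplicates the one left in place under Tools (old 52/new 51). For the GCP Security Analytics line at new 147, "audit & threat queries" reads better as "audit and threat-detection queries", and the name is "Community Security Analytics" in the description but "GCP Security Analytics" in the link text; use one name.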
@@ -152,6 +159,8 @@ <h2 id="dataset">Dataset</h2>
152
159
<li><ahref="https://www.netresec.com/?page=PcapFiles">Netresec's PCAP repo list</a> - A list of public packet capture repositories, which are freely available on the Internet.</li>
153
160
<li><ahref="https://github.com/sbousseaden/PCAP-ATTACK">PCAP-ATTACK</a> - A repo of PCAP samples for different ATT&CK techniques.</li>
154
161
<li><ahref="https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES">EVTX-ATTACK-SAMPLES</a> - A repo of Windows event samples (EVTX) associated with ATT&CK techniques (<ahref="https://docs.google.com/spreadsheets/d/12V5T9j6Fi3JSmMpAsMwovnWqRFKzzI9l2iXS5dEsnrs/edit#gid=164587082">EVTX-ATT&CK Sheet</a>).</li>
<li><ahref="https://www.lockheedmartin.com/us/what-we-do/aerospace-defense/cyber/cyber-kill-chain.html">Cyber Kill Chain</a> - It is part of the Intelligence Driven Defense® model for identification and prevention of cyber intrusions activity. The model identifies what the adversaries must complete in order to achieve their objective.</li>
208
217
<li><ahref="http://ryanstillions.blogspot.com.au/2014/04/the-dml-model_21.html">The DML Model</a> - The Detection Maturity Level (DML) model is a capability maturity model for referencing ones maturity in detecting cyber attacks.</li>
<li><ahref="https://github.com/hunters-forge/OSSEM">OSSEM</a> (Open Source Security Events Metadata) - A community-led project that focuses on the documentation and standardization of security event logs from diverse data sources and operating systems</li>
211
-
<li><ahref="https://engage.mitre.org/">MITRE Engage</a> - A framework<br/>
212
-
for planning and discussing adversary engagement operations<br/>
213
-
that empowers you to engage your adversaries<br/>
214
-
and achieve your cybersecurity goals.</li>
219
+
<li><ahref="https://github.com/hunters-forge/OSSEM">OSSEM</a> (Open Source Security Events Metadata) - A community-led project that focuses on the documentation and standardization of security event logs from diverse data sources and operating systems.</li>
220
+
<li><ahref="https://github.com/ocsf/ocsf-schema">Open Cybersecurity Schema Framework (OCSF)</a> - A framework for creating schemas and it also delivers a cybersecurity event schema built with the framework (<ahref="https://schema.ocsf.io/">schema browser</a>).</li>
221
+
<li><ahref="https://engage.mitre.org/">MITRE Engage</a> - A framework for planning and discussing adversary engagement operations that empowers you to engage your adversaries and achieve your cybersecurity goals.</li>
215
222
<li><ahref="https://www.betaalvereniging.nl/wp-content/uploads/FI-ISAC-use-case-framework-verkorte-versie.pdf">MaGMa Use Case Defintion Model</a> - A business-centric approach for planning and defining threat detection use cases.</li>
216
223
</ul>
217
224
<h3id="windows">Windows</h3>
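Review bot: OSSEM (old 210) is deleted and re-added at new 219 with only a trailing period changed, which turns a one-character fix into a move and makes the hunk harder to read; if the reorder is intentional, say so in the commit message, otherwise keep the line in place and just add the period. The OCSF description at new 220 is awkward ("A framework for creating schemas and it also delivers a cybersecurity event schema built with the framework"); suggest "A schema framework together with a vendor-agnostic cybersecurity event schema built on it". Joining the four broken MITRE Engage lines (old 211-214) into one line at new 221 is the right fix. While here, "Defintion" in the MaGMa entry at 215/222 is a typo for "Definition".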
@@ -386,6 +393,7 @@ <h2 id="labs">Labs</h2>
386
393
<li><ahref="https://bots.splunk.com/">Splunk Boss of the SOC</a> - Hands-on workshops and challenges to practice threat hunting using the BOTS and other datasets.</li>
387
394
<li><ahref="https://github.com/Cyb3rWard0g/HELK">HELK</a> - A Hunting ELK (Elasticsearch, Logstash, Kibana) with advanced analytic capabilities.</li>
388
395
<li><ahref="https://github.com/op7ic/BlueTeam.Lab">BlueTeam Lab</a> - A detection lab created with Terraform and Ansible in Azure.</li>
396
+
<li><ahref="https://github.com/splunk/attack_range">attack_range</a> - A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk.</li>
<li><ahref="https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/signal-att-and-ck-part-1.html">Signal the ATT&CK: Part 1</a> - Modelling APT32 in CALDERA</li>
421
429
<li><ahref="https://github.com/infosecn1nja/Red-Teaming-Toolkit">Red Teaming/Adversary Simulation Toolkit</a> - A collection of open source and commercial tools that aid in red team operations.</li>
<li><ahref="https://github.com/center-for-threat-informed-defense/adversary_emulation_library">adversary<em>emulation</em>library</a> - An open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs.</li>
423
432
</ul>
424
433
<h2id="contribute">Contribute</h2>
425
434
<p>Contributions welcome! Read the <ahref="CONTRIBUTING.md">contribution guidelines</a> first.</p>
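Review bot: the attack_range line added at new 396 follows the ` - ` separator used by the rest of the Labs list, but "vulnerable instrumented local or cloud environments" reads better as "instrumented, intentionally vulnerable local or cloud environments". In the same region the adversary_emulation_library link text at 422/431 renders as adversary<em>emulation</em>library because the underscores are parsed as emphasis; escape them (`adversary\_emulation\_library`) or wrap the name in backticks so it matches the repository name.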