Cyber-resource-list

Cyber Security resource list

Learning - AppSec

• Semgrep Academy - https://academy.semgrep.dev/
• IriusRisk - https://learn.iriusrisk.com/library/
• Wiz Academy - https://www.wiz.io/academy
• Linux Foundation (some $0) - https://training.linuxfoundation.org/full-catalog/?_sft_product_type=training&_sft_topic_area=cybersecurity
• EdX - https://www.edx.org/learn/software-development
  • Secure supply chain with Sigstore - https://www.edx.org/learn/software-development/the-linux-foundation-securing-your-software-supply-chain-with-sigstore
• OpenSSF - https://openssf.org/training/

What's popular in open source security software:

• Open Source Security Index - https://opensourcesecurityindex.io/

Policy As Code

• OPA - https://www.openpolicyagent.org/
  • Docs - https://www.openpolicyagent.org/docs/latest/

Threat Intel Sources

• Team Cymru - https://team-cymru.com/
• Anomali - https://www.anomali.com/
• Mnemonic - https://www.mnemonic.no/
• Intel 471 - https://intel471.com/
• Silobreaker - https://www.silobreaker.com/
• Cisco Talos - https://talosintelligence.com/
• Alienvault OTX - https://cybersecurity.att.com/open-threat-exchange
• ThreatConnect - https://threatconnect.com/
• Red Canary - https://redcanary.com/
• Randy F Smith - https://www.ultimatewindowssecurity.com/
• Redmond Mag - https://redmondmag.com/Home.aspx
• InfoSecurity Mag - https://www.infosecurity-magazine.com/
• Bleeping Computer - https://www.bleepingcomputer.com/
• Wired - https://www.wired.co.uk/topic/security
• The Register - https://www.theregister.com/security/
• Fortinet - https://www.fortinet.com/blog/threat-research
• Black Hills Security - https://www.blackhillsinfosec.com/
• Active Counter-Measures - https://www.activecountermeasures.com/
• Scythe - https://www.scythe.io/library
• F-Secure - https://blog.f-secure.com/category/threats-research/
• DomainTools - https://www.domaintools.com/resources
• Sophos - https://news.sophos.com/en-us/
• Blueliv - https://blueliv.com/ & https://community.blueliv.com/
• TL;DR Sec - https://tldrsec.com/
• Insinuator.net - Walter Legowski aka SadProcessor writes here - https://insinuator.net/
• SANS instructor Lenny Zeltser's infosec site - https://zeltser.com/
• Threat intel source list - https://github.com/hslatman/awesome-threat-intelligence

Threat Intel API Providers

• abuse.ch - https://abuse.ch/
  • Malware Bazaar - https://bazaar.abuse.ch/
  • Feodo Tracker - https://feodotracker.abuse.ch/
  • I Got Phished - https://igotphished.abuse.ch/
  • SSL Blacklist - https://sslbl.abuse.ch/
  • (Malware) URL Haus - https://urlhaus.abuse.ch/
• Greynoise - https://greynoise.io/
• Have I Been Pwned - https://haveibeenpwned.com/
• Censys - https://censys.io/
• Phishtank - https://www.phishtank.com/
• Openphish - https://openphish.com/
• Lenny Zeltser's IP blocklist provider list - https://zeltser.com/malicious-ip-blocklists/
• Lenny Zeltser's malicious website lookup provider list - https://zeltser.com/lookup-malicious-websites/

Threat Intelligence Platform Providers

• RiskIQ - https://www.riskiq.com/
• Silobreaker - https://www.silobreaker.com/
• Maltego - https://www.maltego.com/

Tools - Documentation

• Diagram as Code - https://github.com/mingrammer/diagrams

Container/Docker/Kubernetes Security

• Clint Gibler - TL;DR Sec - https://tldrsec.com/blog/container-security/
• SysDig - https://sysdig.com/
• Falco - k8s threat detection - https://sysdig.com/opensource/falco/
• Uptycs - cloud & container protection, posture assessment - https://www.uptycs.com/
• OSQuery for container detection:
• https://www.uptycs.com/blog/get-started-using-osquery-for-container-security
• https://developer.ibm.com/technologies/containers/articles/monitoring-containers-osquery/
• Peirates - k8s penetration tool - https://www.inguardians.com/peirates/
• Kubesploit - C2 for container environments - https://github.com/cyberark/kubesploit
• Popeye - K8s config & best practise scanner - https://github.com/derailed/popeye
• Wazuh - For Docker hosts and containers - https://wazuh.com/#containers-security
• KubiScan - CyberArk's K8s security permissions assessment tool - https://github.com/cyberark/KubiScan

Cloud Security Tools

• CloudSecDocs - Resource list for containers, AWS, Azure, GCP, Kafka & DevOps - https://cloudsecdocs.com/
• CrowdStrike CRT - Azure/O365 assessment - https://github.com/CrowdStrike/CRT
• Sygnia Cloud Scout - AD/Azure AD/AWS assessment tool - https://www.sygnia.co/cloudscout
• AWSPX - AWS effective access & attack paths assessment - https://github.com/FSecureLABS/awspx
• Azure - Stormspotter - attack graphing tool for Azure by Azure Red Teams - https://github.com/Azure/Stormspotter
• Wazuh - Azure/AWS/GCP sec data and configuration via API then agents for cloud assets - https://wazuh.com/#cloud-security-monitoring
• Microburst - Azure offensive powershell toolset - https://github.com/NetSPI/MicroBurst
• IAM Zero - suggests least-privilege policies for AWS (Azure/GCP/K8s later) - https://github.com/common-fate/iamzero
• Azure Security Benchmarks - https://github.com/MicrosoftDocs/SecurityBenchmarks
• CloudFormation Guard - IaC templates - https://github.com/aws-cloudformation/cloudformation-guard
• CloudMapper - AWS mapper/analyzer - https://github.com/duo-labs/cloudmapper
• SkyArk - CyberArk's AWS & Azure permissions analyzer - https://github.com/cyberark/SkyArk
• ROADTools - O365 & Azure AD recon tools - https://github.com/dirkjanm/ROADtools
• Cloudsplaining - https://opensource.salesforce.com/cloudsplaining/#/
  • https://github.com/salesforce/cloudsplaining
  • https://cloudsplaining.readthedocs.io/en/latest/

SaaS Security

• Raccoon - Salesforce data visibility assessment tool from NCC - https://github.com/nccgroup/raccoon

Security Posture & Configuration Assessment

• NSA - Unfetter - Mitre-based security posture analysis tool - https://nsacyber.github.io/unfetter/index.html
• Mitre:
  • ATT&CK - Offense TTPs
    • https://attack.mitre.org/
    • https://github.com/mitre-attack/attack-navigator
  • Engage - Active Defense TTPs
    • [https://engage.mitre.org/
  • D3fend - Defensive countermeasures
    • https://d3fend.mitre.org/
  • CAR - Cyber Analytics Repository
    • https://car.mitre.org/
  • EMB3D - Threats & mitigations for embedded devices
    • https://emb3d.mitre.org/
  • Evaluation - products and people
    • https://mitre-engenuity.org/
  • Attack2Neo - import Mitre into Neo4j
    • https://github.com/vmapps/attack2neo
  • ATT&CK mapping bast practices from US CISA
    • https://us-cert.cisa.gov/sites/default/files/publications/Best%20Practices%20for%20MITRE%20ATTCK%20Mapping.pdf
  • ATT&CK Workbench - CTID's customise/extend ATT&CK tool
    • https://github.com/center-for-threat-informed-defense/attack-workbench-frontend
    • https://medium.com/mitre-engenuity/att-ck-workbench-a-tool-for-extending-att-ck-e1718cbfe0ef
  • ATT&CK DataMap - show potential coverage for Mitre
    • https://github.com/olafhartong/ATTACKdatamap
• Microsoft Attack Surface Analyzer - scan Windows for unsafe changes due to software installs - https://github.com/Microsoft/AttackSurfaceAnalyzer
• Rabobank's DETTECT - Map log sources, detections and attacker behviours to show ATT&CK coverage - https://github.com/rabobank-cdc/DeTTECT
• Threat Mapping Catalogue - https://github.com/intelforge/tmc

Incident Response

• Incident Playbook - Playbooks mapped to MITRE - https://github.com/austinsonger/Incident-Playbook
• The Hive Project - IR application, docker - https://thehive-project.org/

CICD Security

• Legitify by Legit Security - Security posture of Github/Gitlab instances - https://www.legitsecurity.com/legitify

Code Analysis

• KICS by Checkmarx - https://docs.kics.io/latest - https://github.com/Checkmarx/kics
• Trivy by Aqua - https://aquasecurity.github.io/trivy - https://github.com/aquasecurity/trivy
• Checkov - Bridgecrew - Static code analysis for IaC - https://github.com/bridgecrewio/checkov - https://www.checkov.io/
• TFSec - Terraform static analysis - https://github.com/tfsec/tfsec
• TFLint - Terraform error & best practise scanner - https://github.com/terraform-linters/tflint

SIEM

• Devo - https://www.devo.com/
• Elastic - https://www.elastic.co/
• Humio - https://www.humio.com/secops
• Sumo Logic - https://www.sumologic.com/solutions/cloud-siem-enterprise/
• Sigma - platform agnostic SIEM rules - https://github.com/SigmaHQ/sigma
  • https://www.nextron-systems.com/2018/02/10/write-sigma-rules/
  • https://syedhasan010.medium.com/defenders-toolkit-102-sigma-rules-4a623acb2036
• Security Onion - Ready made FOSS SIEM - https://securityonionsolutions.com/ - https://github.com/Security-Onion-Solutions/securityonion
• Vadim Hunter's detection rules - https://github.com/vadim-hunter/Detection-Ideas-Rules

SOAR & Automation

• Shuffle - FOSS SOAR - https://github.com/frikky/Shuffle
• Tines - limited community version plus paid SOAR - https://www.tines.com/
• Siemplify - community & paid versions - https://www.siemplify.co/
• Swimlane - https://swimlane.com/
• Jimi - FOSS no-code SOAR - https://github.com/z1pti3/jimi
• PowerShell Universal & PowerShell Pro Tools - From Ironman Software & Adam Driscoll - https://ironmansoftware.com/
• Automation mindset & process article - https://queue.acm.org/detail.cfm?id=3197520
• Patrowl - FOSS SOAR - https://github.com/Patrowl/PatrowlEngines
  • https://github.com/vletoux/PingCastlePatrOwl - Pingcastle for Patrowl

Threat Emulation

• Atomic Red Team - https://atomicredteam.io/ - https://github.com/redcanaryco/atomic-red-team
• Atomic Threat Coverage - TTPs, SIGMAs & KBs all in one place - https://github.com/atc-project/atomic-threat-coverage
• Prelude - Atomic Red Team in your environment - https://www.prelude.org/platform/community
• Thremulation - Atomic Red Team with ELK & sandbox - https://www.thremulation.io/ - https://github.com/thremulation-station/thremulation-station
• Mitre Caldera - https://www.mitre.org/research/technology-transfer/open-source-software/caldera%E2%84%A2 - https://github.com/mitre/caldera
• https://github.com/clong/DetectionLab
• https://github.com/OTRF/SimuLand
• https://github.com/davidprowe/BadBlood
• AD in Azure playground - https://github.com/christophetd/Adaz
• https://github.com/OTRF/Blacksmith

Vulnerability Management

• Nuclei - FOSS vuln scanner - https://github.com/projectdiscovery/nuclei
• Wazuh (again) - vuln detection and reporting where agent installed - https://wazuh.com/#vulnerability-detection
• Vulcan - vulnerability remediation automation - https://vulcan.io/integrations/
• 0Patch - micro patch solution - https://0patch.com/

Endpoint Security

• Sysmon config pusher - https://github.com/LaresLLC/SysmonConfigPusher
• Wazuh - HIDS/HIPS/Vulns/FIM/IR/EDR - https://wazuh.com/ - https://documentation.wazuh.com/current/index.html
• Osquery - SQL queries on endpoints, very powerful - https://github.com/osquery/osquery
• YARA rules & info collection - https://github.com/InQuest/awesome-yara
• Velociraptor - monitor, alert, hunt on endpoints - https://www.velocidex.com/
• NCSC - security config packs Win,OSX,iOS,Ubuntu,Android - https://github.com/ukncsc/Device-Security-Guidance-Configuration-Packs
• Nextron Systems - FOSS/Commercial - Compromise assessment, forensics, IOC scanners - https://www.nextron-systems.com/products/
• DeepBlueCLI - command line threat hunting on Windows - https://github.com/sans-blue-team/DeepBlueCLI
• OpenEDR - Comodo's FOSS EDR - https://openedr.com/
• OSSEM - Open Source Security Events Metadata - https://github.com/OTRF/OSSEM
• SilkETW from Fireeye - Event Tracing for Windows telemetry made easier:
  • https://www.fireeye.com/blog/threat-research/2019/03/silketw-because-free-telemetry-is-free.html
  • https://github.com/fireeye/SilkETW
  • https://medium.com/threat-hunters-forge/threat-hunting-with-etw-events-and-helk-part-1-installing-silketw-6eb74815e4a0

Network Security

• Arkime - Packet capture & analysis - https://arkime.com/ - https://github.com/arkime/arkime
• Suricata - NIDS/NIPS/NSM - https://suricata.io/
• Zeek - NIDS/NSM - https://zeek.org/
• Snort - NIPS - https://www.snort.org/
• Owlh & Wazuh - Uses Snort/Zeek/Suricata data integrated via OwlH into Wazuh adding NIDS to HIDS:
  • https://www.owlh.net/
  • https://documentation.owlh.net/en/0.17.0/index.html
  • https://documentation.owlh.net/en/0.17.0/main/OwlHWazuh.html
  • https://wazuh.com/owlh-network-ids-integration/
• CISA's Malcolm - FOSS network traffic analysis suite - https://github.com/cisagov/malcolm

Perimeter Defence

• PerimeterX - bot defence, website defence - https://www.perimeterx.com/
• TypoDetect - discover domain name mutations similar to corporate domain names used for phishing/smishing etc - https://github.com/telefonica/typodetect

Deception

• Thinkst Canary - decoys/honeytraps - https://canary.tools/

Malware Analysis

• Anyrun - online analysis/sandbox - https://any.run/
• Hybrid Analysis - online malware anlysis - https://www.hybrid-analysis.com/
• Joe Sandbox - online sandbox/analysis - https://www.joesandbox.com/
• Lenny Zeltser's list of online malware analysis tools - https://zeltser.com/automated-malware-analysis/
• REMnux - malware analysis toolkit OS - https://remnux.org/
• Nextron Valhalla - YARA rule feed - https://www.nextron-systems.com/valhalla/

Phishing

• PhishCatch - browser ext and API server detects corp pwd use on external sites from Palantir - https://github.com/palantir/phishcatch

GRC

• GRC knowledge list - https://github.com/Arudjreis/awesome-security-GRC
• Protecht - Enterprise Risk Management software - https://www.protechtgroup.com/en-gb/enterprise-risk-management-software
• Deciduous - security decision mapping from Ryan Petrich & Kelly Shortridge:
  • https://swagitda.com/deciduous/
  • https://swagitda.com/blog/posts/deciduous-attack-tree-app/
  • https://swagitda.com/blog/posts/security-decision-trees-with-graphviz/
  • https://graphviz.org/
  • https://github.com/rpetrich

Red Team Tools

• Phant0m - Win Event Log Killer - https://github.com/hlldz/Phant0m
• Mythic - red team framework - https://github.com/its-a-feature/Mythic
• GoFetch - generate attack plans from Bloodhound - https://github.com/GoFetchAD/GoFetch

Go/Golang Tools

• The Hive Go library - https://github.com/TheHive-Project/TheHive4go
• Jira Go library - https://github.com/andygrunwald/go-jira
• Jira Go library (another) - https://github.com/go-jira/jira
• Tenable.io Go library - https://github.com/whereiskurt/tiogo
• Tenable.io Go library - https://github.com/attwad/nessie
• Tenable.io Go library - https://github.com/mistsys/go-tenable
• Tenable.io Go library - https://github.com/thathaneydude/go-tenable
• Kibana Go library - https://github.com/ewilde/go-kibana
• Elasticsearch Go library - https://github.com/elastic/go-elasticsearch
• Azure SDK for Go - https://github.com/Azure/azure-sdk-for-go
• Harp - Secret management toolchain from Elastic - https://github.com/elastic/harp
• Cisco Firepower Go client - https://github.com/buttahtoast/fmcClient

Python Tools

• Loguru - Python logging - https://github.com/Delgan/loguru
• Tenable Python library - https://github.com/tenable/pyTenable
• Tenable Python CLI tool - https://github.com/packetchaos/navi

Training

• Instruqt - cloud tech & cloudsec training modules - https://instruqt.com/

Random Useful Sites

• https://parsiya.net/ - Go/Golang, blog, hacking, reverse engineering, automation
• Purp1eW0lf's Blue Team Notes - https://github.com/Purp1eW0lf/Blue-Team-Notes
• US DHS CISA's tools github repos - https://github.com/search?q=user%3Acisagov+&s=stars&type=Repositories

AD Security

• https://posts.specterops.io/the-attack-path-management-manifesto-3a3b117f5e5
• SpecterOps - Bloodhound FOSS - https://github.com/BloodHoundAD/BloodHound
• Dockerised Bloodhound - https://github.com/belane/docker-bloodhound
• Bloodhound/Cypher Queries:
  • https://neo4j.com/docs/cypher-refcard/current/
  • https://blog.cptjesus.com/posts/introtocypher
  • https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/
  • https://github.com/hausec/Bloodhound-Custom-Queries
  • https://github.com/SadProcessor
  • https://www.ernw.de/download/BloodHoundWorkshop/ERNW_DogWhispererHandbook.pdf
  • https://github.com/JoshSchwarz/Bloodhound-Cypher
  • https://gist.github.com/jeffmcjunkin/7b4a67bb7dd0cfbfbd83768f3aa6eb12
  • https://bloodhoundnotebook.com/notebooks/cypher/queries_notebook.html
  • https://github.com/Scoubi/BloodhoundAD-Queries
• https://github.com/improsec/ImproHound - https://improsec.com/tech-blog/improhound-identify-ad-tiering-violations
• BloodCheck - Manage multiple Neo4j DBs & cypher query BH datasets - https://github.com/Mr-B0b/BloodCheck
• Plumhound - Bloodhound for blue & purple teams - https://github.com/PlumHound/PlumHound
• Use Bloodhound with network data to predict ransomware spread - https://github.com/zeronetworks/BloodHound-Tools
• Sean Metcalf - Trimarc - AD security don - https://adsecurity.org/
• SpecterOps - AD, Windows, OSX offensive & defensive tools - https://specterops.io/resources/affiliated-toolsets
• Semperis - AD defence & recovery commercial products and blog includes Darren Mar-Elia GPOGuy - https://www.semperis.com/
• Purple Knight - free AD security assessment tool from Semperis - https://www.purple-knight.com/
• Pingcastle - free/commercial AD security assessment tool from Vincent Letoux - https://www.pingcastle.com/
• Stealthbits - AD & data management commercial tools - https://stealthbits.com/active-directory-security-solutions/
• Tenable AD - formerly Alsid - https://www.tenable.com/products/tenable-ad
• YossiSassi's AD group change monitoring powershell - https://github.com/YossiSassi/Get-ADGroupChanges
• ZBang - CyberArk's AD risk assessment tool - https://github.com/cyberark/zBang
• ACLight - CyberArk's AD shadow admins discovery tool - https://github.com/cyberark/ACLight
• Vincent Yiu's red team tools & tips - https://www.vincentyiu.com/
• Dirk-Jan Mollema's blog - AD & AAD stuff - https://dirkjanm.io