Forensics
| Repository | Description |
| --- | --- |
| Angle-Grinder | Parse, aggregate, sum, average, min/max, percentile, and sort log files |
| Autopsy | Digital forensics platform and graphical interface for disk images |
| Autoruns | Show persistence on Windows |
| Chainsaw | Parse and threat hunt Windows EVTX files |
| FTK Imager | Digital forensics platform and graphical interface for disk images |
| KnockKnock | Show persistence on macOS |
| Magika | Detect file content types with deep learning |
| Velociraptor | Tool for collecting host-based state information using Velociraptor Query Language (VQL) queries |
| Volatility | An advanced memory forensics framework |
| ZimmermanTools | Eric Zimmerman's toolset for Windows forensics: EVTX, registry, ShellBags, ShimCache, and more |
Network Analysis
| Repository | Description |
| --- | --- |
| mitmproxy | CLI-based HTTP(S) proxy to intercept and modify HTTP requests |
| Wireshark | GUI-based pcap/pcapng analyzer and network traffic sniffer |
Deobfuscation & Unpacking
Reverse Engineering
APK
Convert APK to JAR and then decompile the JAR
| Repository | Description |
| --- | --- |
| JADX | JAR, APK, DEX, AAR, AAB, and ZIP decompiler |
| dex2jar | Convert .APK to .JAR |
Binaries
Run strings on the binary to quickly get a sense of the program's functionality. If we see references to a specific compiler (e.g. Rust, Go), make sure we set the language in Ghidra for the best decompilation support.
| Repository | Description |
| --- | --- |
| Binary Ninja | Decompiler, disassembler, and debugger GUI |
| Cerberus | Unstrips Rust and Go binaries |
| cutter | Decompiler, disassembler, and debugger GUI based on Rizin |
| Floss | Extract obfuscated strings from Windows binaries |
| dnSpy | .NET debugger and editor |
| dotPeek | .NET decompiler and assembly browser |
| GDB | CLI debugger for Linux executables |
| ghidra | Decompiler and disassembler GUI |
| Ghidra Go Scripts | Scripts for helping with Go decompilation |
| IDA | Decompiler and disassembler GUI |
| OllyDbg | GUI debugger for Windows executables |
| PwnDbg | Plugin for GDB and LLDB offering advanced capabilities |
| redress | Analyzes stripped Go binaries |
| rizin | Disassembler and debugger CLI |
| WinDBG | GUI debugger for Windows executables |
| x64dbg | GUI debugger for Windows executables |
| XPEViewer | PE file viewer (headers, libraries, strings, etc.) |
Python
| Repository | Description |
| --- | --- |
| pycdc | Decompile .pyc files into Python source code |
| pyinstxtractor | Extract .pyc files from PyInstaller-compiled executables |
| PyLingual | Decompile .pyc files into Python source code |
Malware Analysis
| Repository | Description |
| --- | --- |
| any.run | Cloud-based sandbox |
| CAPA | Identify capabilities in executable files |
| CAPEv2 | Self-hosted sandbox |
| Cuckoo | Self-hosted sandbox |
| Detect-It-Easy | Detect file type and packer used for Windows executables |
| DRAKVUF | Self-hosted sandbox |
| Joe's Sandbox | Cloud-based sandbox |
| mac-monitor | Advanced process monitoring for macOS |
| oletools | Toolkit for Microsoft Office documents (Word, Excel, etc.) to extract VBA, embedded objects, etc. |
| PEiD | Detect packer, cryptor, and compiler used for Windows executables |
| Process Explorer | Shows parent-child relationships between processes and open DLL handles |
| Process Hacker | Process Explorer + more |
| Process Monitor | Tracks registry, file system, network, and process activity |
Hardening
| Repository | Description |
| --- | --- |
| BLUESPAWN | Active Defense and EDR software to empower Blue Teams |
| CISBenchmarks | Benchmarks for security configuration best practices |
| HardeningKitty | HardeningKitty and Windows hardening settings and configurations |
| Linux Hardening | Linux hardening |
| SteamRoller | Automating basic security configurations across an Active Directory environment |