Forensics

| Repository | Description |
|---|---|
| Angle-Grinder | Parse, aggregate, sum, average, min/max, percentile, and sort log files |
| Autopsy | Digital forensics platform and graphical interface for disk images |
| Autoruns | Show persistence (autostart locations) on Windows |
| Chainsaw | Parse and threat hunt Windows EVTX files |
| FTK Imager | Create forensic disk images and preview their contents; can also capture memory |
| KnockKnock | Show persistence on macOS |
| Magika | Detect file content types with deep learning |
| Velociraptor | Collect host state information from endpoints using Velociraptor Query Language (VQL) queries |
| Volatility | Advanced memory forensics framework |
| ZimmermanTools | Eric Zimmerman's toolset for Windows forensics: EVTX, registry, ShellBags, ShimCache, and more |

Network Analysis

| Repository | Description |
|---|---|
| mitmproxy | Interactive HTTP(S) proxy (console, web UI, and Python addons) to intercept and modify requests and responses |
| Wireshark | GUI-based pcap/pcapng analyzer and network traffic sniffer |

Deobfuscation & Unpacking

| Repository | Description |
|---|---|
| cfxc-deobf | ConfuserEx unpacker |
| de4dot-cex | ConfuserEx unpacker |
| de4dot | .NET deobfuscator and unpacker |
| deobfuscate.io | JavaScript deobfuscator |
| FLOSS | Automatically extract obfuscated strings from malware |
| NoFuserEx | ConfuserEx unpacker |
| Packer-specific Unpackers | List of unpackers for specific packers |
| PSDecode | PowerShell deobfuscator |
| relative.im | JavaScript deobfuscator |
| UnconfuserExTools | ConfuserEx deobfuscation toolkit (old) |
| UnPHP | PHP deobfuscator |
| UPX | Executable packer for PE, ELF, and Mach-O; an unmodified UPX-packed PE typically shows UPX0/UPX1 section names and can be unpacked with upx -d |

Reverse Engineering

APK

JADX decompiles an APK directly to Java source. Alternatively, convert the DEX classes to a JAR with dex2jar and open the JAR in a Java decompiler.

| Repository | Description |
|---|---|
| JADX | JAR, APK, DEX, AAR, AAB, and ZIP decompiler |
| dex2jar | Converts .dex/.apk to .jar |

Binaries

Run strings first to get a quick picture of the program's functionality. If the output shows references to a specific toolchain (e.g. Rust or Go), select the matching language/compiler specification when importing the binary into Ghidra for the best decompilation results, and use the Go- and Rust-specific helpers below to recover symbols from stripped binaries.
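To make that first triage pass concrete, here is an added example (not code from this page or from any tool listed on it) that does in Python what a practitioner would otherwise do by hand with strings and a PE viewer: pull printable strings, look for toolchain markers (Go, Rust, .NET, PyInstaller, UPX), check for the PyInstaller archive magic, and walk the PE section table for the UPX0/UPX1 names mentioned in the unpacking list above. The marker lists and the minimal fake PE builder used for the sample inputs are assumptions made for illustration, not exhaustive signatures; only the standard library is used.

```python
"""Quick static triage of an unknown binary: strings-based toolchain hints plus a
PE section-name check for UPX. Added example using only the standard library."""
import re
import struct

# Substrings that typically betray a toolchain or packer. These marker lists are
# an illustrative assumption, not a complete signature set.
TOOLCHAIN_MARKERS = {
    "go": ["Go build ID:", "go.buildid", "runtime.gopanic", "golang.org"],
    "rust": ["rustc", "/rustc/", "core::panicking", "std::panicking"],
    "dotnet": ["mscoree.dll", "_CorExeMain", "_CorDllMain"],
    "pyinstaller": ["PyInstaller", "pyi-runtime-tmpdir"],
    "upx": ["UPX!", "UPX0", "UPX1"],
}

# Cookie that PyInstaller appends to its bootloader archive (CArchive MAGIC).
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return runs of printable ASCII of at least min_len bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def toolchain_hints(strings: list) -> set:
    """Map extracted strings to the toolchains/packers whose markers they contain."""
    found = set()
    for name, markers in TOOLCHAIN_MARKERS.items():
        if any(marker in s for s in strings for marker in markers):
            found.add(name)
    return found


def pe_section_names(data: bytes) -> list:
    """Return section names from a PE image, or [] if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                      # COFF file header, 20 bytes
    if coff + 20 > len(data):
        return []
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size             # section table, 40 bytes per entry
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40:table + i * 40 + 8]
        if len(raw) < 8:
            break
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage(data: bytes) -> dict:
    """Combine string markers, PyInstaller magic and PE section names into hints."""
    strings = extract_strings(data)
    hints = toolchain_hints(strings)
    if PYINSTALLER_MAGIC in data:
        hints.add("pyinstaller")
    sections = pe_section_names(data)
    if any(n.startswith("UPX") for n in sections):
        hints.add("upx")
    return {"strings": len(strings), "sections": sections, "hints": sorted(hints)}


def build_fake_pe(section_names: list, payload: bytes = b"") -> bytes:
    """Construct a minimal, non-runnable PE image with the given section names
    (constructed sample input for the example, not a real executable)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0, 0)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections + payload


# Constructed samples: a "Go" PE, a UPX-packed-looking PE, a Rust ELF fragment,
# and a PyInstaller-style blob.
SAMPLE_GO = build_fake_pe([".text", ".data"], b"\0\0Go build ID: \"abc123\"\0runtime.gopanic\0")
SAMPLE_UPX = build_fake_pe(["UPX0", "UPX1", ".rsrc"], b"\0\0UPX!\0")
SAMPLE_ELF_RUST = b"\x7fELF\0\0/rustc/abc/library/core/src/panicking.rs\0core::panicking::panic\0"
SAMPLE_PYI = b"\0" * 4 + PYINSTALLER_MAGIC + b"\0pyi-runtime-tmpdir\0"

if __name__ == "__main__":
    import sys
    targets = sys.argv[1:]
    if not targets:  # no files given: run over the constructed samples
        for label, blob in [("go", SAMPLE_GO), ("upx", SAMPLE_UPX),
                            ("rust", SAMPLE_ELF_RUST), ("pyi", SAMPLE_PYI)]:
            print(label, triage(blob))
    for path in targets:
        with open(path, "rb") as fh:
            print(path, triage(fh.read()))
```

A "go" or "rust" hint is the cue to pick the matching compiler specification at Ghidra import time; a "upx" hint means try upx -d before spending time in the decompiler, and a "pyinstaller" hint sends the sample to the Python section rather than a native decompiler.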

| Repository | Description |
|---|---|
| Binary Ninja | Decompiler, disassembler, and debugger GUI |
| Cerberus | Unstrips Rust and Go binaries |
| Cutter | Decompiler, disassembler, and debugger GUI based on Rizin |
| FLOSS | Extract obfuscated strings from binaries (also listed under Deobfuscation & Unpacking) |
| dnSpy | .NET debugger and editor |
| dotPeek | .NET decompiler and assembly browser |
| GDB | CLI debugger for Linux executables |
| Ghidra | Decompiler and disassembler GUI |
| Ghidra Go Scripts | Scripts for helping with Go decompilation in Ghidra |
| IDA | Decompiler and disassembler GUI |
| OllyDbg | GUI debugger for 32-bit Windows executables |
| pwndbg | Plugin for GDB and LLDB offering advanced capabilities |
| redress | Analyzes stripped Go binaries |
| Rizin | Disassembler and debugger CLI |
| WinDbg | Microsoft GUI debugger for Windows user-mode and kernel-mode targets |
| x64dbg | GUI debugger for Windows executables |
| XPEViewer | PE file viewer (headers, libraries, strings, etc.) |

Python

| Repository | Description |
|---|---|
| pycdc | Decompile .pyc files into Python source code |
| pyinstxtractor | Extract .pyc files from PyInstaller-compiled executables |
| PyLingual | Decompile .pyc files into Python source code |

Malware Analysis

| Repository | Description |
|---|---|
| any.run | Cloud-based sandbox |
| capa | Identify capabilities in executable files |
| CAPEv2 | Self-hosted sandbox |
| Cuckoo | Self-hosted sandbox |
| Detect-It-Easy | Detect file type, compiler, and packer used for executables |
| DRAKVUF | Self-hosted sandbox |
| Joe Sandbox | Cloud-based sandbox |
| mac-monitor | Advanced process monitoring for macOS |
| oletools | Toolkit for Microsoft Office documents (Word, Excel, etc.) to extract VBA, embedded objects, etc. |
| PEiD | Detect packer, cryptor, and compiler used for Windows executables |
| Process Explorer | Shows parent-child relationships between processes and open DLL handles |
| Process Hacker | Process Explorer + more (now maintained as System Informer) |
| Process Monitor | Tracks registry, file system, network, and process activity |

Hardening

| Repository | Description |
|---|---|
| BLUESPAWN | Active defense and EDR software to empower blue teams |
| CIS Benchmarks | Benchmarks for security configuration best practices |
| HardeningKitty | Checks and hardens Windows configuration against security baselines |
| Linux Hardening | Linux hardening guidance |
| SteamRoller | Automating basic security configurations across an Active Directory environment |