Forensics
| Repository | Description |
|---|---|
| Angle-Grinder | Parse, aggregate, sum, average, min/max, percentile, and sort log files. |
| Autopsy | Investigate disk images. |
| Autoruns | Show persistence on Windows |
| Chainsaw | Parse and threat hunt Windows EVTX files. |
| FTK Imager | Investigate disk images. |
| KnockKnock | Show persistence on macOS |
| Magika | Detect file content types with deep learning. |
| Velociraptor | Velociraptor is a tool for collecting host based state information using The Velociraptor Query Language (VQL) queries. |
| Volatility | Analyze memory dump files. |
| ZimmermanTools | Eric Zimmerman’s toolset for Windows forensics: EVTX, registry, ShellBags, ShimCache, and more. |
Network Analysis
| Repository | Description |
|---|---|
| mitmproxy | CLI-based HTTP(S) proxy to intercept and modify HTTP requests. |
| Wireshark | GUI-based pcap, pcapng analyzer and network traffic sniffer. |
Deobfuscation & Unpacking
| Repository | Description |
|---|---|
| cfxc-deobf | ConfuserEx unpacker. |
| de4dot-cex | ConfuserEx unpacker. |
| de4dot | .NET deobfuscator and unpacker. |
| deobfuscate.io | Javascript deobfuscator. |
| FLOSS | Automatically extract obfuscated strings from malware. |
| NoFuserEx | ConfuserEx unpacker. |
| Packer-specific Unpackers | List of unpackers for specific packers. |
| PSDecode | PowerShell deobfuscator. |
| relative.im | Javascript deobfuscator. |
| UnconfuserExTools | ConfuserEx deobfuscation toolkit (old). |
Reverse Engineering
| Repository | Description |
|---|---|
| awesome-ida-x64-olly-plugin | A list of plugins for IDA, Ghidra, GDB, OllyDBG, etc. |
| Binary Ninja | Decompiler, disassembler, and debugger GUI. |
| Cerberus | Unstrips Rust and Go binaries. |
| cutter | Decompiler, disassembler, and debugger GUI based on Rizin. |
| dnSpy | .NET debugger and editor. |
| dotPeak | .NET Decompiler and assembly browser |
| GDB | CLI debugger for Linux executables. |
| GEF | GDB addon with advanced features. |
| ghidra | Decompiler and disassembler GUI. |
| JADX | JAR, APK, DEX, AAR, AAB, and ZIP decompiler. |
| IDA | Decompiler and disassembler GUI. |
| OllyDbg | GUI debugger for Windows executables. |
| pycdc | Decompile .pyc files into Python source code. |
| pyinstxtractor | Extract .pyc files from PyInstaller compiled executables. |
| redress | Analyzes stripped Go binaries. |
| rizin | Disassembler and debugger CLI. |
| x64dbg | GUI debugger for Windows executables. |
| XPEViewer | PE file viewer (headers, libraries, strings, etc). |
Malware Analysis
| Repository | Description |
|---|---|
| any.run | Cloud-based sandbox. |
| CAPA | Identify capabilities in executable files. |
| CAPEv2 | Self-hosted sandbox. |
| Cuckoo | Self-hosted sandbox. |
| Detect-It-Easy | Detect file type and packer used for Windows executables. |
| DRAKVUF | Self-hosted sandbox. |
| Joe’s Sandbox | Cloud-based sandbox. |
| mac-monitor | Advanced process monitoring for macOS |
| oletools | Toolkit for Microsoft Office documents (Word, Excel, etc.) to extract VBA, embedded objects, etc. |
| PEiD | Detect packer, cryptor, and compiler used for Windows executables. |
| Process Explorer | Shows parent-child relationships between processes and open DLL handles. |
| Process Hacker | Process Explorer + more |
| Process Monitor | Tracks registry, file system, network, and process activity. |
Hardening
| Repository | Description |
|---|---|
| BLUESPAWN | An Active Defense and EDR software to empower Blue Teams |
| CISBenchmarks | Benchmark for security configuration best practices |
| HardeningKitty | HardeningKitty and Windows Hardening settings and configurations |
| Linux Hardening | Linux Hardening |
| SteamRoller | Automating basic security configurations across an Active Directory environment |