Defense

In Progress

Table of Contents

Sort

  • Invoke-DOSfuscation

    • Cmd.exe Command Obfuscation Generator & Detection Test Harness
  • Powershell Download Cradles - Matthew Green

    • DrawBridge
      • A layer 4 Single Packet Authentication (SPA) Module, used to conceal TCP ports on public facing machines and add an extra layer of security.
  • WindowsDefenderATP-Hunting-Queries

    • This repo contains sample queries for Advanced hunting on Windows Defender Advanced Threat Protection. With these sample queries, you can start to experience Advanced hunting, including the types of data that it covers and the query language it supports. You can also explore a variety of attack techniques and how they may be surfaced through Advanced hunting.
  • PE-sieve

    • PE-sieve scans a given process, searching for the modules containing in-memory code modifications. When found, it dumps the modified PE.
  • ClrGuard

    • ClrGuard is a proof of concept project to explore instrumenting the Common Language Runtime (CLR) for security purposes. ClrGuard leverages a simple appInit DLL (ClrHook32/64.dll) in order to load into all CLR/.NET processes. From there, it performs an in-line hook of security critical functions. Currently, the only implemented hook is on the native LoadImage() function. When events are observed, they are sent over a named pipe to a monitoring process for further introspection and mitigation decision.
  • Defending against PowerShell attacks - in theory, and in practice by Lee holmes

https://www.auditscripts.com/free-resources/critical-security-controls/

End Sort


Access Control

  • Capirca
    • Capirca is a tool designed to utilize common definitions of networks, services and high-level policy files to facilitate the development and manipulation of network access control lists (ACLs) for various platforms. It was developed by Google for internal use, and is now open source.

Amazon S3


Anti-Redteam Tactics


Application Whitelisting


Attack Surface Analysis/Reduction

  • General
    • Intrigue-core
      • Intrigue-core is a framework for automated attack surface discovery.

(General)Auditing Account Passwords/Privileges


(General)Auditing Processes

(General) Baselining


Certificates (X.509)


Firewalls

  • Assimilator
    • The first restful API to control all firewall brands. Configure any firewall with restful API calls, no more manual rule configuration. Centralize all your firewalls into one API.
  • simplewall
    • Simple tool to configure Windows Filtering Platform (WFP) which can configure network activity on your computer. The lightweight application is less than a megabyte, and it is compatible with Windows Vista and higher operating systems. You can download either the installer or portable version. For correct working, need administrator rights.

(General) Hardening


Journalist


Leaks

  • General
    • AIL framework - Analysis Information Leak framework
      • AIL is a modular framework to analyse potential information leaks from unstructured data sources like pastes from Pastebin or similar services or unstructured data streams. AIL framework is flexible and can be extended to support other functionalities to mine sensitive information.
    • git-secrets
      • Prevents you from committing passwords and other sensitive information to a git repository.
    • keynuker
      • KeyNuker scans public activity across all Github users in your Github organization(s) and proactively deletes any AWS keys that are accidentally leaked. It gets the list of AWS keys to scan by directly connecting to the AWS API.
    • You're Leaking Trade Secrets - Defcon22 Michael Schrenk
      • Networks don't need to be hacked for information to be compromised. This is particularly true for organizations that are trying to keep trade secrets. While we hear a lot about personal privacy, little is said in regard to organizational privacy. Organizations, in fact, leak information at a much greater rate than individuals, and usually do so with little fanfare. There are greater consequences for organizations when information is leaked because the secrets often fall into the hands of competitors. This talk uses a variety of real world examples to show how trade secrets are leaked online, and how organizational privacy is compromised by seemingly innocent use of The Internet.

Linux/Unix


Malicious USBs


Network


OS X

  • General
  • Tools
    • netman
      • A userland network manager with monitoring and limiting capabilities for macOS.
    • netfil
      • A kernel network manager with monitoring and limiting capabilities for macOS.
    • OverSight
      • OverSight monitors a mac's mic and webcam, alerting the user when the internal mic is activated, or whenever a process accesses the webcam.
    • LuLu
      • LuLu is the free open-source macOS firewall that aims to block unauthorized (outgoing) network traffic

Phishing

  • Mercure
    • Mercure is a tool for security managers who want to teach their colleagues about phishing.
  • PPRT
    • This module is used to report phishing URLs to their WHOIS/RDAP abuse contact information.
  • PhishingKitHunter
    • PhishingKitHunter (or PKHunter) is a tool made for identifying phishing kits URLs used in phishing campains targeting your customers and using some of your own website files (as CSS, JS, ...). This tool - write in Python 3 - is based on the analysis of referer's URL which GET particular files on the legitimate website (as some style content) or redirect user after the phishing session. Log files (should) contains the referer URL where the user come from and where the phishing kit is deployed. PhishingKitHunter parse your logs file to identify particular and non-legitimate referers trying to get legitimate pages based on regular expressions you put into PhishingKitHunter's config file.
  • Catching phishing before they catch you
  • Tracking Newly Registered Domains - SANS
  • Hunting-Newly-Registered-Domains
    • The hnrd.py is a python utility for finding and analysing potential phishing domains used in phishing campaigns targeting your customers. This utility is written in python (2.7 and 3) and is based on the analysis of the features below by consuming a free daily list provided by the Whoisds site.
  • SwiftFilter
    • Exchange Transport rules using text matching and Regular Expressions to detect and enable response to basic phishing. Designed to augment EOP in Office 365.

Ransomware

  • Decryptonite
    • Decryptonite is a tool that uses heuristics and behavioural analysis to monitor for and stop ransomware.

User Awareness Training


Web

  • Practical Approach to Detecting and Preventing Web Application Attacks over HTTP2
  • AWS Lambda - IAM Access Key Disabler
    • The AWS Key disabler is a Lambda Function that disables AWS IAM User Access Keys after a set amount of time in order to reduce the risk associated with old access keys.
  • OWASP Secure Headers Project
  • The Open Guide to Amazon Web Services
    • A lot of information on AWS is already written. Most people learn AWS by reading a blog or a “getting started guide” and referring to the standard AWS references. Nonetheless, trustworthy and practical information and recommendations aren’t easy to come by. AWS’s own documentation is a great but sprawling resource few have time to read fully, and it doesn’t include anything but official facts, so omits experiences of engineers. The information in blogs or Stack Overflow is also not consistently up to date. This guide is by and for engineers who use AWS. It aims to be a useful, living reference that consolidates links, tips, gotchas, and best practices. It arose from discussion and editing over beers by several engineers who have used AWS extensively.

WAF


Windows