
Another partial update, haven't updated ATT&CK yet. Hoping to do that this week

pull/13/head
rmusser01 5 years ago
parent
commit
b3247594b3
30 changed files with 1049 additions and 829 deletions
1. Draft/AnonOpsecPrivacy.md (+12, -4)
2. Draft/BIOS UEFI Attacks Defenses.md (+61, -13)
3. Draft/Courses_Training.md (+4, -2)
4. Draft/Cryptography & Encryption.md (+2, -0)
5. Draft/Defense.md (+65, -57)
6. Draft/Documentation & Reports -.md (+11, -5)
7. Draft/Embedded Device & Hardware Hacking -.md (+3, -0)
8. Draft/Exfiltration.md (+5, -0)
9. Draft/Exploit Development.md (+35, -37)
10. Draft/Forensics Incident Response.md (+295, -288)
11. Draft/Fuzzing Bug Hunting.md (+7, -9)
12. Draft/Game Hacking.md (+31, -16)
13. Draft/Interesting Things Useful stuff.md (+6, -2)
14. Draft/Malware.md (+21, -8)
15. Draft/Network Attacks & Defenses.md (+22, -17)
16. Draft/Network Security Monitoring & Logging.md (+9, -2)
17. Draft/Open Source Intelligence.md (+16, -14)
18. Draft/Phishing.md (+2, -1)
19. Draft/Privilege Escalation & Post-Exploitation.md (+47, -31)
20. Draft/Programming - Languages Libs Courses References.md (+72, -58)
21. Draft/Red-Teaming.md (+53, -23)
22. Draft/Reverse Engineering.md (+21, -12)
23. Draft/Rootkits.md (+76, -90)
24. Draft/SCADA.md (+1, -0)
25. Draft/System Internals Windows and Linux Internals Reference.md (+2, -0)
26. Draft/Threat Modeling.md (+21, -86)
27. Draft/UX Design - Because we all know how sexy pgp is.md (+6, -6)
28. Draft/Web & Browsers.md (+95, -26)
29. Draft/Wireless Networks & RF.md (+21, -19)
30. Draft/things-added.md (+27, -3)

Draft/AnonOpsecPrivacy.md (+12, -4)

@ -34,13 +34,10 @@
#### Sort/Add
* https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-guri-update.pdf
* [A Technical Description of Psiphon](https://psiphon.ca/en/blog/psiphon-a-technical-description)
* [Invasion of Privacy - HackerFactor](http://www.hackerfactor.com/blog/index.php?/archives/703-Invasion-of-Privacy.html)
* [What Happens Next Will Amaze You](http://idlewords.com/talks/what_happens_next_will_amaze_you.htm#six_fixes)
* [anonymouth](https://github.com/psal/anonymouth)
* Document Anonymization Tool, Version 0.5
* [Protecting Your Sources When Releasing Sensitive Documents](https://source.opennews.org/articles/how-protect-your-sources-when-releasing-sensitive-/)
#### end Sort
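Review bot: the raw usenix URL at the top of the Sort/Add block has no title or description, unlike every other bullet; give it a `* [Title](url)` entry. Also, `anonymouth` / `Document Anonymization Tool, Version 0.5` and `Protecting Your Sources When Releasing Sensitive Documents` reappear verbatim under the new **Documents** subsection later in this file, so check that the copies here are the removed side of the move (the hunk shrinks from 13 to 10 lines, which fits) rather than a leftover duplicate.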
@ -56,6 +53,7 @@
* [The Gruqgs blog](http://grugq.tumblr.com/)
* ['I've Got Nothing to Hide' and Other Misunderstandings of Privacy](http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565&)
* We live in a surveillance state. Law enforcement and intelligence agencies have access to a huge amount of data about us, enabling them to learn intimate, private details about our lives. In part, the ease with which they can obtain such information reflects the fact that our laws have failed to keep up with advances in technology. However, privacy enhancing technologies can offer real protections even when the law does not. That intelligence agencies like the NSA are able to collect records about every telephone call made in the United States, or engage in the bulk surveillance of Internet communications is only possible because so much of our data is transmitted in the clear. The privacy enhancing technologies required to make bulk surveillance impossible and targeted surveillance more difficult already exist. We just need to start using them.
* [A Guide to Law Enforcement Spying Technology - EFF](https://www.eff.org/sls)
* **Android/iOS/Mobile**
* [Click and Dragger: Denial and Deception on Android mobile](https://www.slideshare.net/grugq/mobile-opsec/34-WHAT_ARETHEY_GOOD_FOR_Threat)
* [DEFCON 20: Can You Track Me Now? Government And Corporate Surveillance Of Mobile Geo-Location Data](https://www.youtube.com/watch?v=NjuhdKUH6U4)
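Review bot: the description bullet indented under 'I've Got Nothing to Hide' reads as an abstract about bulk surveillance and privacy-enhancing technologies rather than a summary of that essay; confirm which link it belongs to before it is kept as that paper's summary. Minor: 'The Gruqgs blog' should be 'The grugq's blog' (cf. the grugq.tumblr.com URL).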
@ -88,6 +86,16 @@
* **Papers**
* [Speaker Recognition in Encrypted Voice Streams - Michael Backes,Goran Doychev,Markus Durmuth,Boris Kopf](http://software.imdea.org/~gdoychev/publications/esorics10.pdf)
* We develop a novel approach for unveiling the identity of speakers who participate in encrypted voice communication, solely by eavesdropping on the encrypted traffic. Our approach exploits the concept of voice activity detection (VAD), a widely used technique for reducing the bandwidth consumption of voice traffic. We show that the reduction of traffic caused by VAD techniques creates patterns in the encrypted traffic, which in turn reveal the patterns of pauses in the underlying voice stream. We show that these patterns are speaker-characteristic, and that they are sufficient to undermine the anonymity of the speaker in encrypted voice communication. In an empirical setup with 20 speakers our analysis is able to correctly identify an unknown speaker in about 48% of all cases. Our work extends and generalizes existing work that exploits variable bit-rate encoding for identifying the conversation language and content of encrypted voice streams)
* **Documents**
* [anonymouth](https://github.com/psal/anonymouth)
* Document Anonymization Tool, Version 0.5
* [Protecting Your Sources When Releasing Sensitive Documents](https://source.opennews.org/articles/how-protect-your-sources-when-releasing-sensitive-/)
* [F⁠ingerprinting documents​ with steganography​](http://blog.fastforwardlabs.com/2017/06/23/fingerprinting-documents-with-steganography.html)
* [steganos](https://github.com/fastforwardlabs/steganos)
* This is a library to encode bits into text.... steganography in text!
* [Content-preserving Text Watermarking through Unicode Homoglyph Substitution](https://www.researchgate.net/publication/308044170_Content-preserving_Text_Watermarking_through_Unicode_Homoglyph_Substitution)
* Digital watermarking has become crucially important in authentication and copyright protection of the digital contents, since more and more data are daily generated and shared online through digital archives, blogs and social networks. Out of all, text watermarking is a more difficult task in comparison to other media watermarking. Text cannot be always converted into image, it accounts for a far smaller amount of data (eg. social network posts) and the changes in short texts would strongly affect the meaning or the overall visual form. In this paper we propose a text watermarking technique based on homoglyph characters substitution for latin symbols1. The proposed method is able to efficiently embed a password based watermark in short texts by strictly preserving the content. In particular, it uses alternative Unicode symbols to ensure visual indistinguishability and length preservation, namely content-preservation. To evaluate our method, we use a real dataset of 1.8 million New York articles. The results show the effectiveness of our approach providing an average length of 101 characters needed to embed a 64bit password based watermark.
* [Text Authorship Verification through Watermarking - Stefano Giovanni Rizzo, Flavio Bertini, Danilo Montesi](https://pdfs.semanticscholar.org/4028/f904da8e2c50672e6037168bf2bd72bc4cb9.pdf)
* **Identification**
* [Achie­ving an­ony­mi­ty against major face re­co­gni­ti­on al­go­rith­ms - Be­ne­dikt Dries­sen, Mar­kus Dür­muth](http://www.mobsec.rub.de/forschung/veroeffentlichungen/driessen-13-face-rec/)
* **Informative/Educational**
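Review bot: the 'Fingerprinting documents with steganography' title contains invisible Unicode characters (zero-width characters between the words), and the 'Achieving anonymity against major face recognition algorithms' entry is full of soft hyphens, both presumably copied from the source pages; strip them, since they break searching the file and, given the subject of those very links, may well be a text watermark. Smaller points in the same hunk: the Speaker Recognition abstract ends with a stray `)`, the homoglyph paper abstract carries a footnote marker (`latin symbols1`), and `64bit` should be `64-bit`.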


Draft/BIOS UEFI Attacks Defenses.md (+61, -13)

@ -20,9 +20,24 @@ TOC
#### Sort
http://www.stoned-vienna.com/
Re-categorize/sort stuff
* [All Your Boot Are Belong To Us - Intel Security](https://cansecwest.com/slides/2014/AllYourBoot_csw14-intel-final.pdf)
* [How Many Million BIOSes Would you Like to Infect?](http://conference.hitb.org/hitbsecconf2015ams/sessions/how-many-million-bioses-would-you-like-to-infect/)
* This talk is going to be all about how the automation of BIOS vulnerability exploitation and leveraging of built-in capabilities can yield highly portable UEFI firmware malware. And how millions of systems will be vulnerable for years, because no one cares enough to patch the BIOS bugs we’ve found. So you think you’re doing OPSEC right, right? You’re going to crazy lengths to protect yourself, reinstalling your main OS every month, or using a privacy-conscious live DVD like TAILS. Guess what? BIOS malware doesn’t care! BIOS malware doesn’t give a shit
* [Security Evaluation of Intel's Active Management Technology](http://people.kth.se/~maguire/DEGREE-PROJECT-REPORTS/100402-Vassilios_Ververis-with-cover.pdf)
* [A Real SMM Rootkit: Reversing and Hooking BIOS SMI Handlers - Filip Wecherowski](http://phrack.org/issues/66/11.html#article)
* The research provided in this paper describes in details how to reverse engineer and modify System Management Interrupt (SMI) handlers in the BIOS system firmware and how to implement and detect SMM keystroke logger. This work also presents proof of concept code of SMM keystroke logger that uses I/O Trap based keystroke interception and a code for detection of such keystroke logger.
* [How to hack a disabled computer or run code in Intel ME](http://blog.ptsecurity.ru/2018/01/intel-me.html)
* [Intel Q3’17 ME 11.x, SPS 4.0, and TXE 3.0 Security Review Cumulative Update](https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr)
#### End Sort
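Review bot: `http://www.stoned-vienna.com/` and `Re-categorize/sort stuff` sit in the Sort block as bare, un-bulleted lines; turn the first into a titled bullet and the second into a todo comment so they don't render as body text. The ME entries ('How to hack a disabled computer or run code in Intel ME', 'Intel Q3’17 ME 11.x, SPS 4.0, and TXE 3.0 Security Review Cumulative Update') are also added to the new Intel Management Engine section further down in this file, so the copies here can be dropped once the sort is done.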
@ -36,7 +51,7 @@ http://www.stoned-vienna.com/
* [Extensible Firmware Interface (EFI) and Unified EFI (UEFI)](http://www.intel.com/content/www/us/en/architecture-and-technology/unified-extensible-firmware-interface/efi-homepage-general-technology.html)
* [Understanding AMT, UEFI BIOS and Secure boot relationships](https://communities.intel.com/community/itpeernetwork/vproexpert/blog/2013/08/11/understanding-amt-uefi-bios-and-secure-boot-relationships)
* [Introduction to UEFI](http://x86asm.net/articles/introduction-to-uefi/)
* [What is Intel Mangement Engine?](http://me.bios.io/ME:About)
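Review bot: typo in the changed line, 'Intel Mangement Engine' should be 'Intel Management Engine'; the same title recurs as the 101 entry of the new Intel Management Engine section below, so fix both.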
@ -53,6 +68,25 @@ http://www.stoned-vienna.com/
* [Advanced Threat Research - Intel](http://www.intelsecurity.com/advanced-threat-research/index.html)
---------------------
## Intel Management Engine
* **101**
* [What is Intel Mangement Engine?](http://me.bios.io/ME:About)
* **Articles/Blogposts/Writeups**
* [How to hack a disabled computer or run code in Intel ME](http://blog.ptsecurity.ru/2018/01/intel-me.html)
* [Intel Management Engine Secrets by Igor Skochinsky](https://www.youtube.com/watch?v=Y2_-VXz9E-w)
* **Papers**
* **General**
* [Intel Q3’17 ME 11.x, SPS 4.0, and TXE 3.0 Security Review Cumulative Update](https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr)
-------------------------
## UEFI
* **101**
* **Articles/Blogposts/Writeups**
* **Papers**
* **General**
-----------------
## <a name="exploit"></a>Exploitation
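Review bot: the new UEFI section is empty scaffolding (101, Articles/Blogposts/Writeups, Papers, General with no entries), and the Intel Management Engine Papers bullet is empty too; either populate them from the UEFI links already in the file (Introduction to UEFI, the Intel EFI/UEFI page above) or leave a single placeholder so readers don't hit four empty headings. Also, existing sections carry `<a name=...>` anchors for the TOC (see `## <a name="exploit"></a>Exploitation`); the two new headings have none, and the three horizontal rules in this hunk are different lengths.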
@ -107,22 +141,36 @@ Reverse Engineering Router Firmware walk through
* [Meltdown and Spectre - Vulnerabilities in modern computers leak passwords and sensitive data.](https://meltdown.help/)
* Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents. Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider's infrastructure, it might be possible to steal data from other customers.
* [Reading privileged memory with a side-channel](https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html)
* [KPTI-PoC-Collection](https://github.com/turbo/KPTI-PoC-Collection)
* Meltdown/Spectre PoC src collection.
* [Meltdown PoC for Reading Google Chrome Passwords](https://github.com/RealJTG/Meltdown)
* **Meltdown**
* [Meltdown](https://meltdownattack.com/meltdown.pdf)
* The security of computer systems fundamentally relies on memory isolation, e.g., kernel address ranges are marked as non-accessible and are protected from user access. In this paper, we present Meltdown. Meltdown exploits side effects of out-of-order execution on modern processors to read arbitrary kernel-memory locations including personal data and passwords. Out-of-order execution is an indispensable performance feature and present in a wide range of modern processors. The attack is independent of the operating system, and it does not rely on any software vulnerabilities. Meltdown breaks all security assumptions given by address space isolation as well as paravirtualized environments and, thus, every security mechanism building upon this foundation. On affected systems, Meltdown enables an adversary to read memory of other processes or virtual machines in the cloud without any permissions or privileges, affecting millions of customers and virtually every user of a personal computer. We show that the KAISER defense mechanism for KASLR [8] has the important (but inadvertent) side effect of impeding Meltdown. We stress that KAISER must be deployed immediately to prevent large-scale exploitation of this severe information leakage
* [Meltdown Proof-of-Concept](https://github.com/IAIK/meltdown)
* This repository contains several applications, demonstrating the Meltdown bug. For technical information about the bug, refer to the paper:
* Meltdown by Lipp, Schwarz, Gruss, Prescher, Haas, Mangard, Kocher, Genkin, Yarom, and Hamburg
* The applications in this repository are built with libkdump, a library we developed for the paper. This library simplifies exploitation of the bug by automatically adapting to certain properties of the environment.
* **Testing**
* [Am-I-affected-by-Meltdown](https://github.com/raphaelsc/Am-I-affected-by-Meltdown)
* Meltdown Exploit / Proof-of-concept / checks whether system is affected by Variant 3: rogue data cache load (CVE-2017-5754), a.k.a MELTDOWN.
* [Meltdown Proof-of-Concept](https://github.com/IAIK/meltdown)
* This repository contains several applications, demonstrating the Meltdown bug. For technical information about the bug, refer to the paper:
* Meltdown by Lipp, Schwarz, Gruss, Prescher, Haas, Mangard, Kocher, Genkin, Yarom, and Hamburg
* The applications in this repository are built with libkdump, a library we developed for the paper. This library simplifies exploitation of the bug by automatically adapting to certain properties of the environment.
* [Meltdown Exploit PoC](https://github.com/paboldin/meltdown-exploit)
* **Spectre**
* [Spectre Attacks: Exploiting Speculative Execution](https://spectreattack.com/spectre.pdf)
* Modern processors use branch prediction and speculative execution to maximize performance. For example, if the destination of a branch depends on a memory value that is in the process of being read, CPUs will try guess the destination and attempt to execute ahead. When the memory value finally arrives, the CPU either discards or commits the speculative computation. Speculative logic is unfaithful in how it executes,can access to the victim’s memory and registers, and can perform operations with measurable side effects. Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim’s confidential information via a side channel to the adversary. This paper describes practical attacks that combine methodology from side channel attacks, fault attacks, and return-oriented programming that can read arbitrary memory from the victim’s process. More broadly, the paper shows that speculative execution implementations violate the security assumptions underpinning numerous software security mechanisms, including operating system process separation, static analysis, containerization, just-in-time (JIT) compilation, and countermeasures to cache timing/side-channel attacks. These attacks repre- sent a serious threat to actual systems, since vulnerable speculative execution capabilities are found in microprocessors from Intel, AMD, and ARM that are used in billions of devices. While makeshift processor-specific countermeasures are possible in some cases, sound solutions will require fixes to processor designs as well as updates to instruction set architectures (ISAs) to give hardware architects and software developers a common understanding as to what computation state CPU implementations are (and are not) permitted to leak.
* [spec_poc_arm](https://github.com/lgeek/spec_poc_arm)
* PoC code implementing variant 3a of the Meltdown attack for AArch64. This allows reading all (potentially excluding registers whose read has side effects - not verified) system registers from user mode, including those which should only be accessible from the EL1 (kernel), EL2 (hypervisor) and EL3 (secure monitor) modes.
* [SpectrePoC](https://github.com/crozone/SpectrePoC)
* Proof of concept code for the Spectre CPU exploit.
* [spectre-attack](https://github.com/Eugnis/spectre-attack)
* Example of using revealed "Spectre" exploit (CVE-2017-5753 and CVE-2017-5715)
* **Testing**
* [spec_poc_arm](https://github.com/lgeek/spec_poc_arm)
* PoC code implementing variant 3a of the Meltdown attack for AArch64. This allows reading all (potentially excluding registers whose read has side effects - not verified) system registers from user mode, including those which should only be accessible from the EL1 (kernel), EL2 (hypervisor) and EL3 (secure monitor) modes.
* [SpectrePoC](https://github.com/crozone/SpectrePoC)
* Proof of concept code for the Spectre CPU exploit.
* [spectre-attack](https://github.com/Eugnis/spectre-attack)
* Example of using revealed "Spectre" exploit (CVE-2017-5753 and CVE-2017-5715)
* [SpecuCheck](https://github.com/ionescu007/SpecuCheck)
* SpecuCheck is a Windows utility for checking the state of the software mitigations against CVE-2017-5754 (Meltdown) and hardware mitigations against CVE-2017-5715 (Spectre)
* [SpectreExploit](https://github.com/HarsaroopDhillon/SpectreExploit)
* SpectreExploit POC For educational purposes. I am not responsible for any damages or any loss.
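Review bot: this hunk introduces duplicate entries: the IAIK 'Meltdown Proof-of-Concept' block (three bullets) appears both under **Meltdown** and under its **Testing** subsection, and `spec_poc_arm`, `SpectrePoC` and `spectre-attack` each appear under **Spectre** and again under its **Testing**; keep one copy per entry. `spec_poc_arm` also describes itself as 'variant 3a of the Meltdown attack for AArch64', so it belongs under Meltdown, not Spectre. Consider reserving **Testing** for the checkers (`Am-I-affected-by-Meltdown`, `SpecuCheck`) and keeping PoC repositories in the parent list; and the `SpectreExploit` bullet carries the repo's liability disclaimer rather than a description.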


Draft/Courses_Training.md (+4, -2)

@ -180,14 +180,16 @@ These classes are all focused on computer/information security. If you're lookin
* [OWASP Juiceshop](https://www.owasp.org/index.php/OWASP_Juice_Shop_Project)
* [OWASP JuiceShop Gitbook walkthrough](https://www.gitbook.com/book/bkimminich/pwning-owasp-juice-shop/details)
* [Video Walk through by Sunny Wear](https://www.youtube.com/watch?v=zi3yDovd0RY&list=PL-giMT7sGCVI9T4rKhuiTG4EDmUz-arBo)
* [Hacker101](https://github.com/Hacker0x01/hacker101)
* Hacker101 is a free class for web security. Whether you're a programmer with an interest in bug bounties or a seasoned security professional, Hacker101 has something to teach you.
* [hacker101](https://github.com/Hacker0x01/hacker101)
* Hacker101 is structured as a set of video lessons -- some covering multiple topics, some covering a single one -- and can be consumed in two different ways. You can either watch them in the order produced as in a normal class ([§](https://github.com/Hacker0x01/hacker101#sessions) Sessions), or you can watch individual videos ([§](https://github.com/Hacker0x01/hacker101#vulnerabilities) Vulnerabilities). If you're new to security, we recommend the former; this provides a guided path through the content and covers more than just individual bugs.
### Wireless
* [Dissecting Industrial Wireless Implementations - DEF CON 25](https://github.com/voteblake/DIWI)
* https://github.com/vortessence/vortessence
* [RFID INFOSEC](http://rfidsecurity.uark.edu/course/index.html)
* RFID INFOSEC is designed to teach undergraduate students about radio frequency identification (RFID) information systems security (INFOSEC). It provides a system-wide description of a RFID system using a layered reference model that describes the tag, media interface, reader, network, middleware, and application layers. In addition, it addresses RFID security and privacy threats, risks, and mitigation techniques. These materials include lesson plans, slides, homework, laboratories, and assessment rubrics organized into modules.
### <a name="data"></a>Data Science
* [CS 259D Data Mining for Cyber Security Autumn 2014](http://web.stanford.edu/class/cs259d/)
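Review bot: Hacker101 is listed twice with the same repository URL (`[Hacker101](...)` and `[hacker101](...)`) and two different blurbs; merge them into one entry that keeps both sentences. The bare `https://github.com/vortessence/vortessence` line under Wireless has no title or description and nothing in its name ties it to wireless; give it a title and check the category.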


Draft/Cryptography & Encryption.md (+2, -0)

@ -259,6 +259,8 @@ https://conversations.im/xeps/multi-end.html
* [Blockchain Security research](https://gist.github.com/insp3ctre/403b8cb99eae2f52565874d8547fbc94)
* Open-source blockchain security research (contributions welcome!)
* [Blockchain Graveyard](https://magoo.github..io/Blockchain-Graveyard/)
* [Crypto Canon](https://a16z.com/2018/02/10/crypto-readings-resources/)
* Curatd resources explaining various parts of crypto currencies. Hosted/maintained by a16z.com
* **Bitcoin**
* [Bitcoin Paper](https://bitcoin.org/bitcoin.pdf)
* [Bitcoin Paper Annotated - Genius](https://genius.com/2683753)
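Review bot: broken link in the Blockchain Graveyard entry: `https://magoo.github..io/Blockchain-Graveyard/` has a doubled dot and should read `magoo.github.io`. Also 'Curatd' should be 'Curated' in the Crypto Canon description.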


Draft/Defense.md (+65, -57)

@ -24,15 +24,18 @@ z# Defense
### Sort
* [Using an Expanded Cyber Kill Chain Model to Increase Attack Resiliency - Sean Malone - BHUSA16](https://www.youtube.com/watch?v=1Dz12M7u-S8)
* We'll review what actions are taken in each phase, and what's necessary for the adversary to move from one phase to the next. We'll discuss multiple types of controls that you can implement today in your enterprise to frustrate the adversary's plan at each stage, to avoid needing to declare "game over" just because an adversary has gained access to the internal network. The primary limiting factor of the traditional Cyber Kill Chain is that it ends with Stage 7: Actions on Objectives, conveying that once the adversary reaches this stage and has access to a system on the internal network, the defending victim has already lost. In reality, there should be multiple layers of security zones on the internal network, to protect the most critical assets. The adversary often has to move through numerous additional phases in order to access and manipulate specific systems to achieve his objective. By increasing the time and effort required to move through these stages, we decrease the likelihood of the adversary causing material damage to the enterprise.
* [Slides](https://www.blackhat.com/docs/us-16/materials/us-16-Malone-Using-An-Expanded-Cyber-Kill-Chain-Model-To-Increase-Attack-Resiliency.pdf)
https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
https://blogs.technet.microsoft.com/srd/2015/02/10/ms15-011-ms15-014-hardening-group-policy/
* [Windows ISV Software Security Defenses - msdn](https://msdn.microsoft.com/en-us/library/bb430720.aspx)
* [Common misconfigurations that lead to a breach - Justin Tharpe](https://www.youtube.com/watch?v=fI3mycr5cPg)
* [Mitigate threats by using Windows 10 security features](https://docs.microsoft.com/en-us/windows/threat-protection/overview-of-threat-mitigations-in-windows-10)
* [SANS Institute Security Consensus Operational Readiness Evaluation](https://www.sans.org/media/score/checklists/LinuxCheatsheet_2.pdf)
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ee791851(v=ws.11)
* [Security Guide for Developers](https://github.com/FallibleInc/security-guide-for-developers)
* [Windows Server guidance to protect against speculative execution side-channel vulnerabilities](https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution?t=1&cn=ZmxleGlibGVfcmVjc18y&refsrc=email&iid=149b9032665345ba890ba51d3bf0d519&fl=4&uid=150127534&nid=244%20281088008)
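Review bot: three bare URLs (the enable-attack-surface-reduction doc, the MS15-011/MS15-014 hardening post, and the Windows Server 2012 R2 ee791851 page) are added without bullets or titles and will render as run-on text; give them `* [Title](url)` entries. The Windows Server speculative-execution link also carries email-tracking query parameters (`?t=1&cn=...&refsrc=email&iid=...&uid=...&nid=...`) that should be stripped back to the `/help/4072698/...` path. The hunk's context line shows the file heading as `z# Defense`, so a stray `z` precedes the H1 and should be removed.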
@ -42,65 +45,29 @@ https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server
* [simplewall](https://github.com/henrypp/simplewall)
* Simple tool to configure Windows Filtering Platform (WFP) which can configure network activity on your computer. The lightweight application is less than a megabyte, and it is compatible with Windows Vista and higher operating systems. You can download either the installer or portable version. For correct working, need administrator rights.
* [Catching phishing before they catch you](https://blog.0day.rocks/catching-phishing-using-certstream-97177f0d499a)
* [Certificate Transparency](https://www.certificate-transparency.org/)
* [What is Certificate Transparency?](https://www.certificate-transparency.org/what-is-ct)
* [Practical Approach to Detecting and Preventing Web Application Attacks over HTTP2](https://www.sans.org/reading-room/whitepapers/protocols/practical-approach-detecting-preventing-web-application-attacks-http-2-36877)
https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction
* [ketshash](https://github.com/cyberark/ketshash)
* A little tool for detecting suspicious privileged NTLM connections, in particular Pass-The-Hash attack, based on event viewer logs.
* [So you want to beat the Red Team - sCameron Moore - Bsides Philly 2016](https://www.youtube.com/watch?list=PLNhlcxQZJSm8IHSE1JzvAH2oUty_yXQHT&v=BYazrXR_DFI&index=10&app=desktop)
* [Grouper](https://github.com/l0ss/Grouper)
* A PowerShell script for helping to find vulnerable settings in AD Group Policy.
* [NorkNork - Tool for identifying Empire persistence payloads](https://github.com/n00py/NorkNork)
* [Removing Backdoors – Powershell Empire Edition - n00py](https://www.n00py.io/2017/01/removing-backdoors-powershell-empire-edition/)
* [Grouper](https://github.com/l0ss/Grouper)
* Grouper is a slightly wobbly PowerShell module designed for pentesters and redteamers (although probably also useful for sysadmins) which sifts through the (usually very noisy) XML output from the Get-GPOReport cmdlet (part of Microsoft's Group Policy module) and identifies all the settings defined in Group Policy Objects (GPOs) that might prove useful to someone trying to do something fun/evil.
* [Detecting and Preventing PowerShell Downgrade Attacks - leeholmes](http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/)
* [AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It - labofapenetrationtester](http://www.labofapenetrationtester.com/2016/09/amsi.html)
* [NtdsAudit](https://github.com/Dionach/NtdsAudit)
* NtdsAudit is an application to assist in auditing Active Directory databases. It provides some useful statistics relating to accounts and passwords. It can also be used to dump password hashes for later cracking.
* [CERT-NZ SSH Hardening](https://github.com/certnz/ssh_hardening)
* CERT NZ documentation for hardening SSH server and client configuration, and using hardware tokens to protect private keys
* [PhishingKitHunter](https://github.com/t4d/PhishingKitHunter)
* PhishingKitHunter (or PKHunter) is a tool made for identifying phishing kits URLs used in phishing campains targeting your customers and using some of your own website files (as CSS, JS, ...). This tool - write in Python 3 - is based on the analysis of referer's URL which GET particular files on the legitimate website (as some style content) or redirect user after the phishing session. Log files (should) contains the referer URL where the user come from and where the phishing kit is deployed. PhishingKitHunter parse your logs file to identify particular and non-legitimate referers trying to get legitimate pages based on regular expressions you put into PhishingKitHunter's config file.
* [Catching phishing before they catch you](https://blog.0day.rocks/catching-phishing-using-certstream-97177f0d499a)
* [Windows Event Forwarding Guidance](https://github.com/palantir/windows-event-forwarding)
* Over the past few years, Palantir has a maintained an internal Windows Event Forwarding (WEF) pipeline for generating and centrally collecting logs of forensic and security value from Microsoft Windows hosts. Once these events are collected and indexed, alerting and detection strategies (ADS) can be constructed not only on high-fidelity security events (e.g. log deletion), but also for deviations from normalcy, such as unusual service account access, access to sensitive filesystem or registry locations, or installation of malware persistence. The goal of this project is to provide the necessary building blocks for organizations to rapidly evaluate and deploy WEF to a production environment, and centralize public efforts to improve WEF subscriptions and encourage adoption. While WEF has become more popular in recent years, it is still dramatically underrepresented in the community, and it is our hope that this project may encourage others to adopt it for incident detection and response purposes. We acknowledge the efforts that Microsoft, IAD, and other contributors have made to this space and wish to thank them for providing many of the subscriptions, ideas, and techniques that will be covered in this post.
* [PoSH-R2](https://github.com/WiredPulse/PoSh-R2)
* PoSH-R2 is a set of Windows Management Instrumentation interface (WMI) scripts that investigators and forensic analysts can use to retrieve information from a compromised (or potentially compromised) Windows system. The scripts use WMI to pull this information from the operating system. Therefore, this script will need to be executed with a user that has the necessary privileges.
* [CIRClean](http://circl.lu/projects/CIRCLean/#technical-details)
* CIRCLean is an independent hardware solution to clean documents from untrusted (obtained) USB keys / USB sticks. The device automatically converts untrusted documents into a readable but disarmed format and stores these clean files on a trusted (user owned) USB key/stick.
* [Github](https://github.com/CIRCL/Circlean)
* [Capirca](https://github.com/google/capirca)
* Capirca is a tool designed to utilize common definitions of networks, services and high-level policy files to facilitate the development and manipulation of network access control lists (ACLs) for various platforms. It was developed by Google for internal use, and is now open source.
* [Block or unblock external content in Office documents - support.office](https://support.office.com/en-us/article/block-or-unblock-external-content-in-office-documents-10204ae0-0621-411f-b0d6-575b0847a795)
* [Enable Attack surface reduction - docs.ms](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction)
* Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
* [Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware](https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/?source=mmpc)
* [Automating security with PowerShell, Jaap Brasser (@Jaap_Brasser)](https://www.youtube.com/watch?v=WOC8vC2KoNs&index=12&list=PLwZycuzv10iLBFwRIWNAR-s4iuuUMRuEB)
* There is no doubt that security has been in the spotlight over the last few years, recent events have been responsible for the increased demand for better and more secure systems. Security was often treated as an afterthought or something that could be implemented ‘later’. In this session, we will go over some best practices, using existing tools and frameworks to help you set up a more secure environment and to get a grasp of what is happening in your environment. We will leverage your existing automation skills to secure and automate these workflows. Expect a session with a lot of demos and resources that can directly be implemented.
* [PhishingKitHunter](https://github.com/t4d/PhishingKitHunter)
* PhishingKitHunter (or PKHunter) is a tool made for identifying phishing kits URLs used in phishing campains targeting your customers and using some of your own website files (as CSS, JS, ...). This tool - write in Python 3 - is based on the analysis of referer's URL which GET particular files on the legitimate website (as some style content) or redirect user after the phishing session. Log files (should) contains the referer URL where the user come from and where the phishing kit is deployed. PhishingKitHunter parse your logs file to identify particular and non-legitimate referers trying to get legitimate pages based on regular expressions you put into PhishingKitHunter's config file.
* [PoSH-R2](https://github.com/WiredPulse/PoSh-R2)
* PoSH-R2 is a set of Windows Management Instrumentation interface (WMI) scripts that investigators and forensic analysts can use to retrieve information from a compromised (or potentially compromised) Windows system. The scripts use WMI to pull this information from the operating system. Therefore, this script will need to be executed with a user that has the necessary privileges.
* Add User Awareness Training
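Review bot: Capirca appears twice in this diff, here in the unsorted block and again under the `### Access Control` heading with the same description; make sure this copy is the one being removed, otherwise the file ends up with duplicate entries. The same goes for the `Block or unblock external content` and `Automating security with PowerShell` entries, which also show up later under the Office and PowerShell bullets. `* Add User Awareness Training` is a to-do note left as a list item in the body; either move it to the sort/add block or keep it out of the rendered list.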
@ -109,21 +76,43 @@ https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-expl
-----------------------
### <a name="acl"></a>Access Control
* [Capirca](https://github.com/google/capirca)
* Capirca is a tool designed to utilize common definitions of networks, services and high-level policy files to facilitate the development and manipulation of network access control lists (ACLs) for various platforms. It was developed by Google for internal use, and is now open source.
-----------------------
### <a name="s3"></a>Amazon S3
* [Amazon S3 Bucket Public Access Considerations](https://aws.amazon.com/articles/5050)
--------------------
### Anti-Redteam Tactics
* [So you want to beat the Red Team - sCameron Moore - Bsides Philly 2016](https://www.youtube.com/watch?list=PLNhlcxQZJSm8IHSE1JzvAH2oUty_yXQHT&v=BYazrXR_DFI&index=10&app=desktop)
* [NorkNork - Tool for identifying Empire persistence payloads](https://github.com/n00py/NorkNork)
* [Removing Backdoors – Powershell Empire Edition - n00py](https://www.n00py.io/2017/01/removing-backdoors-powershell-empire-edition/)
* [ketshash](https://github.com/cyberark/ketshash)
* A little tool for detecting suspicious privileged NTLM connections, in particular Pass-The-Hash attack, based on event viewer logs.
* [Sysinternals Sysmon suspicious activity guide - blogs.technet](https://blogs.technet.microsoft.com/motiba/2017/12/07/sysinternals-sysmon-suspicious-activity-guide/)
* [Using an Expanded Cyber Kill Chain Model to Increase Attack Resiliency - Sean Malone - BHUSA16](https://www.youtube.com/watch?v=1Dz12M7u-S8)
* We'll review what actions are taken in each phase, and what's necessary for the adversary to move from one phase to the next. We'll discuss multiple types of controls that you can implement today in your enterprise to frustrate the adversary's plan at each stage, to avoid needing to declare "game over" just because an adversary has gained access to the internal network. The primary limiting factor of the traditional Cyber Kill Chain is that it ends with Stage 7: Actions on Objectives, conveying that once the adversary reaches this stage and has access to a system on the internal network, the defending victim has already lost. In reality, there should be multiple layers of security zones on the internal network, to protect the most critical assets. The adversary often has to move through numerous additional phases in order to access and manipulate specific systems to achieve his objective. By increasing the time and effort required to move through these stages, we decrease the likelihood of the adversary causing material damage to the enterprise.
* [Slides](https://www.blackhat.com/docs/us-16/materials/us-16-Malone-Using-An-Expanded-Cyber-Kill-Chain-Model-To-Increase-Attack-Resiliency.pdf)
------------------
### <a name="whitelist"></a>Application Whitelisting
* [Guide to Application Whitelisting - NIST Special Publication 800 - 167](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-167.pdf)
---------------
### <a name="asa"></a>Attack Surface Analysis/Reduction
* **General**
* [Intrigue-core](https://github.com/intrigueio/intrigue-core)
* Intrigue-core is a framework for automated attack surface discovery.
------------------
### <a name="aapp"></a>(General)Auditing Account Passwords/Privileges
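Review bot: the new `### Anti-Redteam Tactics` heading is the only one in this region without an `<a name=...></a>` anchor (Access Control, Amazon S3, Application Whitelisting and Attack Surface Analysis all have one), so it cannot be linked from the table of contents; suggest `### <a name="antiredteam"></a>Anti-Redteam Tactics` or similar. There is also a stray `s` in the speaker name of the first entry (`sCameron Moore`).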
@ -156,6 +145,8 @@ https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-expl
* [ssh-audit](https://github.com/arthepsy/ssh-audit)
* SSH server auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)
* [Mozilla's OpenSSH Configuration guide](https://wiki.mozilla.org/Security/Guidelines/OpenSSH)
* [CERT-NZ SSH Hardening](https://github.com/certnz/ssh_hardening)
* CERT NZ documentation for hardening SSH server and client configuration, and using hardware tokens to protect private keys
* **Linux**
* [Linux workstation security checklist](https://github.com/lfit/itpol/blob/master/linux-workstation-security.md)
* **OS X**
@ -230,6 +221,10 @@ https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-expl
* [Decryptonite](https://github.com/DecryptoniteTeam/Decryptonite)
* Decryptonite is a tool that uses heuristics and behavioural analysis to monitor for and stop ransomware.
---------------------
### Web
* [Practical Approach to Detecting and Preventing Web Application Attacks over HTTP2](https://www.sans.org/reading-room/whitepapers/protocols/practical-approach-detecting-preventing-web-application-attacks-http-2-36877)
-----------------
### <a name="waf"></a>WAF
* **NAXSI**
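Review bot: same anchor issue as in the earlier hunk: `### Web` is added without an `<a name=...></a>` anchor, unlike the neighbouring `### <a name="waf"></a>WAF` heading. Suggest adding one so the section can be linked from the table of contents.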
@ -250,6 +245,7 @@ https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-expl
* [The Effectiveness of Tools in Detecting the 'Maleficent Seven' Privileges in the Windows Environment](https://www.sans.org/reading-room/whitepapers/sysadmin/effectiveness-tools-detecting-039-maleficent-seven-039-privileges-windows-environment-38220)
* [Windows DACL Enum Project](https://github.com/nccgroup/WindowsDACLEnumProject)
* A collection of tools to enumerate and analyse Windows DACLs
* [AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It - labofapenetrationtester](http://www.labofapenetrationtester.com/2016/09/amsi.html)
* **Account Credentials**
* **General**
* [Blocking Remote Use of Local Accounts](https://blogs.technet.microsoft.com/secguide/2014/09/02/blocking-remote-use-of-local-accounts/)
@ -271,6 +267,8 @@ https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-expl
* [Protect derived domain credentials with Windows Defender Credential Guard](https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard)
* [Using a hypervisor to secure your desktop – Credential Guard in Windows 10 - blogs.msdn](https://blogs.msdn.microsoft.com/virtual_pc_guy/2015/10/26/using-a-hypervisor-to-secure-your-desktop-credential-guard-in-windows-10/)
* [Credential Guard lab companion - blogs.technet](https://blogs.technet.microsoft.com/datacentersecurity/2017/05/15/credential-guard-lab-companion/)
* [DeviceGuardBypassMitigationRules](https://github.com/mattifestation/DeviceGuardBypassMitigationRules)
* A reference Device Guard code integrity policy consisting of FilePublisher deny rules for published Device Guard configuration bypasses.
* **Golden/Silver Tickets**
* [Defending against mimikatz](https://jimshaver.net/2016/02/14/defending-against-mimikatz/)
* [Kerberos Golden Ticket: Mitigating pass the ticket on Active Directory](http://cert.europa.eu/static/WhitePapers/CERT-EU-SWP_14_07_PassTheGolden_Ticket_v1_1.pdf)
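Review bot: the `DeviceGuardBypassMitigationRules` entry is inserted between the Credential Guard links and the `**Golden/Silver Tickets**` bullet, but its description is about a Device Guard code integrity policy, not credential protection. Consider giving it its own `**Device Guard**` bullet (or placing it with the other code integrity / whitelisting material) so the Credential Guard links stay grouped.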
@ -289,6 +287,11 @@ https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-expl
* **Active Directory**
* [What would a real hacker do to your Active Directory](https://www.youtube.com/watch?v=DH3v8bO-NCs)
* [Securing Microsoft Active Directory Federation Server (ADFS)](https://adsecurity.org/?p=3782)
* **Awareness**
* [NtdsAudit](https://github.com/Dionach/NtdsAudit)
* NtdsAudit is an application to assist in auditing Active Directory databases. It provides some useful statistics relating to accounts and passwords. It can also be used to dump password hashes for later cracking.
* [Grouper](https://github.com/l0ss/Grouper)
* Grouper is a slightly wobbly PowerShell module designed for pentesters and redteamers (although probably also useful for sysadmins) which sifts through the (usually very noisy) XML output from the Get-GPOReport cmdlet (part of Microsoft's Group Policy module) and identifies all the settings defined in Group Policy Objects (GPOs) that might prove useful to someone trying to do something fun/evil.
* **Building/Designing Infrastructure**
* [How to Build Super Secure Active Directory Infrastructure* - BlackHills](https://www.blackhillsinfosec.com/build-super-secure-active-directory-infrastructure/)
* [Active Directory Design Best Practices](https://krva.blogspot.com/2008/04/ad-design-best-practices.html)
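Review bot: `**Awareness**` is a vague label for these two entries: NtdsAudit and Grouper are described as AD database and GPO auditing tools (NtdsAudit's own description mentions dumping password hashes). Something like `**Auditing**` would match the `(General)Auditing Account Passwords/Privileges` section elsewhere in this file and make the defensive purpose clearer.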
@ -333,6 +336,9 @@ https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-expl
* **Event Log**
* General
* [Windows Event Logs Zero to Hero Nate Guagenti Adam Swan - Bloomcon2017](https://www.youtube.com/watch?v=H3t_kHQG1Js)
* **Event Forwarding**
* [Windows Event Forwarding Guidance](https://github.com/palantir/windows-event-forwarding)
* Over the past few years, Palantir has a maintained an internal Windows Event Forwarding (WEF) pipeline for generating and centrally collecting logs of forensic and security value from Microsoft Windows hosts. Once these events are collected and indexed, alerting and detection strategies (ADS) can be constructed not only on high-fidelity security events (e.g. log deletion), but also for deviations from normalcy, such as unusual service account access, access to sensitive filesystem or registry locations, or installation of malware persistence. The goal of this project is to provide the necessary building blocks for organizations to rapidly evaluate and deploy WEF to a production environment, and centralize public efforts to improve WEF subscriptions and encourage adoption. While WEF has become more popular in recent years, it is still dramatically underrepresented in the community, and it is our hope that this project may encourage others to adopt it for incident detection and response purposes. We acknowledge the efforts that Microsoft, IAD, and other contributors have made to this space and wish to thank them for providing many of the subscriptions, ideas, and techniques that will be covered in this post.
* **Guarded Fabric/Shielded VMs**
* [Guarded fabric and shielded VMs](https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node)
* [Shielded VMs – additional considerations when running a guarded fabric - blogs.technet](https://blogs.technet.microsoft.com/datacentersecurity/2017/04/21/shielded-vms-additional-considerations-when-running-a-guarded-fabric/)
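Review bot: the pasted Palantir WEF description has a grammar slip in its first sentence, `Palantir has a maintained an internal ... pipeline` (drop the extra `a`), and it ends with `will be covered in this post`, which refers to the original README rather than this list. Suggest trimming it to the first sentence or two.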
@ -389,12 +395,25 @@ https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-expl
* **Office Documents/Macros/DDE/Flavor-of-the-week**
* [Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields](https://technet.microsoft.com/library/security/4053440)
* [Disable DDEAUTO for Outlook, Word, OneNote, and Excel versions 2010, 2013, 2016](https://gist.github.com/wdormann/732bb88d9b5dd5a66c9f1e1498f31a1b)
* [Block or unblock external content in Office documents - support.office](https://support.office.com/en-us/article/block-or-unblock-external-content-in-office-documents-10204ae0-0621-411f-b0d6-575b0847a795)
* **Privileged Access Workstation**
* [How Microsoft IT used Windows 10 and Windows Server 2016 to implement privileged access workstations](https://myignite.microsoft.com/sessions/54896)
* As part of the security strategy to protect administrative privilege, Microsoft recommends using a dedicated machine, referred to as PAW (privileged access workstation), for administrative tasks; and using a separate device for the usual productivity tasks such as Outlook and Internet browsing. This can be costly for the company to acquire machines just for server administrative tasks, and inconvenient for the admins to carry multiple machines. In this session, we show you how MSIT uses shielded VMs on the new release of Windows client to implement a PAW.
* [Privileged Access Workstation(PAW) - blogs.technet](https://blogs.technet.microsoft.com/datacentersecurity/2017/10/13/privileged-access-workstationpaw/)
* [PAW host buildout - blogs.technet](https://blogs.technet.microsoft.com/datacentersecurity/2017/10/17/paw-host-buildout/)
* [How to deploy a VM template for PAW - blogs.technet](https://blogs.technet.microsoft.com/datacentersecurity/2017/11/01/how-to-create-a-vm-template-for-paw/)
* **PowerShell**
* [Automating security with PowerShell, Jaap Brasser (@Jaap_Brasser)](https://www.youtube.com/watch?v=WOC8vC2KoNs&index=12&list=PLwZycuzv10iLBFwRIWNAR-s4iuuUMRuEB)
* There is no doubt that security has been in the spotlight over the last few years, recent events have been responsible for the increased demand for better and more secure systems. Security was often treated as an afterthought or something that could be implemented ‘later’. In this session, we will go over some best practices, using existing tools and frameworks to help you set up a more secure environment and to get a grasp of what is happening in your environment. We will leverage your existing automation skills to secure and automate these workflows. Expect a session with a lot of demos and resources that can directly be implemented.
* [PowerShell ♥ the Blue Team](https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/)
* [Powershell Security at Enterprise Customers - blogs.msdn](https://blogs.msdn.microsoft.com/daviddasneves/2017/05/25/powershell-security-at-enterprise-customers/)
* [More Detecting Obfuscated PowerShell](http://www.leeholmes.com/blog/2016/10/22/more-detecting-obfuscated-powershell/)
* [Revoke-Obfuscation - tool](https://github.com/danielbohannon/Revoke-Obfuscation)
* PowerShell v3.0+ compatible PowerShell obfuscation detection framework.
* [Revoke Obfuscation PowerShell Obfuscation Detection And Evasion Using Science Lee Holmes Daniel - Derbycon7 - talk](https://www.youtube.com/watch?v=7XnkDsOZM3Y&index=16&list=PLNhlcxQZJSm-PKUZTYe1C94ymf0omysM3)
* [PSRecon](https://github.com/gfoss/PSRecon/)
* 🚀 PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.
* [Detecting and Preventing PowerShell Downgrade Attacks - leeholmes](http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/)
* **SMB**
* [SMB Security Best Practices - US CERT](https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices)
* [SMB Packet Signing](https://technet.microsoft.com/en-us/library/cc180803.aspx)
@ -426,18 +445,7 @@ https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-expl
* [WMIEvent](https://github.com/Invoke-IR/WMIEvent)
* A PowerShell module to abstract the complexities of Permanent WMI Event Subscriptions
-----------------
#### <a name="powershell"></a>PowerShell
* General
* [PowerShell ♥ the Blue Team](https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/)
* [Powershell Security at Enterprise Customers - blogs.msdn](https://blogs.msdn.microsoft.com/daviddasneves/2017/05/25/powershell-security-at-enterprise-customers/)
* [More Detecting Obfuscated PowerShell](http://www.leeholmes.com/blog/2016/10/22/more-detecting-obfuscated-powershell/)
* [Revoke-Obfuscation - tool](https://github.com/danielbohannon/Revoke-Obfuscation)
* PowerShell v3.0+ compatible PowerShell obfuscation detection framework.
* [Revoke Obfuscation PowerShell Obfuscation Detection And Evasion Using Science Lee Holmes Daniel - Derbycon7 - talk](https://www.youtube.com/watch?v=7XnkDsOZM3Y&index=16&list=PLNhlcxQZJSm-PKUZTYe1C94ymf0omysM3)
* [PSRecon](https://github.com/gfoss/PSRecon/)
* 🚀 PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.
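Review bot: deleting the `#### <a name="powershell"></a>PowerShell` heading removes the `powershell` anchor, so any table-of-contents link to `#powershell` in this file will now dangle. The entries themselves are preserved under the new `**PowerShell**` bullet in the earlier hunk, so either carry the anchor over to that bullet or update the TOC link.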


+ 11
- 5
Draft/Documentation & Reports -.md

@ -35,6 +35,8 @@ Other Materials:
* [Learn Technical Writing in Two Hours per Week - Norman Ramsey](http://www.cs.tufts.edu/~nr/pubs/learn-two.pdf)
* [Politics and the English Language - George Orwell](http://www.npr.org/blogs/ombudsman/Politics_and_the_English_Language-1.pdf)
* [Tips for Writing Better Infosec Job Descriptions](https://www.darkreading.com/cloud/tips-for-writing-better-infosec-job-descriptions/d/d-id/1330534?piddl_msgid=330184#msg_330184)
* **Language**
* [Bishop Fox Cybersecurity Style Guide](https://www.bishopfox.com/blog/2018/02/hello-world-introducing-the-bishop-fox-cybersecurity-style-guide/)
* **Tools**
* [Ronn](https://github.com/rtomayko/ronn)
* Ronn builds manuals. It converts simple, human readable textfiles to roff for terminal display, and also to HTML for the web. The source format includes all of Markdown but has a more rigid structure and syntax extensions for features commonly found in manpages (definition lists, link notation, etc.). The ronn-format(7) manual page defines the format in detail.
@ -70,12 +72,15 @@ Other Materials:
* [Mastering Markdown](https://guides.github.com/features/mastering-markdown/)
* [vim-wordy](https://github.com/reedes/vim-wordy/blob/master/README.markdown)
* wordy is not a grammar checker. Nor is it a guide to proper word usage. Rather, wordy is a lightweight tool to assist you in identifying those words and phrases known for their history of misuse, abuse, and overuse, at least according to usage experts.
* [tldr](https://github.com/tldr-pages/tldr)
* A collection of simplified and community-driven man pages.
-----
### <a name="collab">Penetration Testing / Collaboration Tools</a>
### <a name="collab">Penetration Testing Collaboration/Documenation Tools</a>
* [Kvasir](https://github.com/KvasirSecurity/Kvasir)
* Kvasir is a vulnerability / penetration testing data management system designed to help mitigate the issues found when performing team-based assessments. Kvasir does this by homogenizing data sources into a pre-defined structure. Currently the following sources are supported:
* Kvasir is a vulnerability / penetration testing data management system designed to help mitigate the issues found when performing team-based assessments. Kvasir does this by homogenizing data sources into a pre-defined structure.
* [Dradis](https://github.com/dradis/dradisframework#welcome-to-dradis)
* Dradis is an open source collaboration framework, tailored to InfoSec teams.
* It can integrate with a lot of existing tools you probably are using if you're reading this.
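Review bot: typo in the renamed heading: `Documenation` should be `Documentation` in `### <a name="collab">Penetration Testing Collaboration/Documenation Tools</a>`. Trimming the trailing `Currently the following sources are supported:` from the Kvasir description is the right call, since the list that sentence introduced is not present here.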
@ -85,9 +90,10 @@ Other Materials:
* Lair is a reactive attack collaboration framework and web application built with meteor.
* [CrScreenshotDxe](https://github.com/NikolajSchlej/CrScreenshotDxe)
* UEFI DXE driver to take screenshots from GOP-compatible graphic console
* [DART](https://github.com/lmco/dart/blob/master/README.md)
* DART is a test documentation tool created by the Lockheed Martin Red Team to document and report on penetration tests, especially in isolated network environments.
* [Serpico](https://github.com/SerpicoProject/Serpico)
* Serpico is a penetration testing report generation and collaboration tool. It was developed to cut down on the amount of time it takes to write a penetration testing report.
-----
### <a name="video">Video Recording/Recording</a>


+ 3
- 0
Draft/Embedded Device & Hardware Hacking -.md

@ -18,6 +18,9 @@ http://greatscottgadgets.com/infiltrate2013/
* Software Fault Isolation (SFI) is an effective approach to sandboxing binary code of questionable provenance, an interesting use case for native plugins in a Web browser. We present software fault isolation schemes for ARM and x86-64 that provide control-flow and memory integrity with average performance overhead of under 5% on ARM and 7% on x86-64. We believe these are the best known SFI implementations for these architectures, with significantly lower overhead than previous systems for similar architectures. Our experience suggests that these SFI implementations benefit from instruction-level parallelism, and have particularly small impact for work- loads that are data memory-bound, both properties that tend to reduce the impact of our SFI systems for future CPU implementations.
* [nexmon](https://github.com/seemoo-lab/nexmon)
* Nexmon is our C-based firmware patching framework for Broadcom/Cypress WiFi chips that enables you to write your own firmware patches, for example, to enable monitor mode with radiotap headers and frame injection.
* [dfu-programmer](https://github.com/dfu-programmer/dfu-programmer)
* dfu-programmer is an implementation of the Device Firmware Upgrade class USB driver that enables firmware upgrades for various USB enabled (with the correct bootloader) Atmel chips. This program was created because the Atmel "FLIP" program for flashing devices does not support flashing via USB on Linux, and because standard DFU loaders do not work for Atmel's chips.
* [Exploiting Qualcomm EDL Programmers (1): Gaining Access & PBL Internals](https://alephsecurity.com/2018/01/22/qualcomm-edl-1/)
#### end sort


+ 5
- 0
Draft/Exfiltration.md

@ -12,6 +12,9 @@
##### Sort
Sort tools into categories of type, i.e. physical network, wireless(types thereof) etc.
##### End Sort
@ -99,6 +102,8 @@
* Transfer files from Air gapped machines using QR codes
* [icmptunnel](https://github.com/DhavalKapil/icmptunnel)
* 'icmptunnel' works by encapsulating your IP traffic in ICMP echo packets and sending them to your own proxy server. The proxy server decapsulates the packet and forwards the IP traffic. The incoming IP packets which are destined for the client are again encapsulated in ICMP reply packets and sent back to the client. The IP traffic is sent in the 'data' field of ICMP packets. [RFC 792](http://www.ietf.org/rfc/rfc792.txt), which is IETF's rules governing ICMP packets, allows for an arbitrary data length for any type 0 (echo reply) or 8 (echo message) ICMP packets. So basically the client machine uses only the ICMP protocol to communicate with the proxy server. Applications running on the client machine are oblivious to this fact and work seamlessly.
* [org.quietmodem.Quiet](https://github.com/quiet/org.quietmodem.Quiet)
* org.quietmodem.Quiet allows you to pass data through the speakers on your Android device. This library can operate either as a raw frame layer or as a UDP/TCP stack.
* **Articles/Papers/Writeups**
* [Self-Exfiltration: The Dangers of Browser-Enforced Information Flow Control](http://ericchen.me/self_exfiltration.pdf)
* Abstract —Since the early days of Netscape, browser vendors and web security researchers have restricted out-going data based on its destination. The security argument accompanying these mechanisms is that they prevent sensitive user data from being sent to the attacker’s domain. However, in this paper, we show that regulating web information flow based on its destination server is an inherently flawed security practice. It is vulnerable to self-exfiltration attacks, where an adversary stashes stolen information in the database of a whitelisted site, then later independently connects to the whitelisted site to retrieve the information. We describe eight existing browser security mechanisms that are vulnerable to these “self-exfiltration” attacks. Furthermore, we discovered at least one exfiltration channel for each of the Alexa top 100 websites. None of the existing information flow control mechanisms we surveyed are sufficient to protect data from being leaked to the attacker. Our goal is to prevent browser vendors and researchers from falling into this trap by designing more systems that are vulnerable to self-exfiltration.


+ 35
- 37
Draft/Exploit Development.md

@ -78,7 +78,6 @@
* [Code Execution (CVE-2018-5189) Walkthrough On JUNGO Windriver 12.5.1](https://www.fidusinfosec.com/jungo-windriver-code-execution-cve-2018-5189)
* [Android Security Ecosystem Investments Pay Dividends for Pixel](https://android-developers.googleblog.com/2018/01/android-security-ecosystem-investments.html)
* [RAP: RIP ROP (GRSEC/PaX team)](https://pax.grsecurity.net/docs/PaXTeam-H2HC15-RAP-RIP-ROP.pdf)
* [Funky File Formats - Advanced Binary Exploitation](http://media.ccc.de/browse/congress/2014/31c3_-_5930_-_en_-_saal_6_-_201412291400_-_funky_file_formats_-_ange_albertini.html#video)
* [Machine Motivated Practical Page Table Shellcode & Finding Out What's Running on Your System - Slides](https://www.defcon.org/images/defcon-22/dc-22-presentations/Macaulay/DEFCON-22-Shane-Macaulay-Weird-Machine-Motivated-Practical-Page-Table-Shellcode-UPDATED.pdf)
* [Counterfeit Object-oriented Programming](http://syssec.rub.de/media/emma/veroeffentlichungen/2015/03/28/COOP-Oakland15.pdf)
@ -92,25 +91,10 @@
* This is a small suite of tools to test various properties of sandboxes on Windows. Many of the checking tools take a -p flag which is used to specify the PID of a sandboxed process. The tool will impersonate the token of that process and determine what access is allowed from that location. Also it's recommended to run these tools as an administrator or local system to ensure the system can be appropriately enumerated.
* [SCANSPLOIT](https://github.com/huntergregal/scansploit)
* Exploit using barcodes, QRcodes, earn13, datamatrix
* **ARM Exploitation**
* [A SysCall to ARMs - Brendan Watters - Brendan Watters -Derbycon 2013](https://www.irongeek.com/i.php?page=videos/derbycon3/3304-a-syscall-to-arms-brendan-watters)
* Description:ARM processors are growing more and more prevalent in the world; ARM itself claims that more than 20 billion chips have been shipped. Take a moment to appreciate that is about three chips for every man, woman, and child on earth. The three main topics I aim to cover are (1) how to perform a Linux system call on an ARM processor via assembly, ARM pipelining used in most modern ARM processors and how it came about, and (3) the really cool way ARM can avoid branching, even with conditional control flow. These will be explained in both code, English, and (hopefully successful) live demos using an ARM development board. The end result is to get the audience to understand how to create a simple socket program written in ARM assembly.
https://github.com/k0keoyo/Dark_Composition_case_study_Integer_Overflow
* [Automating VMware RPC Request Sniffing - Abdul-Aziz Hariri - ZDI](https://www.zerodayinitiative.com/blog/2018/1/19/automating-vmware-rpc-request-sniffing)
* In this blog, I will discuss how I was able to write a PyKD script to sniff RPC requests that helped me tremendously while writing VMware RPC exploits.
* [MorphAES](https://github.com/cryptolok/MorphAES)
* IDPS & SandBox & AntiVirus STEALTH KILLER. MorphAES is the world's first polymorphic shellcode engine, with metamorphic properties and capability to bypass sandboxes, which makes it undetectable for an IDPS, it's cross-platform as well and library-independent.
* [OWASP ZSC](https://github.com/viraintel/OWASP-ZSC)
* OWASP ZSC is open source software written in python which lets you generate customized shellcode and convert scripts to an obfuscated script. This software can be run on Windows/Linux/OSX with python.
* [Meltdown PoC for Reading Google Chrome Passwords](https://github.com/RealJTG/Meltdown)
* [kernelpop](https://github.com/spencerdodd/kernelpop)
* kernelpop is a framework for performing automated kernel vulnerability enumeration and exploitation on OSX and Linux
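Review bot: the bare line `https://github.com/k0keoyo/Dark_Composition_case_study_Integer_Overflow` sits in the middle of the list with no bullet or link text, and the same URL reappears as a bare line in the next hunk; render it once as `* [Dark_Composition_case_study_Integer_Overflow](https://github.com/k0keoyo/Dark_Composition_case_study_Integer_Overflow)` in the place it belongs. Minor: the ARM talk description still carries a `Description:` prefix with no space after it, and its topic list jumps from `(1)` to `(3)` with no `(2)`.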
@ -121,7 +105,7 @@ https://github.com/k0keoyo/Dark_Composition_case_study_Integer_Overflow
* A macOS kernel exploit based on an IOHIDFamily 0day.
* [Writeup](https://siguza.github.io/IOHIDeous/)
https://github.com/k0keoyo/Dark_Composition_case_study_Integer_Overflow
@ -145,8 +129,9 @@ https://github.com/k0keoyo/Dark_Composition_case_study_Integer_Overflow
* [Unusual Bugs(23C3)](https://www.youtube.com/watch?v=qj79Qdmw0Pk)
* In this presentation I'll present a series of unusual security bugs. Things that I've ran into at some point and went "There's gotta be some security consequence here". None of these are really a secret, and most of them are even documented somewhere. But apparently most people don't seem to know about them. What you'll see in this presentation is a list of bugs and then some explanation of how these could be exploited somehow. Some of the things I'll be talking about are (recursive) stack overflow, NULL pointer dereferences, regular expressions and more.
* [From MS08 067 To EternalBlue by Denis Isakov - BSides Manchester2017](https://www.youtube.com/watch?v=LZ_G6RdqrHA&index=13&list=PLcgqQkap1lNrOBNCXqpPqpPAqckxv0XhP)
* [RAP: RIP ROP (GRSEC/PaX team)](https://pax.grsecurity.net/docs/PaXTeam-H2HC15-RAP-RIP-ROP.pdf)
* **Tools**
* Testing Payloads
* **Testing Payloads**
* [pop-nedry](https://github.com/zznop/pop-nedry)
* Why pop calc, when you can pop Nedry!? This repository contains an x86-64 payload that recreates the Jurassic Park scene in which Dennis Nedry locks Ray Arnold out of his terminal.
* [Vivisect](https://github.com/vivisect/vivisect)
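Review bot: `RAP: RIP ROP (GRSEC/PaX team)` is added here after the `From MS08 067 To EternalBlue` entry, but the identical entry also appears near the top of the file (after the Android security ecosystem link in this file's first hunk); confirm the earlier copy is the one being removed so the link is not listed twice. Making `Testing Payloads` bold to match the other sub-bullets is fine.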
@ -443,35 +428,38 @@ Other:
* **General**
* **Reference/Resources**
* [Shellcodes database for study cases](http://shell-storm.org/shellcode/)
* **REPLs**
* [rappel](https://github.com/yrp604/rappel/)
* Rappel is a pretty janky assembly REPL. It works by creating a shell ELF, starting it under ptrace, then continiously rewriting/running the .text section, while showing the register states. It's maybe half done right now, and supports Linux x86, amd64, armv7 (no thumb), and armv8 at the moment.(As of Aug 2017)
* [WinREPL](https://github.com/zerosum0x0/WinREPL)
* x86 and x64 assembly "read-eval-print loop" shell for Windows
* **Tools**
* **General**
* [Sickle](https://github.com/wetw0rk/Sickle)
* Sickle is a shellcode development tool, created to speed up the various steps needed to create functioning shellcode.
* [meterssh](https://github.com/trustedsec/meterssh)
* MeterSSH is a way to take shellcode, inject it into memory then tunnel whatever port you want to over SSH to mask any type of communications as a normal SSH connection.
* [Shellcode_Tools](https://github.com/MarioVilas/shellcode_tools)
* Miscellaneous tools written in Python, mostly centered around shellcodes.
* bin2py: Embed binary files into Python source code.
* shellcode2exe: Convert shellcodes into executable files for multiple platforms.
* [ShellSploit Framework](https://github.com/b3mb4m/shellsploit-framework)
* [shellnoob](https://github.com/reyammer/shellnoob)
* A shellcode writing toolkit
* [rex](https://github.com/shellphish/rex)
* Shellphish's automated exploitation engine, originally created for the Cyber Grand Challenge.
* [Patcherex](https://github.com/shellphish/patcherex)
* Shellphish's automated patching engine, originally created for the Cyber Grand Challenge.
* [sRDI](https://github.com/monoxgas/sRDI)
* Shellcode implementation of Reflective DLL Injection. Convert DLLs to position independent shellcode
* [ShellcodeStdio](https://github.com/jackullrich/ShellcodeStdio)
* An extensible framework for easily writing debuggable, compiler optimized, position independent, x86 shellcode for windows platforms.
* [OWASP ZSC](https://github.com/viraintel/OWASP-ZSC)
* OWASP ZSC is open source software written in python which lets you generate customized shellcode and convert scripts to an obfuscated script. This software can be run on Windows/Linux/OSX with python.
* **Encoders**
* **Obfuscators**
* [UniByAv](https://github.com/Mr-Un1k0d3r/UniByAv)
* UniByAv is a simple obfuscator that take raw shellcode and generate executable that are Anti-Virus friendly. The obfuscation routine is purely writtend in assembly to remain pretty short and efficient. In a nutshell the application generate a 32 bits xor key and brute force the key at run time then perform the decryption of the actually shellcode.
* [Shellcode_Tools](https://github.com/MarioVilas/shellcode_tools)
* Miscellaneous tools written in Python, mostly centered around shellcodes.
* bin2py: Embed binary files into Python source code.
* shellcode2exe: Convert shellcodes into executable files for multiple platforms.
* [ShellSploit Framework](https://github.com/b3mb4m/shellsploit-framework)
* [shellnoob](https://github.com/reyammer/shellnoob)
* A shellcode writing toolkit
* [rex](https://github.com/shellphish/rex)
* Shellphish's automated exploitation engine, originally created for the Cyber Grand Challenge.
* [Patcherex](https://github.com/shellphish/patcherex)
* Shellphish's automated patching engine, originally created for the Cyber Grand Challenge.
* [rappel](https://github.com/yrp604/rappel/)
* Rappel is a pretty janky assembly REPL. It works by creating a shell ELF, starting it under ptrace, then continiously rewriting/running the .text section, while showing the register states. It's maybe half done right now, and supports Linux x86, amd64, armv7 (no thumb), and armv8 at the moment.(As of Aug 2017)
* [sRDI](https://github.com/monoxgas/sRDI)
* Shellcode implementation of Reflective DLL Injection. Convert DLLs to position independent shellcode
* [ShellcodeStdio](https://github.com/jackullrich/ShellcodeStdio)
* An extensible framework for easily writing debuggable, compiler optimized, position independent, x86 shellcode for windows platforms.
* [WinREPL](https://github.com/zerosum0x0/WinREPL)
* x86 and x64 assembly "read-eval-print loop" shell for Windows
* **Miscellaneous**
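Review bot: the new `* **Encoders**` subheading is added with nothing under it while `* **Obfuscators**` gets UniByAv; either move an encoder entry in or drop the empty heading so it doesn't render as a dangling bold line. The second copies of rappel, WinREPL, Shellcode_Tools, ShellSploit, shellnoob, rex, Patcherex, sRDI and ShellcodeStdio (the flat run starting at the second `* [Shellcode_Tools](https://github.com/MarioVilas/shellcode_tools)`) read as the old positions being removed, but this view shows both; confirm only the categorised copies under **REPLs** and **Tools** survive in the file. While these lines are being touched, the upstream README typos carried into the rappel ("continiously") and UniByAv ("writtend", "the actually shellcode") descriptions are worth fixing rather than quoting verbatim.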
@ -551,6 +539,16 @@ Other:
--------------------
### Exploit Development
* **<a name="armspecific">ARM Specific Exploit Development</a>**
* **101**
* **Articles/Blogposts/Writeups**
* **Educational/Informative**
* [A SysCall to ARMs - Brendan Watters - Brendan Watters -Derbycon 2013](https://www.irongeek.com/i.php?page=videos/derbycon3/3304-a-syscall-to-arms-brendan-watters)
* Description:ARM processors are growing more and more prevalent in the world; ARM itself claims that more than 20 billion chips have been shipped. Take a moment to appreciate that is about three chips for every man, woman, and child on earth. The three main topics I aim to cover are (1) how to perform a Linux system call on an ARM processor via assembly, ARM pipelining used in most modern ARM processors and how it came about, and (3) the really cool way ARM can avoid branching, even with conditional control flow. These will be explained in both code, English, and (hopefully successful) live demos using an ARM development board. The end result is to get the audience to understand how to create a simple socket program written in ARM assembly.
* **Papers**
* **Tools**
* **Miscellaneous**
* **<a name="linuxspec">Linux Specific Exploit Development</a>**
* **101**
* **Articles/Blogposts/Writeups**
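Review bot: the speaker's name is doubled in the new link text, `A SysCall to ARMs - Brendan Watters - Brendan Watters -Derbycon 2013`, and the copied abstract numbers its topics "(1)" and "(3)" with no "(2)" before the ARM pipelining item; suggest `A SysCall to ARMs - Brendan Watters - Derbycon 2013` and either restoring the "(2)" or dropping the numbering. `Description:ARM` also needs a space after the colon to match the other entries in the file.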


+ 295 - 288 Draft/Forensics Incident Response.md

@ -2,33 +2,39 @@
## Table of Contents
* General
* Tools
* [Presentations/Talks](#talks)
* [Anti-Forensics](#anti)
* [Mobile Device Forensics](#mobile)
* [Android](#android)
* [iOS](#ios)
* [Blackberry](#bb)
[PDF Forensics](#pdf)
[Photo Forensics](#photo)
[Tools](#tools)
[OS Forensics](#os)
* [Linux Forensics](#linux)
* [OS X Forensics](#osx)
* [Windows Forensics](#windows)
* WIP
#### Sort
* Sort sections alphabetically
* Update ToC
https://forensiccontrol.com/resources/free-software/
* [usbkill](https://github.com/hephaest0s/usbkill)
* usbkill » is an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer.
#### End Sort
* [Forensic Imager Tools: You don't have the Evidence - Shmoocon 2014](https://www.youtube.com/watch?v=zYYCv21I-1I)*
* [Attrition Forensics](http://2014.video.sector.ca/video/110334184)
* [Happy DPAPI!](http://blog.digital-forensics.it/2015/01/happy-dpapi.html)
Ghiro
* [ENISA CERT Exercises and Training](http://www.enisa.europa.eu/activities/cert/support/exercise)
* ENISA CERT Exercises and training material was introduced in 2008, in 2012 and 2013 it was complemented with new exercise scenarios containing essential material for success in the CERT community and in the field of information security. In this page you will find the ENISA CERT Exercise material, containing Handbook for teachers, Toolset for students and Virtual Image to support hands on training sessions.
* [Rapier](https://code.google.com/p/rapier/)
* RAPIER is a security tool built to facilitate first response procedures for incident handling. It is designed to acquire commonly requested information and samples during an information security event, incident, or investigation. RAPIER automates the entire process of data collection and delivers the results directly to the hands of a skilled security analyst
* [triage-ir](https://code.google.com/p/triage-ir/)
* Triage: Incident Response automatically collect information from a system that needs basic triage functions performed upon it. The script allows for easy modification for customization to your needs, in an easy to comprehend and implement language. This tool uses a lot others to get its information. Eventually I hope to eliminate the need for them, but use them as verification. This tool requires you to download the Sysinternals Suite if you want full functionality to it.
* [Fully Integrated Defense Operation (FIDO)](https://github.com/Netflix/Fido)
* FIDO is an orchestration layer used to automate the incident response process by evaluating, assessing and responding to malware. FIDO’s primary purpose is to handle the heavy manual effort needed to evaluate threats coming from today's security stack and the large number of alerts generated by them. As an orchestration platform FIDO can make using your existing security tools more efficient and accurate by heavily reducing the manual effort needed to detect, notify and respond to attacks against a network.
* [MIG: Mozilla InvestiGator](https://http://mig.mozilla.org/)
* Mozilla's real-time digital forensics and investigation platform.
* [Invoke-IR](http://www.invoke-ir.com/)
* [Practical Comprehensive Bounds on Surreptitious Communication Over DNS](http://www.icir.org/vern/papers/covert-dns-usec13.pdf)
* Better security -> Mean time to detect/Mean time to respond
#### End Sort
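Review bot: `[MIG: Mozilla InvestiGator](https://http://mig.mozilla.org/)` has a doubled scheme and will not resolve as written; it should be `https://mig.mozilla.org/`. In the table of contents the four entries from `[PDF Forensics](#pdf)` through `[OS Forensics](#os)` lack the leading `* ` the surrounding entries use, so they will not render as list items, and the Shmoocon entry ends with a stray `*` after its closing parenthesis. The sort block also contains a bare `Ghiro` line with no link or description, a bare `https://forensiccontrol.com/resources/free-software/` with no bullet, and two `#### End Sort` markers, with the Shmoocon, Attrition and DPAPI entries sitting between them; make sure only one marker remains and those entries end up inside the block or in a proper section.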
@ -38,120 +44,143 @@ https://forensiccontrol.com/resources/free-software/
--------------
#### Sniper Forensics
http://windowsir.blogspot.com/2013/11/sniper-forensics-memory-analysis-and.html
* [Malware Management Framework - Sniper Forensics Toolkit](http://sniperforensicstoolkit.squarespace.com/malwaremanagementframework/)
* [The Malware Management Framework](https://malwarearchaeology.squarespace.com/mmf/)
* The Malware Reporting Standard](https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/55220280e4b0170ec8b526b6/1428292224531/Malware+Reporting+Standard+vApril+2015.pdf)
* [BSidesLV Presentation](https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/552200afe4b0e4ad5008b943/1428291802554/Malware+Mgmt+Framework+v2.0.pdf)
* [Sniper Forensics](https://digital-forensics.sans.org/summit-archives/2010/2-newell-spiderlabs-sniper-forensics.pdf)
* Pg10 and onward
* [Link](https://sniperforensicstoolkit.squarespace.com/storage/logging/Windows%20Logging%20Cheat%20Sheet%20v1.1.pdf)
### <a name="ir"></a>Incident Response
* **101**
* [Introduction to DFIR](https://sroberts.github.io/2016/01/11/introduction-to-dfir-the-beginning/)
* [Computer Security Incident Handling Guide - NIST](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf)
* **Articles/Papers/Talks/Writeups**
* [No Easy Breach: Challenges and Lessons Learned from an Epic Investigation](https://archive.org/details/No_Easy_Breach#)
* [An Incident Handling Process for Small and Medium Businesses - SANS 2007](https://www.sans.org/reading-room/whitepapers/incident/incident-handling-process-small-medium-businesses-1791)
* [Handler Diaries - Another Hunting Post(DFIR)](http://blog.handlerdiaries.com/?p=775)
* Good post on not only knowing the layout, but knowing expected behaviours.
* [Triaging Malware Incidents](http://journeyintoir.blogspot.com/2013/09/triaging-malware-incidents.html)
* Good writeup/blogpost from Journey into Incidence Response
* [Commercial Spyware - Detecting the Undetectable](https://www.blackhat.com/docs/us-15/materials/us-15-Dalman-Commercial-Spyware-Detecting-The-Undetectable-wp.pdf)
* [Fraud detection and forensics on telco networks - Hack.lu 2016](https://www.youtube.com/watch?v=09EAWT_F1ZA&app=desktop)
* [Investigating PowerShell Attacks - Ryan Kazanciyan and Matt Hastings - DEFCON22](https://www.youtube.com/watch?v=qF06PFcezLs)
* This presentation will focus on common attack patterns performed through PowerShell - such as lateral movement, remote command execution, reconnaissance, file transfer, etc. - and the sources of evidence they leave behind. We'll demonstrate how to collect and interpret these forensic artifacts, both on individual hosts and at scale across the enterprise. Throughout the presentation, we'll include examples from real-world incidents and recommendations on how to limit exposure to these attacks.
* **Windows**
* [Know your Windows Processes or Die Trying](https://sysforensics.org/2014/01/know-your-windows-processes.html)
* Excellent quick reference on Windows proccesses with a focus on Win7. Good resource.
* [License to Kill: Malware Hunting with the Sysinternals Tools](http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/ATC-B308)
* [Windows Program Automatic Startup Locations](http://www.bleepingcomputer.com/tutorials/windows-program-automatic-startup-locations/)
* [Collection of Windows Autostart locations](http://gladiator-antivirus.com/forum/index.php?showtopic=24610)
* [Spotting the Adversary with Windows Event Log Monitoring - NSA](http://cryptome.org/2014/01/nsa-windows-event.pdf)
* NSA 70-page writeup on windows event log monitoring
* [Ways to Identify Malware on a System Ryan Irving](http://www.irongeek.com/i.php?page=videos/bsidestampa2015/201-ways-to-identify-malware-on-a-system-ryan-irving)
* **General**
* [IRM (Incident Response Methodologies)](https://github.com/certsocietegenerale/IRM)
* CERT Societe Generale provides easy to use operational incident best practices. These cheat sheets are dedicated to incident handling and cover multiple fields in which a CERT team can be involved. One IRM exists for each security incident we're used to dealing with.
* **Tools**
* [binwally](https://github.com/bmaia/binwally)
* Binary and Directory tree comparison tool using the Fuzzy Hashing concept (ssdeep)
* [IRMA - Incident Response & Malware Analysis](http://irma.quarkslab.com/index.html)
* IRMA intends to be an open-source platform designed to help identifying and analyzing malicious files. However, today's defense is not only about learning about a file, but it is also getting a fine overview of the incident you dealt with: where / when a malicious file has been seen, who submitted a hash, where a hash has been noticed, which anti-virus detects it, ... An important value with IRMA comes from you keep control over where goes / who gets your data. Once you install IRMA on your network, your data stays on your network. Each submitted files is analyzed in various ways. For now, we focus our efforts on multiple anti-virus engines, but we are working on other "probes" (feel free to submit your own).
* **Miscellaneous**
* [Human Hunting](http://www.irongeek.com/i.php?page=videos/bsidessf2015/108-human-hunting-sean-gillespie)
* Much of what appears to be happening in information security seems to be focused on replacing humans with magic boxes and automation rather than providing tools to augment human capabilities. However, when we look at good physical security we see technology is being used to augment human capabilities rather than simply replace them. The adversary is human so we are ultimately looking for human directed behaviors. If analysts don't know how to go looking for evil without automated detection tools then they are not going to be able to effectively evaluate if the detection tools are working properly or if the deployment was properly engineered. An over reliance on automated detection also puts organizations in a position of paying protection money if they want to remain secure. We should be spending more resources on honing analyst hunting skills to find human adversaries rather than purchasing more automated defenses for human adversaries to bypass.
-----------
### <a name="general"></a>General
* Better security -> Mean time to detect/Mean time to respond
* [IRM (Incident Response Methodologies)](https://github.com/certsocietegenerale/IRM)
* CERT Societe Generale provides easy to use operational incident best practices. These cheat sheets are dedicated to incident handling and cover multiple fields in which a CERT team can be involved. One IRM exists for each security incident we're used to dealing with.
* [Introduction to DFIR](https://sroberts.github.io/2016/01/11/introduction-to-dfir-the-beginning/)
* [File Signature Table](http://www.garykessler.net/library/file_sigs.html)
* This table of file signatures (aka "magic numbers") is a continuing work-in-progress. I have found little information on this in a single place, with the exception of the table in Forensic Computing: A Practitioner's Guide by T. Sammes & B. Jenkinson (Springer, 2000); that was my inspiration to start this list in 2002. See also Wikipedia's List of file signatures. Comments, additions, and queries can be sent to Gary Kessler at gck@garykessler.net.
* [IRMA - Incident Response & Malware Analysis](http://irma.quarkslab.com/index.html)
* IRMA intends to be an open-source platform designed to help identifying and analyzing malicious files. However, today's defense is not only about learning about a file, but it is also getting a fine overview of the incident you dealt with: where / when a malicious file has been seen, who submitted a hash, where a hash has been noticed, which anti-virus detects it, ... An important value with IRMA comes from you keep control over where goes / who gets your data. Once you install IRMA on your network, your data stays on your network. Each submitted files is analyzed in various ways. For now, we focus our efforts on multiple anti-virus engines, but we are working on other "probes" (feel free to submit your own).
* [No Easy Breach: Challenges and Lessons Learned from an Epic Investigation](https://archive.org/details/No_Easy_Breach#)
* [Forensics on Amazon’s EC2](https://sysforensics.org/2014/10/forensics-in-the-amazon-cloud-ec2.html)
* [Attrition Forensics](http://2014.video.sector.ca/video/110334184)
* [Less is More, Exploring Code/Process-less Techniques and Other Weird Machine Methods to Hide Code (and How to Detect Them)](https://cansecwest.com/slides/2014/less%20is%20more3.pptx)
--------------
### <a name="writeups"></a>Writeups
* [Handler Diaries - Another Hunting Post(DFIR)](http://blog.handlerdiaries.com/?p=775)
* Good post on not only knowing the layout, but knowing expected behaviours.
* [Automating DFIR - How to series on programming libtsk with python Part 3](http://www.hecfblog.com/2015/02/automating-dfir-how-to-series-on_21.html)
* [Happy DPAPI!](http://blog.digital-forensics.it/2015/01/happy-dpapi.html)
### <a name="anti">Anti-Forensics</a>
* **101**
* **Articles/Talks/Writeups**
* [Destroying Evidence Before Its Evidence](https://www.youtube.com/watch?v=lqBVAcxpwio&spfreload=1)
* [And That's How I Lost My Other Eye...Explorations in Data Destruction](https://www.youtube.com/watch?v=-bpX8YvNg6Y)
* [An Anti-Forensics Primer - Jason Andress](http://www.irongeek.com/i.php?page=videos/derbycon3/s216-an-anti-forensics-primer-jason-andress)
* This talk will cover the basics of anti-forensics, the tools and techniques that can be used to make life harder for computer forensic examiners. We will cover some of the basic methods that are used (disk wiping, time stomping, encryption, etc…) and talk about which of these methods might actually work and which are easily surmounted with common forensic tools.
* [Forensics Impossible: Self-Destructing Thumb Drives - Brandon Wilson](https://www.youtube.com/watch?v=NRMqwc5YEu4)
* [Anti-Forensics and Anti-Anti-Forensics Attacks - Michael Perkins](https://www.youtube.com/watch?v=J4x8Hz6_hq0)
* Everyone's heard the claim: Security through obscurity is no security at all. Challenging this claim is the entire field of steganography itself - the art of hiding things in plain sight. Most people know you can hide a text file inside a photograph, or embed a photograph inside an MP3. But how does this work under the hood? What's new in the stego field? This talk will explore how various techniques employed by older steganographic tools work and will discuss a new technique developed by the speaker which embodies both data hiding and data enciphering properties by encoding data inside NTFS volumes. A new tool will be released during this talk that will allow attendees to both encode and decode data with this new scheme.
* Slides: [Slides(link)](http://www.slideshare.net/the_netlocksmith/defcon-20-antiforensics-and-antiantiforensics)
* [Beyond The CPU:Defeating Hardware Based RAM Acquisition](https://www.blackhat.com/presentations/bh-dc-07/Rutkowska/Presentation/bh-dc-07-Rutkowska-up.pdf)
* [Hardware Backdooring is Practical** -Jonathan Brossard](https://www.youtube.com/watch?v=umBruM-wFUw)
* [Hiding the breadcrumbs: Forensics and anti-forensics on SAP systems - Juan Perez-Etchegoyen](http://www.irongeek.com/i.php?page=videos/derbycon4/t508-hiding-the-breadcrumbs-forensics-and-anti-forensics-on-sap-systems-juan-perez-etchegoyen)
* The largest organizations in the world rely on SAP platforms to run their critical processes and keep their business crown jewels: financial information, customer data, intellectual property, credit cards, human resources salaries, sensitive materials, suppliers and more. Everything is there and attackers know it. For several years at Onapsis we have been researching on how cyber-criminals might be able to break into ERP systems in order to help organizations better protect themselves. This has enabled us to gain a unique expertise on which are the most critical attack vectors and what kind of traces they leave (and don’t) over the victim’s SAP platforms. SAP systems need to be ready for Forensic Analysis, so the big question is: Are your systems prepared to retain the attackers breadcrumbs in the event of an attack? Join us and learn how to do a forensic analysis of an SAP system, looking for traces of a security breach We will also show novel techniques being used by attackers to avoid being detected during post attack forensic investigations. Vulnerabilities related to anti-forensic techniques will be presented together with their mitigation. **NEW** New attacks never presented before will be shown. JAVA, ABAP and BO systems will be covered.
* [Anti-Forensics for the Louise - Derbycon - int0x80 (of Dual Core)](https://www.youtube.com/watch?v=-HK1JHR7LIM )
* **General**
* **Papers**
* [Secure Deletion of Data from Magnetic and Solid-State Memory](http://static.usenix.org/publications/library/proceedings/sec96/full_papers/gutmann
* [Hiding Data in Hard-Drive's Service Areas](http://recover.co.il/SA-cover/SA-cover.pdf)
* In this paper we will demonstrate how spinning hard-drives’ serv ice areas 1 can be used to hide data from the operating-system (or any software using the standard OS’s API or the standard ATA commands to access the hard- drive)
* **Tools**
* [usbkill](https://github.com/stemid/usbkill)
* A tool that shuts down your computer if USB devices change, for example if you unplug or plug-in a device.
* [CleanAfterMe](https://www.nirsoft.net/utils/clean_after_me.html )
* CleanAfterMe allows you to easily clean files and Registry entries that are automatically created by the Windows operating system during your regular computer work. With CleanAfterMe, you can clean the cookies/history/cache/passwords of Internet Explorer, the 'Recent' folder, the Registry entries that record the last opened files, the temporary folder of Windows, the event logs, the Recycle Bin, and more.
* **Miscellaneous**
-----------
#### Hacking Exposed - Automating DFIR Series
* [Automating DFIR - How to series on programming libtsk with python Part 1 - ](http://hackingexposedcomputerforensicsblog.blogspot.com/2015/02/automating-dfir-how-to-series-on.html)
* [Automating DFIR - How to series on programming libtsk with python Part 2](http://hackingexposedcomputerforensicsblog.blogspot.com/2015/02/automating-dfir-how-to-series-on_19.html)
[Automating DFIR - How to series on programming libtsk with python Part 3](http://
* [THE CIDER PRESS:EXTRACTING FORENSIC ARTIFACTS FROM APPLE CONTINUITY](https://www.sans.org/summit-archives/file/summit-archive-1498146226.pdf)
### <a name="tools"></a>Tools
* [MIG: Mozilla InvestiGator](https://http://mig.mozilla.org/)
* Mozilla's real-time digital forensics and investigation platform.
* [SSDeep](http://ssdeep.sourceforge.net/)
* ssdeep is a program for computing context triggered piecewise hashes (CTPH). Also called fuzzy hashes, CTPH can match inputs that have homologies. Such inputs have sequences of identical bytes in the same order, although bytes in between these sequences may be different in both content and length.
* [binwally](https://github.com/bmaia/binwally)
* Binary and Directory tree comparison tool using the Fuzzy Hashing concept (ssdeep)
* [PDF Tools - Didier Stevens](http://blog.didierstevens.com/programs/pdf-tools/)
* [Xmount](https://www.pinguin.lu/xmount)
* What is xmount? xmount allows you to convert on-the-fly between multiple input and output harddisk image types. xmount creates a virtual file system using FUSE (Filesystem in Userspace) that contains a virtual representation of the input image. The virtual representation can be in raw DD, DMG, VHD, VirtualBox's virtual disk file format or in VmWare's VMDK file format. Input images can be raw DD, EWF (Expert Witness Compression Format) or AFF (Advanced Forensic Format) files. In addition, xmount also supports virtual write access to the output files that is redirected to a cache file. This makes it possible to boot acquired harddisk images using QEMU, KVM, VirtualBox, VmWare or alike.
* [Extensible Metadata Platform](https://en.wikipedia.org/wiki/Extensible_Metadata_Platform)
* The Extensible Metadata Platform (XMP) is an ISO standard, originally created by Adobe Systems Inc., for the creation, processing and interchange of standardized and custom metadata for digital documents and data sets.
* [PEview](http://wjradburn.com/software/)
* PEview provides a quick and easy way to view the structure and content of 32-bit Portable Executable (PE) and Component Object File Format (COFF) files. This PE/COFF file viewer displays header, section, directory, import table, export table, and resource information within EXE, DLL, OBJ, LIB, DBG, and other file types.
* [firepwd.py](https://github.com/lclevy/firepwd)
* firepwd.py, an open source tool to decrypt Mozilla protected passwords
* [osxcollector](https://github.com/Yelp/osxcollector)
* OSXCollector is a forensic evidence collection & analysis toolkit for OSX.
* [Jeffrey's Image Metadata Viewer](http://exif.regex.info/exif.cgi)
* **Android**
* [wechat-dump](https://github.com/ppwwyyxx/wechat-dump)
* Dump wechat messages from android. Right now it can dump messages in text-only mode, or generate a single-file html containing voice messages, images, emoji, etc.
--------------
### <a name="firmware"></a>Firmware
* [Firmware Forensics: Diffs, Timelines, ELFs and Backdoors](http://w00tsec.blogspot.com/2015/02/firmware-forensics-diffs-timelines-elfs.html)
--------------
### <a name="bitlocker"></a>Bitlocker
* [NVbit : Accessing Bitlocker volumes from linux](http://www.nvlabs.in/index.php?/archives/1-NVbit-Accessing-Bitlocker-volumes-from-linux.html)
----------------
### General Forensics(Systems Agnostic - as much as one can be)
* **101**
* **Articles/Papers/Talks/Writeups**
* [Chromebook Forensics](http://www.dataforensics.org/google-chromebook-forensics/)
* [Forensics on Amazon’s EC2](https://sysforensics.org/2014/10/forensics-in-the-amazon-cloud-ec2.html)
* [Less is More, Exploring Code/Process-less Techniques and Other Weird Machine Methods to Hide Code (and How to Detect Them)](https://cansecwest.com/slides/2014/less%20is%20more3.pptx)
* **General**
* [File Signature Table](http://www.garykessler.net/library/file_sigs.html)
* This table of file signatures (aka "magic numbers") is a continuing work-in-progress. I have found little information on this in a single place, with the exception of the table in Forensic Computing: A Practitioner's Guide by T. Sammes & B. Jenkinson (Springer, 2000); that was my inspiration to start this list in 2002.
* **Tools**
* [binwally](https://github.com/bmaia/binwally)
* Binary and Directory tree comparison tool using the Fuzzy Hashing concept (ssdeep)
* [SSDeep](http://ssdeep.sourceforge.net/)
* ssdeep is a program for computing context triggered piecewise hashes (CTPH). Also called fuzzy hashes, CTPH can match inputs that have homologies. Such inputs have sequences of identical bytes in the same order, although bytes in between these sequences may be different in both content and length.
* [Xmount](https://www.pinguin.lu/xmount)
* What is xmount? xmount allows you to convert on-the-fly between multiple input and output harddisk image types. xmount creates a virtual file system using FUSE (Filesystem in Userspace) that contains a virtual representation of the input image. The virtual representation can be in raw DD, DMG, VHD, VirtualBox's virtual disk file format or in VmWare's VMDK file format. Input images can be raw DD, EWF (Expert Witness Compression Format) or AFF (Advanced Forensic Format) files. In addition, xmount also supports virtual write access to the output files that is redirected to a cache file. This makes it possible to boot acquired harddisk images using QEMU, KVM, VirtualBox, VmWare or alike.
* [PEview](http://wjradburn.com/software/)
* PEview provides a quick and easy way to view the structure and content of 32-bit Portable Executable (PE) and Component Object File Format (COFF) files. This PE/COFF file viewer displays header, section, directory, import table, export table, and resource information within EXE, DLL, OBJ, LIB, DBG, and other file types.
* **Training**
* [Automating DFIR - How to series on programming libtsk with python Part 1 - ](http://hackingexposedcomputerforensicsblog.blogspot.com/2015/02/automating-dfir-how-to-series-on.html)
* [Automating DFIR - How to series on programming libtsk with python Part 2](http://hackingexposedcomputerforensicsblog.blogspot.com/2015/02/automating-dfir-how-to-series-on_19.html)
* [Automating DFIR - How to series on programming libtsk with python Part 3](http://www.hecfblog.com/2015/02/automating-dfir-how-to-series-on_21.html)
* **Miscellaneous**
* [The Sleuth Kit](https://github.com/sleuthkit/sleuthkit)
* The Sleuth Kit is an open source forensic toolkit for analyzing Microsoft and UNIX file systems and disks. The Sleuth Kit enables investigators to identify and recover evidence from images acquired during incident response or from live systems. The Sleuth Kit is open source, which allows investigators to verify the actions of the tool or customize it to specific needs. The Sleuth Kit uses code from the file system analysis tools of The Coroner's Toolkit (TCT) by Wietse Venema and Dan Farmer. The TCT code was modified for platform independence. In addition, support was added for the NTFS (see docs/ntfs.README) and FAT (see docs/fat.README) file systems. Previously, The Sleuth Kit was called The @stake Sleuth Kit (TASK). The Sleuth Kit is now independent of any commercial or academic organizations.
--------------
### <a name="ir"></a>IR
* [Rapier](https://code.google.com/p/rapier/)
* RAPIER is a security tool built to facilitate first response procedures for incident handling. It is designed to acquire commonly requested information and samples during an information security event, incident, or investigation. RAPIER automates the entire process of data collection and delivers the results directly to the hands of a skilled security analyst
* [triage-ir](https://code.google.com/p/triage-ir/)
* Triage: Incident Response automatically collect information from a system that needs basic triage functions performed upon it. The script allows for easy modification for customization to your needs, in an easy to comprehend and implement language. This tool uses a lot others to get its information. Eventually I hope to eliminate the need for them, but use them as verification. This tool requires you to download the Sysinternals Suite if you want full functionality to it.
* [Fully Integrated Defense Operation (FIDO)](https://github.com/Netflix/Fido)
* FIDO is an orchestration layer used to automate the incident response process by evaluating, assessing and responding to malware. FIDO’s primary purpose is to handle the heavy manual effort needed to evaluate threats coming from today's security stack and the large number of alerts generated by them. As an orchestration platform FIDO can make using your existing security tools more efficient and accurate by heavily reducing the manual effort needed to detect, notify and respond to attacks against a network.
* [Triaging Malware Incidents](http://journeyintoir.blogspot.com/2013/09/triaging-malware-incidents.html)
* Good writeup/blogpost from Journey into Incidence Response
* [Computer Security Incident Handling Guide - NIST](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf)
* [An Incident Handling Process for Small and Medium Businesses - SANS 2007](https://www.sans.org/reading-room/whitepapers/incident/incident-handling-process-small-medium-businesses-1791)
* [PowerForensics - PowerShell Digital Forensics](https://github.com/Invoke-IR/PowerForensics)
* The purpose of PowerForensics is to provide an all inclusive framework for hard drive forensic analysis. PowerForensics currently supports NTFS and FAT file systems, and work has begun on Extended File System and HFS+ support.
* [Invoke-IR](http://www.invoke-ir.com/)
* [Practical Comprehensive Bounds on Surreptitious Communication Over DNS](http://www.icir.org/vern/papers/covert-dns-usec13.pdf)
--------------
### <a name="ioc"></a>IOC
* [IOC Bucket](https://www.iocbucket.com/)
* IOC sharing platform
----------------------
### <a name="android">Android Forensics</a>
* **101**
* [How to Perform a Physical Acquisition in Android Forensics?](https://infosecaddicts.com/perform-physical-acquisition-android-forensics/)
* **Articles/Papers/Talks/Writeups**
* **General**
* **Tools**
* [wechat-dump](https://github.com/ppwwyyxx/wechat-dump)
* Dump wechat messages from android. Right now it can dump messages in text-only mode, or generate a single-file html containing voice messages, images, emoji, etc.
* [Androick](https://github.com/Flo354/Androick)
* Androick is a python tool to help in forensics analysis on android. Put the package name, some options and the program will download automatically apk, datas, files permissions, manifest, databases and logs. It is easy to use and avoid all repetitive tasks!
* **Training**
* [Android Forensics class - OpenSecurity Training](http://opensecuritytraining.info/AndroidForensics.html)
* This class serves as a foundation for mobile digital forensics, forensics of Android operating systems, and penetration testing of Android applications.
* **Miscellaneous**
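Review bot: PowerForensics is listed twice with the same link and description, once here between FIDO and Invoke-IR and again under the Windows Forensics `**Tools**` bullet further down the diff; it is an NTFS/FAT disk-analysis tool, so keep the Windows Forensics copy and drop this one. Also, the `**Training**` sub-bullet in the Android Forensics section is not one of the template sub-bullets (101 / Articles/Papers/Talks/Writeups / General / Tools / Miscellaneous) the other sections use; move the OpenSecurity Training class under `**101**` or `**Articles/Papers/Talks/Writeups**` so the section layout stays consistent.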
@ -173,18 +202,46 @@ http://windowsir.blogspot.com/2013/11/sniper-forensics-memory-analysis-and.html
* Volatility plugin designed to extract useful information from Google Chrome's address space. The goal of this plugin is to make possible the analysis of a Google Chrome running instance. Starting from a memory dump, Chrome Ragamuffin can list which page was open on which tab and it is able to extract the DOM Tree in order to analyze the full page structure.
* [firefox_decrypt](https://github.com/unode/firefox_decrypt)
* Firefox Decrypt is a tool to extract passwords from Mozilla (Firefox/Thunderbird/Seabird) profiles
* [firepwd.py](https://github.com/lclevy/firepwd)
* firepwd.py, an open source tool to decrypt Mozilla protected passwords
* **Miscellaneous**
--------------
### <a name="firmware"></a>Firmware
* [Firmware Forensics: Diffs, Timelines, ELFs and Backdoors](http://w00tsec.blogspot.com/2015/02/firmware-forensics-diffs-timelines-elfs.html)
--------------
####<a name="ios">iOS Forensics</a>
* **101**
* **Articles/Papers/Talks/Writeups**
* **General**
* **Tools**
* **Miscellaneous**
http://www.forensicswiki.org/wiki/Apple_iPhone
http://www.iosresearch.org/
* [iOSForensic](https://github.com/Flo354/iOSForensic)
* iosForensic is a python tool to help in forensics analysis on iOS. It get files, logs, extract sqlite3 databases and uncompress .plist files in xml.
* [iOS Forensics Analyis(2012) SANS Whitepaper](https://www.sans.org/reading-room/whitepapers/forensics/forensic-analysis-ios-devices-34092)
* [iOS Forensic Investigative Methods Guide](http://www.zdziarski.com/blog/wp-content/uploads/2013/05/iOS-Forensic-Investigative-Methods.pdf)
* [The art of iOS and iCloud forensics](https://blog.elcomsoft.com/2017/11/the-art-of-ios-and-icloud-forensics/)
--------------
### Chrome Book Forensics
* [Chromebook Forensics](http://www.dataforensics.org/google-chromebook-forensics/)
### <a name="linux">Linux Forensics</a>
* **101**
* **Articles/Papers/Talks/Writeups**
* **General**
* **Tools**
* **Miscellaneous**
* [Santoku Linux How-Tos'](https://santoku-linux.com/howtos)
--------------
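Review bot: `####<a name="ios">iOS Forensics</a>` has no space between `####` and the anchor, so CommonMark renders it as literal text rather than a heading; write it as `#### <a name="ios">iOS Forensics</a>`. The same heading and `ios` anchor appear a second time later in the diff, and the two bare URLs under its `**Miscellaneous**` bullet (`http://www.forensicswiki.org/wiki/Apple_iPhone` and `http://www.iosresearch.org/`) are not list items, so they break the bullet nesting; turn them into `* [...](...)` entries or drop them. The Chrome Book Forensics section is also missing the `--------------` separator line that every other section places before the next `###` heading.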
@ -197,12 +254,18 @@ http://windowsir.blogspot.com/2013/11/sniper-forensics-memory-analysis-and.html
* [Windows Memory Analysis Checklist](http://www.dumpanalysis.org/windows-memory-analysis-checklist)
* [Mem forenics cheat sheet](http://forensicmethods.com/wp-content/uploads/2012/04/Memory-Forensics-Cheat-Sheet-v1.pdf)
* **Tools**
* [lmg - Linux Memory Grabber](https://github.com/halpomeranz/lmg)
* A script for dumping Linux memory and creating Volatility(TM) profiles.
* [Detekt](https://github.com/botherder/detekt)
* Detekt is a Python tool that relies on Yara, Volatility and Winpmem to scan the memory of a running Windows system (currently supporting Windows XP to Windows 8 both 32 and 64 bit and Windows 8.1 32bit). Detekt tries to detect the presence of pre-defined patterns that have been identified through the course of our research to be unique identifiers that indicate the presence of a given malware running on the computer.
* [Dshell](https://github.com/USArmyResearchLab/Dshell)
* An extensible network forensic analysis framework. Enables rapid development of plugins to support the dissection of network packet captures.
* [LiME - Linux Memory Extractor](https://github.com/504ensicsLabs/LiME)
* A Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
* Vortessence is a tool, whose aim is to partially automate memory forensics analysis. Vortessence is a project of the Security Engineering Lab of the Bern University of Applied Sciences.
* **Miscellaneous**
* **Volatility**
* [Volatility](https://github.com/volatilityfoundation/volatility)
* An advanced memory forensics framework
* [VolUtility](https://github.com/kevthehermit/VolUtility)
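Review bot: the line `* Vortessence is a tool, whose aim is to partially automate memory forensics analysis...` under `**Tools**` has no parent link item; it sits directly under LiME's description and reads as a second description of LiME, while the proper `[Vortessence](https://github.com/vortessence/vortessence)` entry with the same text appears later under `**Volatility**`. Drop the orphaned line here. Separately, Dshell is a network packet-capture analysis framework, not a memory tool, so it belongs under the Network Forensics `**Tools**` bullet rather than in this memory tool list, and the link text `Mem forenics cheat sheet` has a typo (`forensics`).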
@ -210,108 +273,105 @@ http://windowsir.blogspot.com/2013/11/sniper-forensics-memory-analysis-and.html
* [evolve](https://github.com/JamesHabben/evolve)
* Web interface for the Volatility Memory Forensics Framework
* [Vortessence](https://github.com/vortessence/vortessence)
* Vortessence is a tool, whose aim is to partially automate memory forensics analysis. Vortessence is a project of the Security Engineering Lab of the Bern University of Applied Sciences.
* **Miscellaneous**
--------------
### <a name="training"></a>Training material
* [ENISA CERT Exercises and Training](http://www.enisa.europa.eu/activities/cert/support/exercise)
* ENISA CERT Exercises and training material was introduced in 2008, in 2012 and 2013 it was complemented with new exercise scenarios containing essential material for success in the CERT community and in the field of information security. In this page you will find the ENISA CERT Exercise material, containing Handbook for teachers, Toolset for students and Virtual Image to support hands on training sessions.
* [Packet Capture Examples from "Practical Packet Analysis"](http://www.chrissanders.org/captures/)
--------------
### Transport Neutral Encapsulation Format
* [Transport Neutral Encapsulation Format - Wikipedia](https://en.wikipedia.org/wiki/Transport_Neutral_Encapsulation_Format)
* [Analyzing TNEF files](https://isc.sans.edu/diary/rss/23175)
--------------
### <a name="talks">Presentations & Talks</a>
* [Forensic Imager Tools: You don't have the Evidence - Shmoocon 2014](https://www.youtube.com/watch?v=zYYCv21I-1I)*
* [Ways to Identify Malware on a System Ryan Irving](http://www.irongeek.com/i.php?page=videos/bsidestampa2015/201-ways-to-identify-malware-on-a-system-ryan-irving)
* [Investigating PowerShell Attacks - Ryan Kazanciyan and Matt Hastings - DEFCON22](https://www.youtube.com/watch?v=qF06PFcezLs)
* This presentation will focus on common attack patterns performed through PowerShell - such as lateral movement, remote command execution, reconnaissance, file transfer, etc. - and the sources of evidence they leave behind. We'll demonstrate how to collect and interpret these forensic artifacts, both on individual hosts and at scale across the enterprise. Throughout the presentation, we'll include examples from real-world incidents and recommendations on how to limit exposure to these attacks.
* [Human Hunting](http://www.irongeek.com/i.php?page=videos/bsidessf2015/108-human-hunting-sean-gillespie)
* Much of what appears to be happening in information security seems to be focused on replacing humans with magic boxes and automation rather than providing tools to augment human capabilities. However, when we look at good physical security we see technology is being used to augment human capabilities rather than simply replace them. The adversary is human so we are ultimately looking for human directed behaviors. If analysts don't know how to go looking for evil without automated detection tools then they are not going to be able to effectively evaluate if the detection tools are working properly or if the deployment was properly engineered. An over reliance on automated detection also puts organizations in a position of paying protection money if they want to remain secure. We should be spending more resources on honing analyst hunting skills to find human adversaries rather than purchasing more automated defenses for human adversaries to bypass.
* [Finding Bad Guys with 35 million Flows, 2 Analysts, 5 Minutes and 0 Dollars](http://www.irongeek.com/i.php?page=videos/bsidesknoxville2015/103-finding-bad-guys-with-35-million-flows-2-analysts-5-minutes-and-0-dollars-russell-butturini)
* There are a lot of proof of concepts out there for building open source networks forensics analysis environments. Taking them into production in an enterprise? Another story entirely. This talk will focus on my journey into constructing a large scale Netflow security analytics platform for a large healthcare management company's complex environment on no additional budget. Important points to be covered were technology considerations, scalability, and how to quickly break the collected data down to find malicious activity on the network with minimal effort.
* [Fraud detection and forensics on telco networks - Hack.lu 2016](https://www.youtube.com/watch?v=09EAWT_F1ZA&app=desktop)
* [Commercial Spyware - Detecting the Undetectable](https://www.blackhat.com/docs/us-15/materials/us-15-Dalman-Commercial-Spyware-Detecting-The-Undetectable-wp.pdf)
--------------
### <a name="anti">Anti-Forensics</a>
* [Destroying Evidence Before Its Evidence](https://www.youtube.com/watch?v=lqBVAcxpwio&spfreload=1)
* [And That's How I Lost My Other Eye...Explorations in Data Destruction](https://www.youtube.com/watch?v=-bpX8YvNg6Y)
* [Secure Deletion of Data from Magnetic and Solid-State Memory](http://static.usenix.org/publications/library/proceedings/sec96/full_papers/gutmann/index.html)
* [usbkill](https://github.com/stemid/usbkill)
* A tool that shuts down your computer if USB devices change, for example if you unplug or plug-in a device.
* [An Anti-Forensics Primer - Jason Andress](http://www.irongeek.com/i.php?page=videos/derbycon3/s216-an-anti-forensics-primer-jason-andress)
* This talk will cover the basics of anti-forensics, the tools and techniques that can be used to make life harder for computer forensic examiners. We will cover some of the basic methods that are used (disk wiping, time stomping, encryption, etc…) and talk about which of these methods might actually work and which are easily surmounted with common forensic tools.
* [OpenPuff Steganography](http://embeddedsw.net/OpenPuff_Steganography_Home.html)
* [Forensics Impossible: Self-Destructing Thumb Drives - Brandon Wilson](https://www.youtube.com/watch?v=NRMqwc5YEu4)
* [CleanAfterMe](https://www.nirsoft.net/utils/clean_after_me.html )
* CleanAfterMe allows you to easily clean files and Registry entries that are automatically created by the Windows operating system during your regular computer work. With CleanAfterMe, you can clean the cookies/history/cache/passwords of Internet Explorer, the 'Recent' folder, the Registry entries that record the last opened files, the temporary folder of Windows, the event logs, the Recycle Bin, and more.| http://
* [Hiding Data in Hard-Drive's Service Areas](http://recover.co.il/SA-cover/SA-cover.pdf)
* In this paper we will demonstrate how spinning hard-drives’ serv ice areas 1 can be used to hide data from the operating-system (or any software using the standard OS’s API or the standard ATA commands to access the hard- drive)
* [Anti-Forensics and Anti-Anti-Forensics Attacks - Michael Perkins](https://www.youtube.com/watch?v=J4x8Hz6_hq0)
* Everyone's heard the claim: Security through obscurity is no security at all. Challenging this claim is the entire field of steganography itself - the art of hiding things in plain sight. Most people know you can hide a text file inside a photograph, or embed a photograph inside an MP3. But how does this work under the hood? What's new in the stego field? This talk will explore how various techniques employed by older steganographic tools work and will discuss a new technique developed by the speaker which embodies both data hiding and data enciphering properties by encoding data inside NTFS volumes. A new tool will be released during this talk that will allow attendees to both encode and decode data with this new scheme.
* Slides: [Slides(link)](http://www.slideshare.net/the_netlocksmith/defcon-20-antiforensics-and-antiantiforensics)
* [Beyond The CPU:Defeating Hardware Based RAM Acquisition](https://www.blackhat.com/presentations/bh-dc-07/Rutkowska/Presentation/bh-dc-07-Rutkowska-up.pdf)
* [Hardware Backdooring is Practical** -Jonathan Brossard](https://www.youtube.com/watch?v=umBruM-wFUw)
* [Hiding the breadcrumbs: Forensics and anti-forensics on SAP systems - Juan Perez-Etchegoyen](http://www.irongeek.com/i.php?page=videos/derbycon4/t508-hiding-the-breadcrumbs-forensics-and-anti-forensics-on-sap-systems-juan-perez-etchegoyen)
* The largest organizations in the world rely on SAP platforms to run their critical processes and keep their business crown jewels: financial information, customer data, intellectual property, credit cards, human resources salaries, sensitive materials, suppliers and more. Everything is there and attackers know it. For several years at Onapsis we have been researching on how cyber-criminals might be able to break into ERP systems in order to help organizations better protect themselves. This has enabled us to gain a unique expertise on which are the most critical attack vectors and what kind of traces they leave (and don’t) over the victim’s SAP platforms. SAP systems need to be ready for Forensic Analysis, so the big question is: Are your systems prepared to retain the attackers breadcrumbs in the event of an attack? Join us and learn how to do a forensic analysis of an SAP system, looking for traces of a security breach We will also show novel techniques being used by attackers to avoid being detected during post attack forensic investigations. Vulnerabilities related to anti-forensic techniques will be presented together with their mitigation. **NEW** New attacks never presented before will be shown. JAVA, ABAP and BO systems will be covered.
* [int0x80 (of Dual Core) -- Anti-Forensics for the Louise - Derbycon](https://www.youtube.com/watch?v=-HK1JHR7LIM )
--------------
### <a name="mobile">Mobile Device Forensics</a>
#### <a name="android">Android Forensics</a>
* [Android Forensics class - OpenSecurity Training](http://opensecuritytraining.info/AndroidForensics.html)
* This class serves as a foundation for mobile digital forensics, forensics of Android operating systems, and penetration testing of Android applications.
* [Androick](https://github.com/Flo354/Androick)
* Androick is a python tool to help in forensics analysis on android. Put the package name, some options and the program will download automatically apk, datas, files permissions, manifest, databases and logs. It is easy to use and avoid all repetitive tasks!
* [How to Perform a Physical Acquisition in Android Forensics?](https://infosecaddicts.com/perform-physical-acquisition-android-forensics/)
-----------------------
### Network Forensics
* See also: Network Security Monitoring/Logging
* **101**
* **Articles/Papers/Talks/Writeups**
* [Analyzing TNEF files](https://isc.sans.edu/diary/rss/23175)
* [Finding Bad Guys with 35 million Flows, 2 Analysts, 5 Minutes and 0 Dollars](http://www.irongeek.com/i.php?page=videos/bsidesknoxville2015/103-finding-bad-guys-with-35-million-flows-2-analysts-5-minutes-and-0-dollars-russell-butturini)
* There are a lot of proof of concepts out there for building open source networks forensics analysis environments. Taking them into production in an enterprise? Another story entirely. This talk will focus on my journey into constructing a large scale Netflow security analytics platform for a large healthcare management company's complex environment on no additional budget. Important points to be covered were technology considerations, scalability, and how to quickly break the collected data down to find malicious activity on the network with minimal effort.
* **General**
* **Tools**
* **Miscellaneous**
* [Packet Capture Examples from "Practical Packet Analysis"](http://www.chrissanders.org/captures/)
* [Transport Neutral Encapsulation Format - Wikipedia](https://en.wikipedia.org/wiki/Transport_Neutral_Encapsulation_Format)
--------------
####<a name="ios">iOS Forensics</a>
http://www.forensicswiki.org/wiki/Apple_iPhone
----------------
### OS X Forensics
* **101**
* **Articles/Papers/Talks/Writeups**
* [The Cider Press:Extracting Forensic Artifacts From Apple Continuity](https://www.sans.org/summit-archives/file/summit-archive-1498146226.pdf)
* **General**
* **Tools**
* [osxcollector](https://github.com/Yelp/osxcollector)
* OSXCollector is a forensic evidence collection & analysis toolkit for OSX.
* [Mac OS X Keychain Forensic Tool](https://github.com/n0fate/chainbreaker)
* The chainbreaker can extract user credential in a Keychain file with Master Key or user password in forensically sound manner. Master Key candidates can be extracted from volafox or volatility keychaindump module. Supports: Snow Leopard, Lion, Mountain Lion, Mavericks, Yosemite, El Capitan, (High) Sierra
* [OS X Audiotr](https://github.com/jipegit/OSXAuditor)
* OS X Auditor is a free Mac OS X computer forensics tool.
* [OS X Forensics Generals](https://davidkoepi.wordpress.com/category/os-x-forensics-10-8/)
* [OSX Lion User Interface Preservation Analysis](https://digital-forensics.sans.org/blog/2011/10/03/osx-lion-user-interface-preservation-analysis#)
* [Knock Knock](https://github.com/synack/knockknock)
* KnockKnock displays persistent items (scripts, commands, binaries, etc.), that are set to execute automatically on OS X
* [Pac4Mac](https://github.com/sud0man/pac4mac)
* Pac4Mac (Plug And Check for Mac OS X) is a portable Forensics framework (to launch from USB storage) allowing extraction and analysis session informations in highlighting the real risks in term of information leak (history, passwords, technical secrets, business secrets, ...). Pac4Mac can be used to check security of your Mac OS X system or to help you during forensics investigation.
* **Miscellaneous**
http://www.iosresearch.org/
* [iOSForensic](https://github.com/Flo354/iOSForensic)
* iosForensic is a python tool to help in forensics analysis on iOS. It get files, logs, extract sqlite3 databases and uncompress .plist files in xml.
* [iOS Forensics Analyis(2012) SANS Whitepaper](https://www.sans.org/reading-room/whitepapers/forensics/forensic-analysis-ios-devices-34092)
* [iOS Forensic Investigative Methods Guide](http://www.zdziarski.com/blog/wp-content/uploads/2013/05/iOS-Forensic-Investigative-Methods.pdf)
* [The art of iOS and iCloud forensics](https://blog.elcomsoft.com/2017/11/the-art-of-ios-and-icloud-forensics/)
------------
### .NET Forensics
* [dotNET_WinDBG](https://github.com/Cisco-Talos/dotNET_WinDBG)
* This python script is designed to automate .NET analysis with WinDBG. It can be used to analyse a PowerShell script or to unpack a binary packed using a .NET packer.
* [Unravelling .NET with the Help of WinDBG - TALOS](http://blog.talosintelligence.com/2017/07/unravelling-net-with-help-of-windbg.html)
* This article describes: How to analyse PowerShell scripts by inserting a breakpoint in the .NET API; How to easily create a script to automatically unpack .NET samples following analysis of the packer logic.
----------------
### <a name="windows">Windows Forensics</a>
* **101**
* **Articles/Papers/Talks/Writeups**
* [How to parse Windows Eventlog](http://dfir-blog.com/2016/03/13/how-to-parse-windows-eventlog/)
* [Techniques for fast windows forensics investigations](https://www.youtube.com/watch?v=eI4ceLgO_CE)
* Look at sniper forensics, skip around, 18min has resources you want to grab for snapshots
* [Event Tracing for Windows and Network Monitor](http://blogs.technet.com/b/netmon/archive/2009/05/13/event-tracing-for-windows-and-network-monitor.aspx)
* "Event Tracing for Windows, (ETW), has been around for quite a while now as it was introduced in Windows 2000. It's basically instrumented logging that describes what a component is doing. Conceptually, it’s something like the proverbial printf("here1") concept used by programmers, but it is present in retail builds. When you enable logging in a component the result is an ETL (Event Trace Log) file. What’s new is that that Network Monitor can read any ETL file. And with the supplied parsers many network oriented ETW providers can be decoded."
* [NVbit : Accessing Bitlocker volumes from linux](http://www.nvlabs.in/index.php?/archives/1-NVbit-Accessing-Bitlocker-volumes-from-linux.html)
* **Educational**
* **General**
* [SANS CHEAT SHEET- Windows Artifact Analysis](https://uk.sans.org/posters/windows_artifact_analysis.pdf)
* **Tools**
* **Autoruns**
* [AutoRuns PowerShell Module](https://github.com/p0w3rsh3ll/AutoRuns)
* AutoRuns module was designed to help do live incident response and enumerate autoruns artifacts that may be used by legitimate programs as well as malware to achieve persistence.
* [WMI_Forensics](https://github.com/davidpany/WMI_Forensics)
* This repository contains scripts used to find evidence in WMI repositories
* [NTDSXtract - Active Directory Forensics Framework](http://www.ntdsxtract.com/)
* Description from the page: This framework was developed by the author in order to provide the community with a solution to extract forensically important information from the main database of Microsoft Active Directory (NTDS.DIT).
* [Did it Execute? - Mandiant](https://www.mandiant.com/blog/execute/)
* You found a malicious executable! Now you’ve got a crucial question to answer: did the file execute? We’ll discuss a few sources of evidence you can use to answer this question. In this post, we will focus on static or “dead drive” forensics on Windows systems. We will cover four main sources of evidence: Windows Prefetch, Registry, Log Files, and File Information.
* [Get-InjectedThread.ps1](https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2)
* Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
* [HowTo: Determine Program Execution](http://windowsir.blogspot.com/2013/07/howto-determine-program-execution.html)
* [Kansa -A Powershell incident response framework ](https://github.com/davehull/Kansa)
* A modular incident response framework in Powershell. Note there's a bug that's currently cropping up in PowerShell version 2 systems, but version 3 and later should be fine
* [DPAPIck](http://dpapick.com/)
* This is a forensic tool to deal, in an offline way, with Microsoft Windows® protected data, using the DPAPI (Data Protection API
* [WinPrefetchView v1.25](http://www.nirsoft.net/utils/win_prefetch_view.html)
* Each time that you run an application in your system, a Prefetch file which contains information about the files loaded by the application is created by Windows operating system. The information in the Prefetch file is used for optimizing the loading time of the application in the next time that you run it. WinPrefetchView is a small utility that reads the Prefetch files stored in your system and display the information stored in them. By looking in these files, you can learn which files every application is using, and which files are loaded on Windows boot.
* [BTA - AD Security Audit Framework](https://bitbucket.org/iwseclabs/bta)
* BTA is an open-source Active Directory security audit framework. Its goal is to help auditors harvest the information they need to answer such questions as:
* Who has rights over a given object (computer, user account, etc.) ?
* Who can read a given mailbox ?
* Which are the accounts with domain admin rights ?
* Who has extended rights (userForceChangePassword, SendAs, etc.) ?
* What are the changes done on an AD between two points in time ?
* [PowerForensics - PowerShell Digital Forensics](https://github.com/Invoke-IR/PowerForensics)
* The purpose of PowerForensics is to provide an all inclusive framework for hard drive forensic analysis. PowerForensics currently supports NTFS and FAT file systems, and work has begun on Extended File System and HFS+ support.
* [FastIR Collector](https://github.com/SekoiaLab/Fastir_Collector)
* This tool collects different artefacts on live Windows and records the results in csv or json files. With the analyses of these artefacts, an early compromission can be detected.
* [FastIR Collector on advanced threats](http://www.sekoia.fr/blog/wp-content/uploads/2015/10/FastIR-Collector-on-advanced-threats_v1.4.pdf)
* [Windows Attribute changer](http://www.petges.lu/home/)
* [PowerForensics - PowerShell Digital Forensics](https://github.com/Invoke-IR/PowerForensics)
* The purpose of PowerForensics is to provide an all inclusive framework for hard drive forensic analysis. PowerForensics currently supports NTFS and FAT file systems, and work has begun on Extended File System and HFS+ support.
* [LogonTracer](https://github.com/JPCERTCC/LogonTracer)
* Investigate malicious Windows logon by visualizing and analyzing Windows event log
* [PoSH-R2](https://github.com/WiredPulse/PoSh-R2)
* PoSH-R2 is a set of Windows Management Instrumentation interface (WMI) scripts that investigators and forensic analysts can use to retrieve information from a compromised (or potentially compromised) Windows system. The scripts use WMI to pull this information from the operating system. Therefore, this script will need to be executed with a user that has the necessary privileges.
* **Miscellaneous**
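Review bot: the iOS Forensics entries (iOSForensic, the 2012 SANS whitepaper, the Zdziarski investigative methods guide, the Elcomsoft iCloud article) end up nested under the OS X Forensics `**Miscellaneous**` bullet, separated from their `####<a name="ios">iOS Forensics</a>` heading by the whole OS X section, so a reader takes them for OS X material; move them back under the iOS heading and give that heading the space after `####` it needs to render. In the same hunk, the `#### <a name="android">Android Forensics</a>` block under Mobile Device Forensics repeats the three entries and the `android` anchor of the Android Forensics section earlier in the diff; keep one copy, since duplicate `name` attributes make the in-page link land only on the first. Smaller markup slips: the Shmoocon 2014 "Forensic Imager Tools" link ends with a stray `*` after the closing parenthesis, `Hardware Backdooring is Practical**` carries an unmatched bold marker inside the link text, the CleanAfterMe description ends with leftover `| http://`, and `serv ice areas` in the service-area paper summary should be joined to `service areas`.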
@ -319,126 +379,64 @@ http://www.iosresearch.org/
--------------
### <a name="pdf">PDF Forensics</a>
http://countuponsecurity.com/2014/09/22/malicious-documents-pdf-analysis-in-5-steps/
* [Didier Stevens Blog](https://blog.didierstevens.com/)
* [PDF Forensics](http://countuponsecurity.com/2014/09/22/malicious-documents-pdf-analysis-in-5-steps/)
* [Analyzing Malicious Documents Cheat Sheet](https://zeltser.com/analyzing-malicious-documents/)
* **101**
* **Articles/Papers/Talks/Writeups**
* [PDF Forensics](http://countuponsecurity.com/2014/09/22/malicious-documents-pdf-analysis-in-5-steps/)
* **General**
* **Tools**
* [PDF Tools - Didier Stevens](http://blog.didierstevens.com/programs/pdf-tools/)
* **Miscellaneous**
* [Didier Stevens Blog](https://blog.didierstevens.com/)
* [Analyzing Malicious Documents Cheat Sheet](https://zeltser.com/analyzing-malicious-documents/)
--------------
###< a name="photo">Photo Forensics</a>
* [jhead](http://www.sentex.net/~mwandel/jhead/)
* Exif Jpeg header manipulation tool
--------------------
### VBA Analysis
* [ViperMonkey](https://github.com/decalage2/ViperMonkey)
* ViperMonkey is a VBA Emulation engine written in Python, designed to analyze and deobfuscate malicious VBA Macros contained in Microsoft Office files (Word, Excel, PowerPoint, Publisher, etc).
--------------
### <a name="tools">Tools:</a>
Ghiro
* [StegExpose](https://github.com/b3dk7/StegExpose)
* StegExpose is a steganalysis tool specialized in detecting LSB (least significant bit) steganography in lossless images such as PNG and BMP. It has a command line interface and is designed to analyse images in bulk while providing reporting capabilities and customization which is comprehensible for non forensic experts. StegExpose rating algorithm is derived from an intelligent and thoroughly tested combination of pre-existing pixel based staganalysis methods including Sample Pairs by Dumitrescu (2003), RS Analysis by Fridrich (2001), Chi Square Attack by Westfeld (2000) and Primary Sets by Dumitrescu (2002). In addition to detecting the presence of steganography, StegExpose also features the quantitative steganalysis (determining the length of the hidden message). StegExpose is part of my MSc of a project at the School of Computing of the University of Kent, in Canterbury, UK.
###< a name="photo">Image Forensics</a>
* **101**
* **Articles/Papers/Talks/Writeups**
* **General**
* **Tools**
* [Extensible Metadata Platform](https://en.wikipedia.org/wiki/Extensible_Metadata_Platform)
* The Extensible Metadata Platform (XMP) is an ISO standard, originally created by Adobe Systems Inc., for the creation, processing and interchange of standardized and custom metadata for digital documents and data sets.
* [jhead](http://www.sentex.net/~mwandel/jhead/)
* Exif Jpeg header manipulation tool
* [Jeffrey's Image Metadata Viewer](http://exif.regex.info/exif.cgi)
* **Miscellaneous**
--------------
### <a name="linux">Linux Forensics</a>
---------------------
### Steganography
* **101**
* **Articles/Papers/Talks/Writeups**
* **General**
* **101**
* **Articles/Papers/Talks/Writeups**
* **General**
* **Tools**
* **Miscellaneous**
* [Santoku Linux How-Tos'](https://santoku-linux.com/howtos)
* [OpenPuff Steganography](http://embeddedsw.net/OpenPuff_Steganography_Home.html)
* **Tools**
* [StegExpose](https://github.com/b3dk7/StegExpose)
* StegExpose is a steganalysis tool specialized in detecting LSB (least significant bit) steganography in lossless images such as PNG and BMP. It has a command line interface and is designed to analyse images in bulk while providing reporting capabilities and customization which is comprehensible for non forensic experts. StegExpose rating algorithm is derived from an intelligent and thoroughly tested combination of pre-existing pixel based staganalysis methods including Sample Pairs by Dumitrescu (2003), RS Analysis by Fridrich (2001), Chi Square Attack by Westfeld (2000) and Primary Sets by Dumitrescu (2002). In addition to detecting the presence of steganography, StegExpose also features the quantitative steganalysis (determining the length of the hidden message). StegExpose is part of my MSc of a project at the School of Computing of the University of Kent, in Canterbury, UK.
* **Miscellaneous**
### <a name="windows">Windows Forensics</a>
* **General**
* **101**
* **Articles/Papers/Talks/Writeups**
* [How to parse Windows Eventlog](http://dfir-blog.com/2016/03/13/how-to-parse-windows-eventlog/)
* [Techniques for fast windows forensics investigations](https://www.youtube.com/watch?v=eI4ceLgO_CE)
* Look at sniper forensics, skip around, 18min has resources you want to grab for snapshots
* [Event Tracing for Windows and Network Monitor](http://blogs.technet.com/b/netmon/archive/2009/05/13/event-tracing-for-windows-and-network-monitor.aspx)
* "Event Tracing for Windows, (ETW), has been around for quite a while now as it was introduced in Windows 2000. It's basically instrumented logging that describes what a component is doing. Conceptually, it’s something like the proverbial printf("here1") concept used by programmers, but it is present in retail builds. When you enable logging in a component the result is an ETL (Event Trace Log) file. What’s new is that that Network Monitor can read any ETL file. And with the supplied parsers many network oriented ETW providers can be decoded."
* **Educational**
* [Know your Windows Processes or Die Trying](https://sysforensics.org/2014/01/know-your-windows-processes.html)
* Excellent quick reference on Windows proccesses with a focus on Win7. Good resource.
* [License to Kill: Malware Hunting with the Sysinternals Tools](http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/ATC-B308)
* [Windows Program Automatic Startup Locations](http://www.bleepingcomputer.com/tutorials/windows-program-automatic-startup-locations/)
* [Collection of Windows Autostart locations](http://gladiator-antivirus.com/forum/index.php?showtopic=24610)
* [Spotting the Adversary with Windows Event Log Monitoring - NSA](http://cryptome.org/2014/01/nsa-windows-event.pdf)
* NSA 70-page writeup on windows event log monitoring
* **General**
* [SANS CHEAT SHEET- Windows Artifact Analysis](https://uk.sans.org/posters/windows_artifact_analysis.pdf)
* **Tools**
* [WMI_Forensics](https://github.com/davidpany/WMI_Forensics)
* This repository contains scripts used to find evidence in WMI repositories
* [NTDSXtract - Active Directory Forensics Framework](http://www.ntdsxtract.com/)
* Description from the page: This framework was developed by the author in order to provide the community with a solution to extract forensically important information from the main database of Microsoft Active Directory (NTDS.DIT).
* [Did it Execute? - Mandiant](https://www.mandiant.com/blog/execute/)
* You found a malicious executable! Now you’ve got a crucial question to answer: did the file execute? We’ll discuss a few sources of evidence you can use to answer this question. In this post, we will focus on static or “dead drive” forensics on Windows systems. We will cover four main sources of evidence: Windows Prefetch, Registry, Log Files, and File Information.
* [Get-InjectedThread.ps1](https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2)
* Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
* [HowTo: Determine Program Execution](http://windowsir.blogspot.com/2013/07/howto-determine-program-execution.html)
* [Kansa -A Powershell incident response framework ](https://github.com/davehull/Kansa)
* A modular incident response framework in Powershell. Note there's a bug that's currently cropping up in PowerShell version 2 systems, but version 3 and later should be fine
* [DPAPIck](http://dpapick.com/)
* This is a forensic tool to deal, in an offline way, with Microsoft Windows® protected data, using the DPAPI (Data Protection API
* [WinPrefetchView v1.25](http://www.nirsoft.net/utils/win_prefetch_view.html)
* Each time that you run an application in your system, a Prefetch file which contains information about the files loaded by the application is created by Windows operating system. The information in the Prefetch file is used for optimizing the loading time of the application in the next time that you run it. WinPrefetchView is a small utility that reads the Prefetch files stored in your system and display the information stored in them. By looking in these files, you can learn which files every application is using, and which files are loaded on Windows boot.
* [BTA - AD Security Audit Framework](https://bitbucket.org/iwseclabs/bta)
* BTA is an open-source Active Directory security audit framework. Its goal is to help auditors harvest the information they need to answer such questions as:
* Who has rights over a given object (computer, user account, etc.) ?
* Who can read a given mailbox ?
* Which are the accounts with domain admin rights ?
* Who has extended rights (userForceChangePassword, SendAs, etc.) ?
* What are the changes done on an AD between two points in time ?
* [Claimsman]()
* Claimsman logs all file handle creation on Windows systems, and logs to both a local file and centralized log management system.
* [FastIR Collector](https://github.com/SekoiaLab/Fastir_Collector)
* This tool collects different artefacts on live Windows and records the results in csv or json files. With the analyses of these artefacts, an early compromission can be detected.
* [FastIR Collector on advanced threats](http://www.sekoia.fr/blog/wp-content/uploads/2015/10/FastIR-Collector-on-advanced-threats_v1.4.pdf)
* [Windows Attribute changer](http://www.petges.lu/home/)
* [PowerForensics - PowerShell Digital Forensics](https://github.com/Invoke-IR/PowerForensics)
* The purpose of PowerForensics is to provide an all inclusive framework for hard drive forensic analysis. PowerForensics currently supports NTFS and FAT file systems, and work has begun on Extended File System and HFS+ support.
* [LogonTracer](https://github.com/JPCERTCC/LogonTracer)
* Investigate malicious Windows logon by visualizing and analyzing Windows event log
* [PoSH-R2](https://github.com/WiredPulse/PoSh-R2)
* PoSH-R2 is a set of Windows Management Instrumentation interface (WMI) scripts that investigators and forensic analysts can use to retrieve information from a compromised (or potentially compromised) Windows system. The scripts use WMI to pull this information from the operating system. Therefore, this script will need to be executed with a user that has the necessary privileges.
* **Miscellaneous**
--------------
### <a name="osx">OS X Forensics Tools</a>
* [OS X Audiotr](https://github.com/jipegit/OSXAuditor)
* OS X Auditor is a free Mac OS X computer forensics tool.
* [OS X Forensics Generals](https://davidkoepi.wordpress.com/category/os-x-forensics-10-8/)
* [OSX Lion User Interface Preservation Analysis](https://digital-forensics.sans.org/blog/2011/10/03/osx-lion-user-interface-preservation-analysis#)
* [Knock Knock](https://github.com/synack/knockknock)
* KnockKnock displays persistent items (scripts, commands, binaries, etc.), that are set to execute automatically on OS X
* [Pac4Mac](https://github.com/sud0man/pac4mac)
* Pac4Mac (Plug And Check for Mac OS X) is a portable Forensics framework (to launch from USB storage) allowing extraction and analysis session informations in highlighting the real risks in term of information leak (history, passwords, technical secrets, business secrets, ...). Pac4Mac can be used to check security of your Mac OS X system or to help you during forensics investigation.
* [Mac OS X Keychain Forensic Tool](https://github.com/n0fate/chainbreaker)
* The chainbreaker can extract user credential in a Keychain file with Master Key or user password in forensically sound manner. Master Key candidates can be extracted from volafox or volatility keychaindump module. Supports: Snow Leopard, Lion, Mountain Lion, Mavericks, Yosemite, El Capitan, (High) Sierra
--------------
#### Bootkit Disk Forensics
* **101**
* **Articles/Papers/Talks/Writeups**
* **General**
* **Tools**
* **Miscellaneous**
* [Part 1](http://www.malwaretech.com/2015/02/bootkit-disk-forensics-part-1.html)
* [Part 2](http://www.malwaretech.com/2015/03/bootkit-disk-forensics-part-2.html)
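Review bot: the `[Claimsman]()` entry in the Windows Tools list has an empty link target, so it renders as a dead link; add the URL or hold the entry until one is available. Same hunk, smaller points: `[OS X Audiotr]` should read `OS X Auditor` (the description line under it already spells it that way), the DPAPIck description is missing its closing parenthesis after `Data Protection API`, and `proccesses` in the "Know your Windows Processes" description should be `processes`.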
@ -447,7 +445,16 @@ Ghiro
--------------
#### Malware Management Framework(Originally called 'Sniper Forensics')
http://windowsir.blogspot.com/2013/11/sniper-forensics-memory-analysis-and.html
* [Malware Management Framework - Sniper Forensics Toolkit](http://sniperforensicstoolkit.squarespace.com/malwaremanagementframework/)
* [The Malware Management Framework](https://malwarearchaeology.squarespace.com/mmf/)
* The Malware Reporting Standard](https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/55220280e4b0170ec8b526b6/1428292224531/Malware+Reporting+Standard+vApril+2015.pdf)
* [BSidesLV Presentation](https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/552200afe4b0e4ad5008b943/1428291802554/Malware+Mgmt+Framework+v2.0.pdf)
* [Sniper Forensics](https://digital-forensics.sans.org/summit-archives/2010/2-newell-spiderlabs-sniper-forensics.pdf)
* Pg10 and onward
* [Link](https://sniperforensicstoolkit.squarespace.com/storage/logging/Windows%20Logging%20Cheat%20Sheet%20v1.1.pdf)
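Review bot: `* The Malware Reporting Standard](...)` is missing the opening `[`, so markdown will print the raw URL instead of a link; it should be `* [The Malware Reporting Standard](...)`. The bare `http://windowsir.blogspot.com/...` URL directly under the heading and the `[Link](...)` entry at the end carry no link text; give them titles like the other entries (the last one's URL names the document, so `[Windows Logging Cheat Sheet v1.1](...)` would fit).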


+ 7
- 9
Draft/Fuzzing Bug Hunting.md View File

@ -22,23 +22,16 @@
#### sort
https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md
* Add Descriptions/generals to types of fuzzing
* [0-day streams: pdfcrack](https://www.youtube.com/watch?v=8VLNPIIgKbQ&app=desktop)
* [FuzzManager](https://github.com/MozillaSecurity/FuzzManager)
* With this project, we aim to create a management toolchain for fuzzing. Unlike other toolchains and frameworks, we want to be modular in such a way that you can use those parts of FuzzManager that seem interesting to you without forcing a process upon you that does not fit your requirements.
* [COMRaider](http://sandsprite.com/iDef/COMRaider/)
* ActiveX Fuzzing tool with GUI, object browser, system scanner, and distributed auditing capabilities
* [Github](https://github.com/dzzie/COMRaider)
* [From Fuzzing to 0day.](http://blog.techorganic.com/2014/05/14/from-fuzzing-to-0-day/)
* [Basic fuzzing framework](https://www.cert.org/vulnerability-analysis/tools/bff-download.cfm)
* [Fuzzing 101 (Part 1)]()
* [Fuzzing 101 (Part 2)](https://vimeo.com/5237484)
* [0-day streams: pdfcrack](https://www.youtube.com/watch?v=8VLNPIIgKbQ&app=desktop)
* [pcrappyfuzzer](https://github.com/blazeinfosec/pcrappyfuzzer)
* Script to perform quick 'n dirty fuzzing of PCAPs with radamsa and Scapy.
#### end sort
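Review bot: `[Fuzzing 101 (Part 1)]()` has an empty link target while Part 2 links to vimeo; supply the URL or drop the entry. `[0-day streams: pdfcrack]` also appears twice in this hunk; since the rendered view drops the +/- markers it is not visible whether one copy is the removed line, so confirm only one survives in the `#### sort` list. The `From Fuzzing to 0day` and `pcrappyfuzzer` entries reappear under Writeups and the network fuzzer list in the later hunks of this file, which is the right direction; make sure the copies here are the removed side rather than duplicates.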
@ -63,6 +56,8 @@ https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md
* [The Power Of Pair: One Template That Reveals 100+ Uaf Ie Vulnerabilities - BlackhatEU14](http://www.securitytube.net/video/12924?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SecurityTube+%28SecurityTube.Net%29)
* [Mining for Bugs with Graph Database Queries [31c3]](https://www.youtube.com/watch?v=291hpUE5-3g)
* [ClusterFuzz](http://nullcon.net/website/archives/ppt/goa-15/analyzing-chrome-crash-reports-at-scale-by-abhishek-arya.pdf)
* [Google VRP and Unicorns](https://sites.google.com/site/bughunteruniversity/behind-the-scenes/presentations/google-vrp-and-unicorns)
* In July 2017 at BountyCraft event we delivered a presentation entitled "Google VRP and Unicorns", featuring a selection of interesting bugs reported to our program, and disclosing some planned updates in store for Google VRP.
* **History**
* [Symbolic execution timeline](https://github.com/enzet/symbolic-execution)
* Diagram highlights some major tools and ideas of pure symbolic execution, dynamic symbolic execution (concolic) as well as related ideas of model checking, SAT/SMT solving, black-box fuzzing, taint data tracking, and other dynamic analysis techniques.
@ -100,6 +95,7 @@ https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md
* dynamic binary analysis via platform emulation
* **Writeups**
* [Fuzzing TCP servers - Robert Swiecki](http://blog.swiecki.net/2018/01/fuzzing-tcp-servers.html)
* [From Fuzzing to 0day.](http://blog.techorganic.com/2014/05/14/from-fuzzing-to-0-day/)
* **Static Fuzzing**
* **Frameworks**
* [Paper Machete](https://github.com/cetfor/PaperMachete/wiki)
@ -160,6 +156,8 @@ https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md
* A dumb protocol-unaware packet fuzzer/replayer.
* [Nightmare](https://github.com/joxeankoret/nightmare)
* A distributed fuzzing testing suite with web administration, supports fuzzing using network protocols.
* [pcrappyfuzzer](https://github.com/blazeinfosec/pcrappyfuzzer)
* Script to perform quick 'n dirty fuzzing of PCAPs with radamsa and Scapy.
* **Fuzzing Linux**
* **Kernel**
* [KernelFuzzer](https://github.com/mwrlabs/KernelFuzzer) - Cross Platform Kernel Fuzzer Framework.


+ 31
- 16
Draft/Game Hacking.md View File

@ -33,6 +33,7 @@ Fix ToC
* NES zombie survival game made to be hacked
* **Writeups**
* [Hack the Vote CTF "The Wall" Solution](https://zerosum0x0.blogspot.com/2016/11/hack-vote-wall-solution.html)
* [Creating A Kewl And Simple Cheating Platform On Android - DeepSec2014](http://www.securitytube.net/video/12547?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SecurityTube+%28SecurityTube.Net%29)
* **Emulators**
* [How do emulators work and how are they written?](https://stackoverflow.com/questions/448673/how-do-emulators-work-and-how-are-they-written)
* **Breaking The Game**
@ -53,18 +54,6 @@ Fix ToC
* MTuner is a C/C++ memory profiler and memory leak finder for Windows, PlayStation 4, PlayStation 3, etc.
------------
### Android
* [Creating A Kewl And Simple Cheating Platform On Android - DeepSec2014](http://www.securitytube.net/video/12547?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SecurityTube+%28SecurityTube.Net%29)
------------
## <a name="console"></a>Console Hacking
------------
### <a name="console"></a>Nintendo
* **Nintendo Gameboy/Pocket/Color/Advance**
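Review bot: the `## <a name="console"></a>Console Hacking` and `### <a name="console"></a>Nintendo` headings both use the anchor name `console`, so a ToC link to `#console` lands on whichever the browser resolves first; give the Nintendo heading its own anchor (for example `nintendo`). Dropping the Android subsection is fine since its only entry moved into Writeups in the previous hunk, but if both `------------` separators around it remain they will render as two adjacent rules.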
@ -81,8 +70,15 @@ Fix ToC
* A heap overflow in tag processing leads to code execution when a specially- crafted m4a file is loaded by Nintendo 3DS Sound. This bug is particularly good, because as far as I can tell it is the first ever homebrew exploit that is free, offline, and works on every version of the firmware for which the sound app is available.
* **Emulator**
* [Citra](https://citra-emu.org/)
* **Homebrew**
* [Luma3DS](https://github.com/AuroraWright/Luma3DS)
* Luma3DS is a program to patch the system software of (New) Nintendo 3DS handheld consoles "on the fly", adding features (such as per-game language settings and debugging capabilities for developers) and removing restrictions enforced by Nintendo (such as the region lock). It also allows you to run unauthorized ("homebrew") content by removing signature checks.
* **Nintendo Entertainment System**
* **Articles/Writeups**
* **Emulators**
* **Nintendo Super Nintendo**
* **Articles/Writeups**
* **Emulators**
* **Nintendo64**
* **Articles/Writeups**
* [Reversing the Nintendo 64 CIC - Mike Ryan, marshallh, and John McMaster - REcon 2015](https://www.youtube.com/watch?v=HwEdqAb2l50)
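Review bot: `specially- crafted` in the 3DS Sound description has a stray space after the hyphen; it should be `specially-crafted`. The new `Nintendo Entertainment System` and `Nintendo Super Nintendo` blocks consist only of empty `Articles/Writeups` and `Emulators` headers; either populate them or add them together with their first entries, since empty headers clutter the rendered page.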
@ -105,11 +101,30 @@ Fix ToC
* The Homebrew Channel - open source edition
* [WiiUse](https://github.com/rpavlik/wiiuse)
* Wiiuse is a library written in C that connects with several Nintendo Wii remotes. Supports motion sensing, IR tracking, nunchuk, classic controller, Balance Board, and the Guitar Hero 3 controller. Single threaded and nonblocking makes a light weight and clean API.
* **Nintendo WiiU**
* **Emulators**
* **Firmware**
* **Homebrew**
* **Articles/Writeups**
* [Anatomy of a Wii U: The End...?](https://hexkyz.blogspot.com/2018/01/anatomy-of-wii-u-end.html)
* **Nintendo Switch**
* [yuzu](https://github.com/yuzu-emu/yuzu)
* yuzu is an experimental open-source emulator for the Nintendo Switch from the creators of Citra. It is written in C++ with portability in mind, with builds actively maintained for Windows, Linux and macOS. The emulator is currently only useful for homebrew development and research purposes.
* [Nintendo_Switch_Reverse_Engineering - dekuNukem](https://github.com/dekuNukem/Nintendo_Switch_Reverse_Engineering)
* A look at inner workings of Joycon and Nintendo Switch
* **Articles/Writeups**
* [Console Security - Switch Homebrew on the Horizon](https://media.ccc.de/v/34c3-8941-console_security_-_switch)
* Nintendo has a new console, and it's more secure than ever. The Switch was released less than a year ago, and we've been all over it. Nintendo has designed a custom OS that is one of the most secure we've ever seen, making the game harder than it has ever been before. In this talk we will give an introduction to the unique software stack that powers the Switch, and share our progress in the challenge of breaking it. We will talk about the engineering that went into the console, and dive deep into the security concepts of the device. The talk will be technical, but we aim to make it enjoyable also for non-technical audiences.
* [Nintendo_Switch_Reverse_Engineering - dekuNukem](https://github.com/dekuNukem/Nintendo_Switch_Reverse_Engineering)
* A look at inner workings of Joycon and Nintendo Switch
* **Emulators**
* [Ryujinx](https://github.com/gdkchan/Ryujinx)
* Experimental Switch emulator written in C#
* [yuzu](https://github.com/yuzu-emu/yuzu)
* yuzu is an experimental open-source emulator for the Nintendo Switch from the creators of Citra. It is written in C++ with portability in mind, with builds actively maintained for Windows, Linux and macOS. The emulator is currently only useful for homebrew development and research purposes.
* **Firmware**
* [Atmosphere-NX](https://github.com/SciresM/Atmosphere-NX)
* This is a repo for a work-in-progress customized firmware for the Nintendo Switch.
* **Homebrew**
* [nx-hbmenu](https://github.com/switchbrew/nx-hbmenu)
* Switch Homebrew Menu
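Review bot: the `yuzu` and `Nintendo_Switch_Reverse_Engineering - dekuNukem` entries appear twice in the Nintendo Switch block, once directly under the heading and again under `Emulators` and `Articles/Writeups`. The rendered diff carries no +/- markers, so if the first copies are not the removed lines, drop them so each entry sits only in its category. The `Nintendo WiiU` block likewise has empty `Emulators`, `Firmware` and `Homebrew` headers above its single Articles entry.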
------------


+ 6
- 2
Draft/Interesting Things Useful stuff.md View File

@ -29,6 +29,9 @@
#### To Sort
* sort and break into policy/high level/ vs interesting things
* [Cubicles and Compromises - Webcast](https://www.blackhillsinfosec.com/webcast-cubicles-compromises/)
* [Printable Version](https://www.blackhillsinfosec.com/cubicles-compromises-printable/)
* [Programming Sucks](http://www.stilldrinking.org/programming-sucks)
@ -67,9 +70,10 @@ http://spth.virii.lu/articles.htm
* [My Canons on (ISC)² Ethics - Such as They Are(2011)](http://infosecisland.com/blogview/15450-My-Canons-on-ISC-Ethics-Such-as-They-Are.html)
* [Containers Will Not Fix Your Broken Culture (and Other Hard Truths) - Complex socio-technical systems are hard; film at 11. - Bridget Kromhout](https://queue.acm.org/detail.cfm?id=3185224)
* [tcpTrigger](https://github.com/R-Smith/tcpTrigger)
* tcpTrigger is a Windows service intended to notify you of incoming network connections. You specify a TCP port to monitor and an action to take. Actions taken include: sending a notification email and/or launching an external application or script. Your action will then be triggered each time an incoming connection is attempted on your specified port.
* [Hacker Scripts](https://github.com/NARKOZ/hacker-scripts)
* Based on a true story


+ 21
- 8
Draft/Malware.md View File

@ -48,6 +48,18 @@ Add
* [PortEX: Robust static anaylsis of Portable Executable Malware](https://evilzone.org/reverse-engineering/%28pdf%29-robust-static-analysis-of-portable-executable-malware/)
* [Malvertising: Under The Hood by Chris Boyd - BSides Manchester2017](https://www.youtube.com/watch?v=VESvOsr91_M&index=1&list=PLcgqQkap1lNrOBNCXqpPqpPAqckxv0XhP)
* [EvadeML](https://github.com/uvasrg/EvadeML)
* An Evolutionary Framework for Evading Machine Learning-based Malware Classifiers
* [ViperMonkey](https://github.com/decalage2/ViperMonkey)
* ViperMonkey is a VBA Emulation engine written in Python, designed to analyze and deobfuscate malicious VBA Macros contained in Microsoft Office files (Word, Excel, PowerPoint, Publisher, etc).
* [dotNET_WinDBG](https://github.com/Cisco-Talos/dotNET_WinDBG)
* This python script is designed to automate .NET analysis with WinDBG. It can be used to analyse a PowerShell script or to unpack a binary packed using a .NET packer.
* [Unravelling .NET with the Help of WinDBG - TALOS](http://blog.talosintelligence.com/2017/07/unravelling-net-with-help-of-windbg.html)
* This article describes: How to analyse PowerShell scripts by inserting a breakpoint in the .NET API; How to easily create a script to automatically unpack .NET samples following analysis of the packer logic.
##### END Sort
@ -119,12 +131,11 @@ Add
* Automated Malware Analysis
* [Cuckoo-Droid](https://github.com/i[danr1986/cuckoo-droid/blob/master/README.md)
* CuckooDroid is an extension of Cuckoo Sandbox the Open Source software for automating analysis of suspicious files, CuckooDroid brigs to cuckoo the capabilities of execution and analysis of android application.
* Obfuscators
* **Obfuscators**
* [ProGuard](http://proguard.sourceforge.net/)
* [DexGuard](http://www.saikoa.com/dexguard)
* [Obfuscation in Android malware, and how to fight back](https://www.virusbtn.com/virusbulletin/archive/2014/07/vb201407-Android-obfuscation)
* [Obfuscation in Android Malware and how to fight back](https://www.virusbtn.com/virusbulletin/archive/2014/07/vb201407-Android-obfuscation)
* De-Obfuscators
* **De-Obfuscators**
* [De-hoser](https://github.com/strazzere/dehoser)
* Unpacker for the HoseDex2Jar APK Protection which packs the original file inside the dex header
* [hidex](https://github.com/cryptax/dextools/tree/master/hidex)
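Review bot: the Cuckoo-Droid URL `https://github.com/i[danr1986/cuckoo-droid/blob/master/README.md` contains a stray `[` after `github.com/`, so the link is broken; removing it gives `https://github.com/idanr1986/cuckoo-droid/blob/master/README.md`. The description on the next line also has `brigs` for `brings`. The two `Obfuscation in Android malware` lines differ only in capitalization and read as a rename of the same entry, which is fine provided one of them is the removed side.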