Event Tracing For Windows (ETW) Resources

#ThreatHunting #DFIR #Malware #Detection Mind Maps

Resources To Learn And Understand SIGMA Rules

The Eventlog Compendium is the go-to resource for understanding Windows Event Logs.

Symantec EDR Internals

Repository containing malware analysis filters for the Windows SysInternals' - Process Monitor tool

A script that automates a brute-force attack on a login page

Resources and Discussions About Detection Engineering

Generic Signature Format for SIEM Systems

Parser for Symantec EDR "localdatastore" folder

A python script that contains multiple functionalities (Hashing, Encoding/Decoding...etc.)

Extracted Yara rules from Windows Defender mpavbase and mpasbase

Living Off The Land Drivers

A collection of my slides and presentations

BigBountyRecon tool utilises 58 different techniques using various Google dorks and open source tools to expedite the process of initial reconnaissance on the target organisation.

A pySigma wrapper to manage detection rules.

Small and highly portable detection tests based on MITRE's ATT&CK.

Resources provided by the community that can serve to be useful for Law Enforcement worldwide

A resource containing all the tools each ransomware gangs uses

Project for tracking publicly disclosed DLL Hijacking opportunities.

MAL-CL (Malicious Command-Line)

No description.

Some usefull Scripts and Executables for Pentest & Forensics

Sysmon configuration file template with default high-quality event tracing

LotL RMM

TrustedSec Sysinternals Sysmon Community Guide

Retired TrustedSec Capabilities

Windows Event Log Knowledge Base

A standalone SIGMA-based detection tool for EVTX, Auditd and Sysmon for Linux logs

Windows Implementation Library

No description.

Collection of Event ID ressources useful for Digital Forensics and Incident Response

Various PowerShells scripts I've made to automate some of the boring stuff in my everyday DFIR journey!

Convert Sigma rules to SIEM queries, directly in your browser.

Python library to parse and convert Sigma rules into queries (and whatever else you could imagine)

Set of tools to analyze Windows sandboxes for exposed attack surface.

No description.

No description.

GhostLoader - AppDomainManager - Injection - 攻壳机动队

Powershell module that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. Made with ❤️ by @last0x00

A YARA Rule Performance Measurement Tool

A light-weight first-stage C2 implant written in Nim.

Signature base for my scanner tools

pySigma Elasticsearch backend

Set of SIGMA rules (>320) mapped to MITRE ATT&CK tactic and techniques

No description.

Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)

A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk

No description.

Official Website Of The Sigma Project

This repository contains supplemental items including IOCs, and signatures discussed in Huntress blogposts, and other media.

Expand compressed files from WinSxS folder

This project aims to compare and evaluate the telemetry of various EDR products.

A repo that contains recursive dir listings of a vanilla (clean) install of every Windows OS version to compare and see what's been added with each update.

ETW Python Library

Script for parsing Symantec Endpoint Protection logs, VBNs, and ccSubSDK database.

No description.

CVE-2020-12593 POC

CVE-2020-5839 POC

ZOHO Manage Engine Application Manager - XSS POC

CVE-2019-19547​ POC

No description.

CTF's Writeups

Splunk Security Content

Simpleator ("Simple-ator") is an innovative Windows-centric x64 user-mode application emulator that leverages several new features that were added in Windows 10 Spring Update (1803), also called "Redstone 4", with additional improvements that were made in Windows 10 October Update (1809), aka "Redstone 5".

No description.

Splunk Technology Add-on for monitoring Ollama LLM deployments. Features file monitoring of server logs, HEC integration for custom telemetry, and CIM compliance for enterprise security. Provides HTTP access log parsing, prompt analytics, and built-in data redaction. Compatible with Splunk Cloud Platform

A opensource sigma convertion tool built using pysigma

Quickly search for references to a GUID in DLLs, EXEs, and drivers

Sigma rule specification

Sensor Mappings to ATT&CK is a collection of resources to assist cyber defenders with understanding which sensors and events can help detect real-world adversary behaviors in their environments.

Sigma detection rules for hunting with the threathunting-keywords project

Rules generated from our investigations.

The Sigma command line interface based on pySigma

No description.

The new Windows Terminal and the original Windows console host, all in the same place!

Source code of Windows XP (NT5). Leaks are not from me. I just extracted the archive and cabinet files.

Slides from various conference talks

Pure Python parser for Application Compatibility Shim Databases (.sdb files)

A collection of JSON schema files including full API

This repository is used for Windows client for IT Pro content on Microsoft Learn.

QRadar AQL backend for converting Sigma rules to QRadar AQL queries

No description.

Issues found on WSL

Hardcore Debugging

This is the repository for the master files that comprise the SPDX License List

A proof-of-concept subject interface package (SIP) used to demonstrate digital signature subversion attacks.

No description.

pySigma Splunk backend

pySigma Cookiecutter backend template

A ProcessMonitor visualization application written in rust.

Digital Forensics Artifact Repository

Process Monitor X v2

Online hash checker for Virustotal and other services

No description.

POC CVE-2023-21746

Aurora Agent User Manual

A repository hosting example goodware evtx logs containing sample software installation and basic user interaction

Sample code for Component Object Model (COM) setup and registration.

A wrapper of windows apis for the Go Programming Language.

OSSEM Data Dictionaries

[POC] Asynchronous reverse shell using the HTTP protocol.

Basic C2 Server

TrevorC2 is a legitimate website (browsable) that tunnels client/server communications for covert command execution.