README.md

Security lists for SOC/DFIR detections

🐾 Threat Hunting:

• ThreatHunting keywords Site
• ThreatHunting keywords Lists
• ThreatHunting Yara rules

ThreatHunting searches

• Windows Services Searches
• User-Agents Searches
• DNS Over HTTPS Searches
• Suspicious TLDs Searches
• HijackLibs Searches
• Phishing & DNSTWIST Searches
• Browsers extensions Searches
• C2 hiding in plain sigh
• HTML Smuggling artifacts
• PSEXEC & similar tools Searches
• Time Slipping detection
• Suspicious Named pipes

📂 My Detection Lists

• 📋 Lists: https://github.com/mthcht/awesome-lists/tree/main/Lists
• 🕵️‍♂️ ThreatHunting Guides: https://mthcht.medium.com/list/threat-hunting-708624e9266f
• 🚰 Suspicious Named pipes: suspicious_named_pipe_list.csv
• 🌐 Suspicious TLDs (updated automatically): [suspicious_TLDs]
• 🌐 Suspicious ASNs (updated automatically): [suspicious ASNs]
• 🌐 FYI Maxmind GeoIP Database (updated automatically): GeoIP DB
• 🔧 Suspicious Windows Services: suspicious_windows_services_names_list.csv
• ⏲️ Suspicious Windows Tasks: suspicious_windows_tasks_list.csv
• 🚪 Suspicious destination port: suspicious_ports_list.csv
• 🛡️ Suspicious Firewall rules: suspicious_windows_firewall_rules_list.csv
• 🆔 Suspicious User-agent: suspicious_http_user_agents_list.csv
• 📇 Suspicious USB Ids: suspicious_usb_ids_list.csv
• 🏷️ Suspicious mutex names: suspicious_mutex_names_list.csv
• 🔢 Suspicious MAC address: suspicious_mac_address_list.csv
• 📛 Suspicious Hostname: suspicious_hostnames_list.csv
• 🌐 Suspicious Browser Extensions: Browser Extensions
• 📧 Microsoft App IDs List - BEC Detection microsoft_apps_list.csv
• 🧮 Metadata Executables: executables_metadata_informations_list.csv
• 🕸️ DNS over HTTPS server list: dns_over_https_servers_list.csv
• 🕸️ Dynamic DNS domains list: dyndns_list.csv
• 🪝 Phishing lists: Phishing domains and urls
• 🕸️ Domains : [sinkholed servers]
• 🕳️ Sinkholed Domains : sinkholed_domains.csv
• 🕳️ Sinkholed Site: SINKHOLED
• 📚 Hijacklibs (updated automatically): hijacklibs_list.csv
• 🌐 TOR Nodes Lists (updated automatically): [TOR]
• 🛠️ LOLDriver List (updated automatically): loldrivers_only_hashes_list.csv
• 🛠️ Malicious Bootloader List (updated automatically): malicious_bootloaders_only_hashes_list.csv
• 📜 Malicious SSL Certificates List (updated automatically): ssl_certificates_malicious_list.csv
• 🖥️ RMM detection: [RMM]
• 👤🔑 Important Roles and groups for AD/EntraID/AWS: [permissions]
• 💻🔒 Ransomware known file extensions: ransomware_extensions_list.csv
• 💻🔒 Ransomware known file name ransom notes: ransomware_notes_list.csv
• 📝 Windows ASR rules: windows_asr_rules.csv
• 🌐 DNSTWIST Lists (updated automatically): DNSTWIST Default Domains + script
• 🌍 VPN IP address Lists (updated automatically):
  • 🛡️ NordVPN: nordvpn_ips_list.csv
  • 🛡️ ProtonVPN: protonvpn_ip_list.csv
  • 🛡️ SurfShark: surfshark_vpn_servers_domains_and_ips_list.csv
  • 🛡️ MullVad: mullvad_relay_servers_ips_list.csv
• 🌍 PROXIES PROXY IP/Port Lists
• 🏢 Companies IP Range Lists (updated automatically): Default Lists + script / Microsoft
• 📍 GeoIP services Lists: ip_location_sites_list.csv
• 🧬 Yara rules: Threat Hunting yara rules
• 🧬 Offensive Tools detection patterns: offensive_tool_keywords.csv
• 🧬 Greyware Tools detection patterns: greyware_tool_keyword.csv
• 🧬 AV signatures keywords: signature_keyword.csv
• 🧬 Microsoft Defender AV signatures lists: [Defender] + yara
• 🧬 ClamAV signatures lists: [ClamAV]
• 🔗 Others correlation Lists: [Others]
• 📋 Lists i need to finish: [todo]

I regularly update most of these lists after each tool i analyze in my detection keywords project

Other Lists

🛡️ DFIR:

• 🔥 EricZimmerman Tools 🔥
• usnjrnl_rewind
• dfir-orc
• dfir-orc-config
• Arsenal Recon Forensic tools
• Splunk4DFIR
• dfiq
• Mind maps
• arfifacts List - DFIRArtifactMuseum
• arfifacts List - ForensicArtifacts
• Autopsy
• SleuthKit
• [OS] SIFT Workstation
• [OS] Remnux
• [OS] sof-elk
• [OS] tsurugi
• [OS] DEFT
• [OS] Flare VM
• PSBits
• Yara - Threat Hunting + TH
• Yara - Forge
• capa
• Malcontent
• [Event parser] evtx
• [Event Parser] procmon-parser
• [Event Parser] Linux - MasterParser
• [EVTX] Hayabusa
• [EVTX] WELA
• [EVTX] chainsaw
• [EVTX] APTHunter
• [EVTX / Auditd] Zircolite
• werejugo
• srum-dump
• ADTimeline
• PersistenceSniper
• [O365] Logs - Microsoft-Analyzer-Suite
• Logon Tracer
• Timeline Plaso
• Timeline TimeSketch
• regripper
• OneDrive OCR DB artifact collector exe
• OneDrive OCR DB artifact collector python
• hollows hunter
• PE sieve
• RdpCacheStitcher
• Searching strings - ripgrep
• Searching strings - Recoll
• Kape
• Kape Files
• More Kape ressources
• VolatileDataCollector
• Velociraptor
• TZ tools
• Nirsoft tools
• [memory] MemDump
• [memory] MemProcFS
• [memory] MemProcFS-Analyzer
• [memory] avml
• [memory] WinPmem
• [memory] Volatility
• [Image Mount] FTK Imager
• [Image Mount] OSFMount
• [Network] Network Miner
• [Network] Wireshark
• [Network] xplico
• [Carving] PhotoRec
• [Carving] Bulk Extractor
• Didier Stevens tools
• [memory] Lime
• Windows artifacts
• [Linux] UAC
• [Linux] EXT4 / XFS - fjta
• lists - aboutdfir.com
• Monitoring - Osquery
• [IR Guide] OpenProject
• [OSX Tools] Knockknock
• [OSX Tools] mac_apt
• Browser Chrome Extensions DNS Forensic

🚫 IOC Feeds/Blacklists:

• ABUSE.CH BLACKLISTS
• Block Lists
• DNS Block List
• Phishing Block List
• Binary Defense IP Block List
• C2IntelFeeds
• Volexity TI
• Open Source TI
• C2 Tracker
• Unit42 IOC
• Sekoia IOC
• Unit42 Timely IOC
• Unit42 Articles IOC
• ThreatFOX IOC
• Zscaler ThreatLabz IOC
• Zscaler ThreatLabz Ransomware notes
• experiant.ca
• Sophos lab IOC
• ESET Research IOC
• ExecuteMalware IOC
• Cisco Talos IOC
• Elastic Lab IOC
• Blackorbid APT Report IOC
• AVAST IOC
• Zimperium IOC
• HarfangLab IOC
• DoctorWeb IOC
• BlackLotusLab IOC
• prodaft IOC
• Pr0xylife DarkGate IOC
• Pr0xylife Latrodectus IOC
• Pr0xylife WikiLoader IOC
• Pr0xylife SSLoad IOC
• Pr0xylife Pikabot IOC
• Pr0xylife Matanbuchus IOC
• Pr0xylife QakBot IOC
• Pr0xylife IceID IOC
• Pr0xylife Emotet IOC
• Pr0xylife BumbleBee IOC
• Pr0xylife Gozi IOC
• Pr0xylife NanoCore IOC
• Pr0xylife NetWire IOC
• Pr0xylife AsyncRAT IOC
• Pr0xylife Lokibot IOC
• Pr0xylife RemcosRAT IOC
• Pr0xylife nworm IOC
• Pr0xylife AZORult IOC
• Pr0xylife NetSupportRAT IOC
• Pr0xylife BitRAT IOC
• Pr0xylife BazarLoader IOC
• Pr0xylife SnakeKeylogger IOC
• Pr0xylife njRat IOC
• Pr0xylife Vidar IOC
• Pr0xylife Warmcookie IOC
• Cloud Intel IOC
• Phihsing urls - last week feed
• SpamHaus drop.txt
• SpamHaus drop + ASN
• UrlHaus_misp
• UrlHaus_misp ASN
• UrlHaus
• vx-underground - Great Resource for Samples and Intelligence Reports
• Ransomware.live
• rosti.bin public reports feed

🐙 Github

• More github lists

🖥️ SIEM/SOC/PurpleTeam related:

• EDR Telemetry
• PurpleTeam Scripts
• Awesome-SOC
• Awesome SOC analyst
• Threat-Hunting with Splunk
• Detection Lists
• PurpleTeam atomics

📊 TI TTP/Framework/Model/Trackers

• Tools used by ransomware groups - @BushidoToken
• Tools used by Russian APT
• Tools associated with groups (partial)
• Techniques - MITRE ATT&CK
• Tactics - MITRE ATT&CK
• Groups & Operations Naming conventions matrix
• Mitigation - MITRE ATT&CK
• ATT&CK matrix navigator
• All MITRE data in xlsx format
• Tools used by threat actor groups - MITRE ATT&CK
• atomic-red-team
• redcanary Threat Detection report
• The-Unified-Kill-Chain
• TTP pyramid
• Pyramid of pain
• Cyber Kill chain
• MITRE D3FEND
• MITRE CAPEC
• MITRE CAR
• MITRE DeTTECT
• MITRE PRE-ATT&CK Techniques
• APTMAP
• CVE Vuln Database
• CVE Vuln Framework
• REACT framework
• 🔥ALL TI Reports🔥
• 🔥ALL TI Reports searches🔥

🕵️‍♂️ Investigation

📊 TI checks

• Virustotal
• SpamHaus
• AbuseIPDB
• Malwarebazaar
• emailrep
• dnsdumpster
• nslookup.io
• cloudfare URL scan
• proxy IP check - proxycheck.io
• reputation IP check criminalip
• proxy IP check - iphub.info
• shodan
• Onyphe
• haveibeenpwned
• leakcheck.io
• Censys
• cybergordon (URL reputation check)
• threatminer
• urlscan
• Apptotal (apps and extensions analysis)
• urlquery
• cloudfare scanner
• scamsearch.io
• scamdb.net
• urlvoid
• urldna.io
• url checkphish
• ipvoid
• mxtoolbox
• mxtoolbox mail header
• Microsoft TI
• pulsedive
• URL Redirect Checker
• threatbook
• web archive
• McAfee Threat Intelligence Exchange
• Kaspersky Security Network
• Microsoft Security Intelligence Report
• IBM X-Force Exchange
• AlienVault OTX
• greynoise
• whoxy
• url tiny-scan
• certificates - crt.sh
• site web-check
• validin.com
• Browser Extension CRX checker
• .EXE lookup - echotrail
• Malware-Traffic-Analysis (PCAP files)
• redhuntlabs
• whois domaintools
• ASN check bgp.he
• viewdns
• OUI mac address lookup
• macvendorlookup
• .EXE lookup - xcyclopedia
• abuse.ch
• malware-traffic-analysis
• waybackmachine
• Online Paste Tools Lookup
• dnshistory
• asnlookup
• Browser extension checker - CRXaminer
• ipinfo.io
• fofa.info
• SecurityTrail
• ZommEye
• BlueCoat lookup
• Norton lookup
• Fortinet lookup
• McAfee lookup
• Trellix lookup
• Palo Alto lookup
• Talos Intelligence lookup
• Checkpoint lookup
• Cyren lookup
• Forcepoint lookup
• TrendMicro lookup
• USB & PCI database - DeviceHunt

🔬 Sandbox / Emulation

• Sandbox Anyrun
• triage
• capesandbox
• joesandbox
• filescan.io
• Hybrid Analysis
• virustotal
• threat zone
• vmray
• kaspersky opentip
• speakeasy (kernel and user mode emulation)
• DOGGuard
• Kaspersky Threat Intelligence Portal

🧩 Data manipulation

• CyberChef
• jsoncrack
• Grok debugger
• JS deobfuscator
• PCAP online analyzer
• Hash calculator
• regex101
• PCAP Analyzer Online
• Javascript Deobfuscator - deobfuscate.relative.im
• Javascript Deobfuscator - de4js
• JSONViewer
• TextMechanic
• UrlEncode.org
• TextFixer
• RegExr
• TextUtils
• TextCompactor
• Pretty Diff
• XML Tree
• Online XML Formatter and Beautifier
• XML Escape Tool
• DiffChecker
• CSVJSON
• HTML Formatter
• Text Tool
• String Manipulation Tool
• unshorten it
• urlunscrambler
• URLEncode & Decode
• longurl
• Message Header
• MXToolbox EmailHeaders
• Email Header Analyzer
• Email Header Analysis
• Gitlab dashboard from Excel
• uncoder
• DeHashed
• Diff Checker
• ChatGPT

📡 Detection Resources

• Detection Lists
• MITRE techniques
• MITRE Updates
• MITRE D3fend
• MITRE Navigator
• MITRE Datasources
• GTFOBIN
• LOLBAS
• LOTS
• LOLRMM
• loldrivers
• LOLRMM
• LOLC2
• LOLESXI
• WTFBIN
• Sigma
• Splunk Rules
• Elastic Rules
• DFIR-Report Sigma-Rules
• JoeSecurity Sigma-Rules
• mdecrevoisier Sigma-Rules
• P4T12ICK Sigma-Rules
• tsale Sigma-Rules
• list of detections resources
• KQL Hunting Queries
• detection engineering resources
• Defender Resource
• awesome-threat-detection
• LOLOLFarm

🌐 Security News

• Adam Chester Blog Feed
• ahnlab apt feed
• ahnlab cert feed
• ahnlab phishing feed
• ahnlab trend feed
• Akamai blog feed
• Any.run malware analysis blog feed
• Avast Blog feed
• badsectorlabs Last week in security - Redteam
• bi-zone blog feed
• bitdefender labs feed
• binarydefense blog feed
• Blackberry blog
• Bleepingcomputer Feed
• bleepingcomputer feed
• broadcom blog feed
• CERT FR Alerts
• CERT FR Avis
• CERT LV feed
• CERT PL feed
• CERT SE feed
• CERT SI feed
• CERT UA feed
• CERT-FR
• Checkpoint Research feed
• CIRT bd feed
• CISA news feed
• CISA news
• Cisco Talos
• claroty team82 research
• Cloudfare security feed
• Clément Notin Feed
• crowdstrike counter adversary operations blog
• deepinstinct blog
• detect.fyi
• Detection engineering weekly
• DFIR weekly news
• DFIR weekly news feed
• drweb virus alert feed
• eclecticiq threat intel
• Elastic security labs blog
• elastic security labs blog feed
• EricaZelic Blog
• forcepoint lab blog
• genians threat intel feed
• gi7w0rm threat intel feed
• Google Project Zero blog feed
• Google threat intelligence feed
• Google Threat Intelligence
• Google Threat analysis feed
• Group-IB feed
• HackerNews Feed
• harfanglab lab feed
• hexacorn blog feed
• horizon3 Feed
• hunt.io blog
• huntress blog feed
• IC3 CSA feed
• Infostealers Hub News Feed
• infostealers reports feed
• Intrinsec feed
• isc sans edu feed
• JPCERT feed
• JPCERT
• krebsonsecurity feed
• malwarebytes blog feed
• malwaretech feed
• Mauricio Velazco Blog
• mcafee labs feed
• Michael Haag Blog
• Microsoft security blog feed
• Microsoft Incident response ninja hub
• Microsoft Threat Intel feed
• morphisec threat research
• NCC Group research feed
• nccgroup research blog security
• NCSC news feed
• NIST CVEs
• NIST cybersecurity insights feed
• Offensive Research - DSAS by INJECT
• orangecyberdefense Intel
• outpost24 research and threat intel feed
• proofpoint threat insight
• Qualys Threat research feed
• redcanary feed
• reversinglabs threat research
• sans blog
• security.com threat intel
• securityaffairs apt feed
• securityweek feed
• securlist apt targeted attacks feed
• Sekoia Blog
• Sekoia blog feed
• SentinelOne labs feed
• seqrite techical blog
• Simone Kraus blog feed
• sophos threat research feed
• specterops feed
• Splunk Research Blog
• Sybersecyrity news feed
• Talos feed
• tenable Blog
• The HackerNews feed
• thedfirreport feed
• threat connect blog feed
• threatlabz zscaler blog
• threatpost feed
• trendmicro security feed
• Trustwave blog feed
• Twitter
• Unit42 feed
• Unit42 feed
• virusbulletin feed
• virusbulletin
• volexity blog feed
• welivesecurity feed
• tl;dr sec newsletter

📺 Youtube/Twitch channels

• DFIR - 13cubed videos
• DFIR - SANS videos
• DFIR - MyDFIR
• DFIR - DFIRScience
• Malware Analysis - jstrosch
• Malware Analysis - cyberraiju
• Malware Analysis - Botconf
• DFIR - AntisyphonTraining
• DFIR - BlackPerl
• Malware Analysis - malwareanalysisforhedgehogs
• DFIR - BlueMonkey4n6
• DFIR - binaryzone
• Detection Engineering - Splunk - atomicsonafriday
• Exploitation - HackerSploit
• DFIR - TheTaggartInstitute
• Malware Analysis - JohnHammond
• Malware Analysis - invokereversing
• Exploitation - Defcon Talks + https://media.defcon.org/
• Exploitation - Alh4zr3d - twitch
• Exploitation - Alh4zr3d - youtube
• Exploitation - incodenito
• Exploitation - dayzerosec
• Malware Analysis - MalwareTechBlog
• Malware Analysis - radkawar
• Exploitation - LiveOverflow
• Malware Analysis - neoeno
• Malware Analysis - AzakaSekai
• CTI - bushidotoken
• CTI - @TLP_R3D
• Windows Internal - @mrexodia
• !!! Exploitation - ippsec
• Exploitation - flangvik
• Conferences channel - scrtinsomnihack
• Conferences channel - OffensiveCon
• Conferences channel - BSidesSF
• Conferences channel - BSidesTLV
• Conferences channel - bsidesbudapest
• Conferences channel - SecuritybsidesOrgUk
• Conferences channel - bsidescanberra9688
• Conferences channel - brucontalks
• Conferences channel - DEFCONConference
• Conferences channel - Disobey
• Conferences channel - hitbsecconf
• Conferences channel - SANSOffensiveOperations
• Conferences channel - BlackHillsInformationSecurity
• Conferences channel - RITSEC
• Conferences channel - Preludeorg
• Conferences channel - BlackHatOfficialYT
• Conferences channel - TROOPERScon
• Conferences site - infocon.org
• Conferences site - sectube.tv
• Conferences channel - x33conf

🎙️ Podcasts

• darknetdiaries
• risky.biz
• DFIR Podcasts
• cloud.withgoogle.com
• Internet Storm Center sans podcast
• 7 minutes security Podcast
• hacking-humans
• dayzerosec
• CISO series
• Splunk Atomic on Friday
• NolimitSecu (FR)
• HacknSpeak (FR)
• Radio CSIRT (FR)
• DEV podcasts (FR)
• Security Conversations
• Monde de la cyber (FR)

💬 Discord /Slack channels

• RedTeam - 🔥 Initial Access Guild 🔥 Discord
• RedTeam - 🔥 Red-Team VX community 🔥 Discord
• RedTeam - BloodHoundHQ Slack
• RedTeam - evilsocket Discord
• RedTeam - OffSec Discord
• Threat Hunting - Threat Hunter community Discord
• PurpleTeam - Ipurpleteam Discord
• Blueteam Detection engineering - Hunter's Den Discord
• Blueteam Detection engineering - Sigma HQ Discord
• Blueteam Threat Intel - Malcore Discord

📚 Training

DFIR

• 13cubed - Investigating Windows Endpoints 13cubed.com -windows endpoints

• 13cubed - Investigating Windows Memory 13cubed.com -windows memory

• 13cubed - Investigating Linux Devices 13cubed.com - linux

• SANS: FOR500

• SANS: FOR508

• Defensive-security: Linux-live-forensics

• @0gtweet - Forensic course: Mastering Windows Forensics

• @DebugPrivilege : Forensic Debugging free course InsightEngineering

• Challenges:

  • Arsenal Recon Disks Images for DFIR: publicly-accessible-disk-images
  • @inversecos - APT Emulation Labs: xintra
  • @TheDFIRReport : LABs with logs from the existing reports dfir-labs
  • @ACEresponder: Courses with Detailed Explanations and Labs aceresponder.com
  • @binaryz0ne: DFIR challenges with Datasets + Linux forensic workshop

SOC

• tryhackme - SOC lvl 1

• tryHackme - SOC lvl 2

• letsdefend.io @chrissanders88 - letsdefend.io

• Constructing Defense constructingdefense.com

• SANS: SANS555

• Xintra: Attacking and Defending Azure M365

• Challenges:

  • Splunk Boss Of The SOC - BOTS
    • BOTS dataset v1
    • BOTS dataset v2
    • BOTS dataset v3

• @TheDFIRReport : LABs with logs from the existing reports dfir-labs

• @ACEresponder: Courses with Detailed Explanations and Labs aceresponder.com

• @inversecos - APT Emulation Labs: xintra

Offensive

• OSCP - HTB
• OSCP - Course PEN200
• OSEP - Course PEN300

Challenges

• HackTheBox
• Pentestlab
• Root-Me
• TryHackMe
• Zenk-Security

RE / Malware Analysis / Deep Dive

• OpenSecurityTraining2

📚 Books

DFIR

• Practical Forensic Imaging
• Practical-Linux-Forensics-Digital-Investigators
• TheHitchhikersGuidetoDFIRExperiencesFromBeginnersandExperts - Free
• Forensic Artifacts - Microsoft GuideBook - free
• Eric Zimmerman Manual Tools - Free
• The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
• Applied Incident Response
• SANS FOR500 / FOR508 book
• Blue Team Handbook: Incident Response Edition
• Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
• Placing the Suspect Behind the Keyboard: DFIR Investigative Mindset
• Crafting the InfoSec Playbook: Security Monitoring and Incident
• Investigating Windows Systems

Malware Anaysis

• Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
• The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
• Evasive Malware: A Field Guide to Detecting, Analyzing, and Defeating Advanced Threats

SOC

• Blue Team Handbook: SOC, SIEM, and Threat Hunting
• BTFM: Blue Team Field Manual
• PTFM: Purple Team Field Manual + PTFM: Purple Team Field Manual v2
• EDR - Introduction to endpoint security
• MITRE - 11 Strategies of a World-Class Cybersecurity Operations Center
• Big picture on running a SOC - Modern SOC
• Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
• SANS 555 book

Deep Dive

• Windows Internals Books
• How Linux Works
• Linux Device Drivers
• Understanding The Linux Virtual Memory Manager
• Linux insides
• Linux Ebpf
• Windows Security Internals

Exploitation

• Hacking Art Exploitation
• Hacker Playbook Practical Penetration Testing
• RTFM: Red Team Field Manual
• Red Team Development and Operations: A practical guide
• RTRM: Red Team Reference Manual
• POC||GTFO

📚 Knowledge sites

• DFIR - NTFS deepdive - ntfs.com
• DFIR - aboutdfir
• DFIR - Forensic Artifacts - microsoft GuideBook
• Malware Analysis - unprotect.it - Evasion techniques
• Exploitation - hacktricks
• Exploitation - PayloadsAllTheThings
• Exploitation - red-team-note
• Exploitation - Red Team Notes
• DFIR - JPCERT Tools Analysis
• Exploitation - Red Team TTP
• Linux - EBPF docs
• DFIR - Microsoft NinjaHub
• DEV - Windows PInvoke signatures
• Privacy - VPN privacy guide
• Detection - GCP Attack - Defense
• Detection - Azure Attack Defense
• Detection - Unprotect project
• Exploitation - Hacker recipes
• Logs - Events IDs - ultimatewindowssecurity
• Logs - Event IDs & policies - microsoft
• Logs - Event IDs Logon types - microsoft
• Logs - Azure SigninLogs Schema
• Logs - Azure SigninLogs Risk Detection
• Logs - AADSTS Error Codes
• Logs - Microsoft Errors Search
• Logs - Microsoft Entra authentication and authorization error codes
• Logs - Microsoft Defender Event IDs
• Logs - Microsoft Defender for Cloud Alert References
• Logs - Microsoft Defender for Identity Alert References
• Logs - Microsoft Defender XDR Schemas
• Logs - Microsoft DNS Debug Event IDs
• Logs - Sysmon Event IDs
• more cheatsheets
• Exploitation - TLS details
• SOC - Email Headers IANA
• SOC - DKIM, DMARC, SPF
• SOC - Kerberos Protocol explained
• SOC - ADSecurity AD Attacks
• SOC - Pass the ticket explained
• SOC - Kerberoasting explained
• SOC - Kerberos Unconstrained Delegation explained
• SOC - AS_REP roasting explained
• SOC - Golden tickets explained
• SOC - Silver Ticket explained
• SOC - Skeleton Key explained
• SOC - NTLM Relay explained
• SOC - LLMNR Poisoning explained
• SOC - DCsync explained
• SOC - DCshadow attack explained
• SOC - Interview Questions by LetsDefend
• SOC - explain shell command arguments

🧪 LAB

• LAB automation - ludus
• LAB env - windows - GOAD
• LAB automation - warhorse
• LAB automation - Azure - BadZure
• LAB automation - Azure - AzureGoat
• OS - Malware analysis - flare-vm
• SandBox - cuckoo
• SandBox - CAPEv2
• SandBox - Malice (Virustotal self hosted clone)
• Detection platform - wazuh
• Detection platform - securityonion
• Detection platform - Splunk
• Detection platform - Elastic
• Deployment - ansible
• SOC - Use Case Factory Automation - DetectIQ
• Network Logs - StratosphereLinuxIPS
• Network Logs - flare-fakenet-ng
• Network Logs - maltrail
• Purpleteam - openbas
• Honeypot - LLM honeypot galah
• Honeypot - canary
• Honeypot - opencanary
• Honeypot - Respotter (Responder honeypot)
• Honeypot - Certiception (ADCS honeypot)
• Honeypot - cowrie
• Maldev - Defense Evasion - avred
• Maldev - Defense Evasion - gocheck
• Reconnaissance - HEDnsExtractor
• Detection Agent - Sandfly linux agent
• Log Forwarder - openwec (windows event forwarder)
• Threat Hunting Platform - deephunter
• Windows Logs - JonMon
• Windows Logs - Sysmon
• LInux Logs - ossec
• Linux Logs - ecapture (SSL/TLS)
• Linux Logs - tracee
• Linux Logs - auditd
• Linux Logs - SysmonForLinux
• Linux Logs - kunai
• CTI - OpenCTI
• CTI - MISP
• Code analysis
• IR platform - iris-web
• IR platform - rAIdline
• IR platform - FIR
• Challenges - DFIR LABS
• Log samples - Splunk Attack range
• IT - Remote connections manager - xpipe
• Endpoint Security - Windows Hardening - Harden-Windows-Security
• Endpoint Security - Linux Hardening - lynis
• Endpoint Security - Linux - apparmor

📦 Others

• Crontab check
• markmap.js.org (markdown to mindmap)
• Subnet Calculator
• chmod calculator
• Epoch time converter
• cyberchef
• Chrome Addon for TI checks
• sms verification
• temp mail
• 10 minute mail

Content creation

• Attack animation creator - aceresponder

🏷️ Bookmarks

• ⭐ Bookmarks with all my lists to import in your browser (updated automatically) UPDATE Bookmarks