Name

Type

License

Developer(s)

URL

Description

Type of Tool

aa tool

Open-source

https://github.com/JPCERTCC/aa-tools/blob/master/LICENSE.txt

JPCERT/CC

https://github.com/JPCERTCC/aa-tools

Artefact analysis tool

Artefact Analysis

AAPT

Open-source

Android Studio

https://androidaapt.com/

This tool allows you to view, create, and update Zip-compatible archives (zip, jar, apk). It can also compile resources into binary assets.

Development Tool

Abuse helper

Open source

MIT License

Clarified Networks, CERT -FI, CERT-EE

https://github.com/abusesa/abusehelper

Automatically processing (standardised) high-volume information from a wide range of sources and finding the owners of reported IP addresses from public databaseses.

Information Co-relation

Abuse.py

Open source

GPLv3

CERT Société Générale

https://pypi.org/project/abuse-finder/

Look for abuse contacts for IP, domain names, email addresses and URLs.

Information Co-relation

AIL framework

Open-source

GNU AGPL v3.0: https://github.com/CIRCL/AIL-framework/blob/master/LICENSE

CIRCL

https://github.com/CIRCL/AIL-framework

"AIL is a modular framework to analyse potential information leaks from unstructured data sources like pastes from Pastebin or similar services or unstructured data streams. AIL framework is flexible and can be extended to support other functionalities to mine or process sensitive information (e.g. data leak prevention)."

Data Leak Monitoring/Data Mining

AIRT (Application for Incident Response Teams)

Open-source

GNU GPL v2

AIRT development team

http://airt.leune.com/

"a web-based application that has been designed and developed to support the day to day operations of a computer security incident response team"
Seems discontinued (last update in 2009)
Mentioned in Trusted Introducer's SIM3 model

Incident Management Tool

ALOD

Open-source

https://github.com/rommelfs/ALOD/blob/master/License.rtf

Sascha Rommelfangen, CIRCL, Smile GIE

https://github.com/rommelfs/ALOD https://www.circl.lu/pub/tr-08/

"automatic launch object detection for Mac OS X"

Application monitoring

Analysis Pipeline 5.11.3

Open-source

GPL

SEI, CMU

https://tools.netsa.cert.org/analysis-pipeline5/download.html

It can now process YAF records and raw IPFIX records. It can do all of the analyses available in version 4.x. A notable enhancement is expansive DNS record processing.

Network Threat Detection

AndroGuard

Open-source

Apache 2.0 License

Anthony Desnos

https://github.com/androguard/androguard

Reverse engineering, Malware and goodware analysis of Android applications

Mobile Application Analysis Framework

Android Brute Force Encryption cracking program

Freeware (Santoku Community Edition)

MIT License

Santoku Community

https://github.com/santoku/Santoku-Linux/tree/master/tools/android/android_bruteforce_stdcrypto

Using command line 'bbruteforce_stdcrypto ~/Desktop/tmp_header ~/Desktop/tmp_footer' to brute force android encryption PIN.

Filesystem Recovery

Android Debug Bridge

Open-source

https://developer.android.com/studio/terms

Android Studio

https://developer.android.com/studio/command-line/adb

Android Debug Bridge (adb) is a versatile command-line tool that lets you communicate with a device.

Process Debugger

Android emulator

Open-source

Apache 2.0 License

Google

https://developer.android.com/studio/run/emulator

The Android Emulator simulates Android devices on your computer so that you can test your application on a variety of devices and Android API levels without needing to have each physical device.

Emulator

Android NDK

Open-source

Apache 2.0 License

Google

https://developer.android.com/ndk

The Android NDK is a toolset that lets you implement parts of your app in native code, using languages such as C and C++.

Artefact Analysis

Anubis

Open-source

MIT

JonLuca De Caro

https://github.com/jonluca/Anubis

Subdomain enumeration and information gathering tool

Information Co-relation

apktool

Open-source

Apache 2.0 License

Connor Tumbleson

https://ibotpeaches.github.io/Apktool/

A tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications.

Decompiler

apullo

Open-source

MIT License: https://github.com/ninoseki/apullo/blob/master/LICENSE

Manabu Niseki

https://github.com/ninoseki/apullo

"A scanner for taking basic fingerprints."

Network Fingerprinting

Assemblyline

Open-source

MIT License

Canadian Cyber Security Centre

https://cyber.gc.ca/en/assemblyline https://github.com/CybercentreCanada?q=assemblyline

"Assemblyline is a platform for the analysis of malicious files. It is designed to assist cyber defence teams to automate the analysis of files and to better use the time of security analysts. The tool recognizes when a large volume of files is received within the system, and can automatically rebalance its workload. Users can add their own analytics, such as antivirus products or custom-built software, in to Assemblyline. The tool is designed to be customized by the user and provides a robust interface for security analysts."

Malware Detection Framework

AtlasFrontend

Open-source

Mariano Moreno

https://github.com/hedesil/atlas-frontend

Web application to manage information in a Security Operations Center (SOC). Code developed in the INCIBE's Hackathon 2019.

Vulnerability Management

AuRTIR

Open-source

INCIBE-CERT

Tool to automate some incident management tasks using RTIR web API.

Incident Management Tool

Autopsy

Freeware

Basis Technology

https://www.autopsy.com/

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.

Artefact Analysis

Aviary

Freeware

CISA

https://github.com/cisagov/sparrow/releases

A dashboard to help visualize and analyze threats from its Sparrow detection tool

Artefact Analysis

AWARE (Abuse Watch Alerting and Reporting Engine)

Free online service

ITU

http://aware.impact-alliance.org/ (not accessible any more)

"a solution for cyber threats monitoring through various external sources."
Has a public dashboard

Network Threat Monitoring

awk

Freeware

Alfred Aho, Peter J. Weinberger, Brian Kernighan

https://www.gnu.org/software/gawk/manual/gawk.html, https://www.geeksforgeeks.org/awk-command-unixlinux-examples/

a program that you can use to select particular records in a file and perform operations upon them.

Text Processing

Backtrack

Open-source

Mati Aharoni, Max Moser

https://www.backtrack-linux.org/

BackTrack is a Linux-based distribution dedicated to penetration testing or hacking (depending on how you look at it). It contains more than 300 of the world's most popular open source or freely distributable hacking tools. (Discontinued and run as Kali Linux as of 2013)

Penetration Testing

bgiparser (backgrounditems.btm parser)

Open-source

Apache License 2.0: https://github.com/mnrkbys/bgiparser/blob/master/LICENSE

Minoru Kobayashi (Internet Initiative Japan)

https://github.com/mnrkbys/bgiparser

"it serves to parse information about the applications to be executed upon user login , which is stored in backgrounditems.btm in macOS after 10.13 HighSierra."

Parsing Tool

BGPRanking

Open-source

https://github.com/CIRCL/bgp-ranking/blob/master/LICENSE
https://github.com/CIRCL/bgpranking-redis-api/blob/master/LICENSE

BGPRanking: Raphaël Vinot, Alexandre Dulaunoy, CIRCL
BGPRanking Python API: Raphaël Vinot, CIRCL

https://bgpranking-ng.circl.lu/ https://circl.lu/projects/bgpranking/ https://github.com/CIRCL/bgp-ranking https://github.com/CIRCL/bgpranking-redis-api

BGP ranking is a free software to calculate the security ranking of Internet Service Provider (ASN).

Network Monitoring

Bin Text

Freeware

Aldeid

https://www.aldeid.com/wiki/BinText

A small, very fast and powerful text extractor that will be of particular interest to programmers.

Artefact Analysis

BinaryEdge API

Paid service with a free option

Terms and Conditions: https://app.binaryedge.io/terms-and-conditions

BinaryEdge

https://www.binaryedge.io/ https://app.binaryedge.io/ https://docs.binaryedge.io/

Scan the internet and acquire data that can be transformed into threat intelligence feeds or security reports.

Information Correlation

Binwalk

Open-source

MIT: https://github.com/keydet89/RegRipper3.0/blob/master/license.txt

Craig Heffner

https://github.com/ReFirmLabs/binwalk https://tools.kali.org/forensics/binwalk

"a fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images"

Disk Image Creation Tool

Bot Checker Script

Open source

GPL-3.0

INCIBE-CERT

https://github.com/felmoltor/INCIBEBotDetect

Script to periodically check if there is an infected maching in your LAN

Malware Detection

Bytehist

Freeware

ISCL: http://en.wikipedia.org/wiki/ISC_license

Christian Wojner @ CERT.at

https://www.cert.at/en/downloads/software/software-bytehist https://twitter.com/CERTat_Minibis

"A tool for generating byte-usage-histograms for all types of files with a special focus on binary executables in PE-format (Windows)."

Visualization

CAINE (Computer Aided Investigative Environment)

Freeware + Open-source (Linux distribution)

Nanni Bassetti (current project manager)

http://www.caine-live.net/

"an Italian GNU/Linux live distribution created as a Digital Forensics project"

Evidence Collector

Carl-Hauser

Open-source

GNU GPL v3.0: https://github.com/CIRCL/carl-hauser/blob/master/LICENSE

CIRCL

https://github.com/CIRCL/carl-hauser

"Open Source Testing Framework for image correlation, distance and analysis."

Artefact Analysis

Censys API

Paid service with free quota

Terms of Services: https://censys.io/tos

Censys

https://censys.io/api

"The Censys REST API provides programmatic access to the same data accessible through the web interface. API access is governed by our Terms of Service and all scripted access should use this API."

Information Correlation

CERT-EE Sandbox

Free online service

Cuckoo Foundation

CERT-EE

https://cuckoo.cert.ee/

File analysis tool for IT specialists, allowing them
to check in safe mode how operating systems on
various virtual and physical platforms behave when
a suspicious file is opened.

Binary Analysis Framework

CERT Bund Report Parser

Open source

MIT License

CERT-Bund

https://github.com/manitu-opensource/certbundreport-parser

A PHP parser for German CERT Bund email reports.

Parsing Tool

CERT PRISM

Freeware

https://www.sei.cmu.edu/legal/index.cfm

SEI, CMU

https://tools.netsa.cert.org/script-prism/index.html

Prism is a tool for visualizing flow data as a time series, broken down into several configurable bins by SiLK's rwfilter tool.

Visualisation Tool

certspotter-processing

Open source

GPL-3.0 License

CERT.at

https://github.com/certat/certspotter-processing

A bunch of short scripts used for handing the results of the program certspotter.

Parsing Tool

CertStream

Open-source

MIT License: https://github.com/CaliDog/certstream-server/blob/master/LICENSE

Cali Dog Security

https://certstream.calidog.io/ https://github.com/search?q=org%3ACaliDog+certstream https://github.com/CaliDog/certstream-server-python https://github.com/CaliDog/certstream-python https://github.com/CaliDog/certstream-server https://github.com/CaliDog/certstream-go https://github.com/CaliDog/certstream-js https://github.com/CaliDog/certstream-java

"an intelligence feed that gives you real-time updates from the Certificate Transparency Log network, allowing you to use it as a building block to make tools that react to new certificates being issued in real time"

Network Monitoring

CFF Explorer

Freeware

Erik Pistelli

https://github.com/cybertechniques/site/blob/master/analysis_tools/cff-explorer/index.md

CFF Explorer was designed to make PE editing as easy as possible, but without losing sight on the portable executable’s internal structure. This application includes a series of tools which might help not only reverse engineers but also programmers.

PE Editor

CHIRP IOC Detection Tool

Freeware

https://creativecommons.org/publicdomain/zero/1.0/

CISA

https://github.com/cisagov/CHIRP

CHIRP is a forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs)

Evidence Collector

chkdeface

In-house built

JPCERT/CC

https://www.first.org/resources/papers/conf2015/first_2015_-_uchiyama-_kobayashi_-_keeping_eyes_on_malicious_websites_20150604.pdf

To check for defaced websites online.

Malware Detection

CIF (Collective Intelligence Framework)

Open-source

Mozilla Public License 2.0: https://github.com/csirtgadgets/cif-v5/blob/master/LICENSE

CSIRT Gadgets, LLC

https://csirtgadgets.com/ https://github.com/csirtgadgets

A threat intelligence framework

Cyber Threat Intelligence Framework

CIRCLean - USB key sanitizer

Open-source

BSD 3-Clause "New" or "Revised" License: https://github.com/CIRCL/Circlean/blob/master/LICENSE

CIRCL

http://www.circl.lu/projects/CIRCLean/ https://github.com/CIRCL/Circlean

CIRCLean is an independent hardware solution to clean documents from untrusted (obtained) USB keys / USB sticks.

USB Cleaning

class-dump-z

Freeware

https://github.com/interference-security/ios-pentest-tools/blob/master/class-dump-z

IOS Pentest tool.

Penetration Testing

cmu-sei/kaiju

Open-source

https://github.com/cmu-sei/kaiju/blob/main/LICENSE.md

CERT/CC-CMU

https://github.com/cmu-sei/kaiju

CERT Kaiju is a binary analysis framework extension for the Ghidra software reverse engineering suite. This repository is a "mirror" -- please file tickets, bug reports, or pull requests at the upstream home in @CERT/CC.

Sandboxing/Reversing Tool

Cortex

Open-source

GNU GAPL v3.0: https://github.com/TheHive-Project/CortexDocs/blob/master/LICENSE

TheHive Project

https://github.com/TheHive-Project/CortexDocs

"Cortex solves two common problems frequently encountered by SOCs, CSIRTs and security researchers in the course of threat intelligence, digital forensics and incident response:
How to analyze observables they have collected, at scale, by querying a single tool instead of several?
How to actively respond to threats and interact with the constituency and other teams?"

Information Correlation

createfs.py

CERT Polska

http://kippo.googlecode.com/svn/trunk/createfs.py (The website is not accessible)

A tool from the Kippo
repository to generate a fake filesystem (in python pickle format required by
Kippo) which structure is based on the host filesystem.

CRIT

Open-source

Mitre Corporation

https://crits.github.io/

CRITs is an open source malware and threat repository that leverages other open source software to create a unified tool for analysts and security experts engaged in threat defense.

Cyber Threat Intelligence

Critical Stack

Open-source

Apache License v2.0: https://github.com/criticalstack/ui/blob/main/LICENSE

Capital One

https://www.capitalone.com/tech/solutions/container-orchestration/ https://github.com/criticalstack

"enforces the highest level of governance and security standards, enabling teams to efficiently scale containerized applications in the strictest environments"

csirtgadgets/csirtg-domainsml-tf-py

Open-source

MPL 2.0

CSIRT Gadgets, LLC

https://github.com/csirtgadgets/csirtg-domainsml-tf-py

simple python/keras/tensorflow library for detecting odd domains in python

Network Threat Detection

csirtgadgets/csirtg-ipsml-tf

Open-source

MPL 2.1

CSIRT Gadgets, LLC

https://github.com/csirtgadgets/csirtg-ipsml-tf

simple library for detecting suspicious connections using TensorFlow

Network Threat Detection

csirtgadgets/csirtg-urlsml-tf-py

Open-source

MPL 2.2

CSIRT Gadgets, LLC

https://github.com/csirtgadgets/csirtg-urlsml-tf-py

simple python/keras/tensorflow library for detecting odd urls in python

Network Threat Detection

CTI Toolkit

Open-source

https://github.com/MISP/cti-toolkit/blob/master/LICENSE

CERT Australia-ACSC

https://github.com/MISP/cti-toolkit

This package contains cyber threat intelligence (CTI) tools created by CERT Australia.

Cyber Threat Intelligence

Cuckoo Sandbox

Open-source

GNU GPL v3.0: https://github.com/cuckoosandbox/cuckoo/blob/master/LICENSE

Stichting Cuckoo Foundation

https://cuckoosandbox.org/ https://github.com/cuckoosandbox

"automated malware analysis system"

Sandboxing/Reversing Tool

curl

Freeware

Daniel Stenberg

https://en.wikipedia.org/wiki/CURL#cURL

curl is a command-line tool for getting or sending data including files using URL syntax.

UNIX Tool

cve-search

Open-source + Online free service

GNU AGPL v3.0: https://github.com/cve-search/cve-search/blob/master/LICENSE

CIRCL

https://www.cve-search.org/ https://github.com/cve-search/

"a set of free software to support the search, indexing, correlation and management of software vulnerabilities"

Vulnerability Management

Cyber-Ticket-Studio

Freeware

https://github.com/cmu-sei/Cyber-Ticket-Studio/blob/master/LICENSE.txt

SEI CMU

https://github.com/cmu-sei/Cyber-Ticket-Studio

CTS is a tool that enables users to explore, search, sort, mine, and visualize large numbers of cyber incident tickets (and some other kinds of tickets) at the same time.

Incident Management

CyberGreen Stats and CyberGreen API

Free online services and free API

JPCERT/CC (lead)

https://stats.cybergreen.net/ https://stats.cybergreen.net/download/

"Cyber Health Statistics"
The website has a visualization engine and the API allows data access.

Visualization

Cybersecurity Incident Report and Analysis System – Visual Analysis Tool

Free online services

ENISA

https://www.enisa.europa.eu/topics/incident-reporting/cybersecurity-incident-report-and-analysis-system-visual-analysis/visual-tool

An online service showing statistics of cyber incidents in an interactive and visualised manner.

Visualization

Cybobstract

Open-source

https://github.com/cmu-sei/cyobstract/blob/master/LICENSE.txt

CERT/CC-CMU

https://github.com/cmu-sei/cyobstract

Cyobstract is a cyber observables extraction tool that uses regular expressions on cyber incident reports. It quickly pulls indicators and other cyber information from these reports. It takes free text as input and provides relevant information for incident response (IR) in a structured format as output.

Artefact Collector

D4 Attack Map

Free online services

CIRCL

https://map.circl.lu/

"displays realtime SSH bruteforce attacks registered against d4-project's main instance, hosted in Luxembourg."

Visualization

dc3dd

Open-source

GNU GPL v3: https://gitlab.com/kalilinux/packages/dc3dd/-/blob/kali/master/COPYING

DCCI (dc3dd@dc3.mil)

https://sourceforge.net/projects/dc3dd/ https://tools.kali.org/forensics/dc3dd https://gitlab.com/kalilinux/packages/dc3dd

"a patched version of GNU dd with added features for computer forensics"

Artefact Analysis

Open-source

GPL 3.0

Ken Thompson

https://github.com/thefanclub/dd-utility

Write and Backup Operating System IMG or ISO files on Memory Card or Disk

Disk Image Creation Tool

DEFT (Digital Evidence and Forensics Toolkit)

Freeware and Open-source?

GNU GPL v3

DEFT Linux Core Team

http://na.mirror.garr.it/mirrors/deft/

"a distribution made for Computer Forensics, with the purpose of running live on systems without tampering or corrupting devices (hard disks, pen drives, etc…) connected to the PC where the boot process takes place"

Evidence Collector

DensityScout

Freeware

ISCL: http://en.wikipedia.org/wiki/ISC_license

Christian Wojner @ CERT.at

https://cert.at/en/downloads/software/software-densityscout

"This tool calculates density (like entropy) for files of any file-system-path to finally output an accordingly descending ordered list. This makes it possible to quickly find (even unknown) malware on a potentially infected Microsoft Windows driven machine."

Malware Detection

DetectionLab

Open-source

MIT License: https://github.com/clong/DetectionLab/blob/master/LICENSE

Chris Long

https://github.com/clong/DetectionLab

"automates the process of building an Active Directory based lab environment on many different platforms and configures the lab hosts for maximum telemetry collection using tools like Sysmon and osquery"
https://jsac.jpcert.or.jp/en/timetable.html#modal-main2

Repository of Scripts

DetectLM

Open-source

JPCERT/CC

https://github.com/JPCERTCC/DetectLM

To detect attackers'lateral movement using machine learning

Network Threat Detection

dig (Domain Information Groper)

Open-source

Internet Systems Consortium, Inc.

https://linux.die.net/man/1/dig

To check if a DNS server is configured as an open resolver allowing recursive queries, you can use the 'dig' tool for sending a DNS request for an arbitrary domain name (the server is not authoritative for) to the IP address of the DNS server in question

Domain Name/IP Address Checker

dionaea honeypot

Open-source

GNU GPL v2.0: https://github.com/DinoTools/dionaea/blob/master/LICENSE

dionaea community

https://dionaea.readthedocs.io/ https://github.com/DinoTools/dionaea, https://github.com/GovCERT-CZ/dionaea, https://github.com/GovCERT-CZ/DionaeaFR

"a nepenthes successor, embedding python as scripting language, using libemu to detect shellcodes, supporting ipv6 and tls"

Honeypot

Distorm3

Open-source

https://github.com/gdabah/distorm/blob/master/COPYING

Gil Dabah

https://github.com/gdabah/distorm

diStorm3 is really a decomposer, which means it takes an instruction and returns a binary structure which describes it rather than static text, which is great for advanced binary code analysis.

Artefact Analysis

dnscat2

Open-source

BSD 3 Clause License

https://github.com/iagox86/dnscat2

This tool is designed to create an encrypted command-and-control (C&C) channel over the DNS protocol, which is an effective tunnel, out of almost every network.

Penetration Testing

DNScheck

Free online service

MAHER-CERT

https://dnscheck.cert.ir/

DNS review system to check for dns vulnerabilities in a network.

Domain Name/IP Address Checker

dnstwist

Open-source

Apache License v2.0: http://www.apache.org/licenses/LICENSE-2.0

Marcin Ulikowski

https://dnstwist.it/ https://github.com/elceef/dnstwist

"Domain name permutation engine for detecting homograph phishing attacks, typo squatting, and brand impersonation "

Domain Name/IP Address Checker

do-portal

Open-source

CERT.at

https://github.com/certat/do-portal

This is a web-based application for managing contact information with network information, self-administration and statistics integration. It is used by CERT.at/GovCERT.at/Austrian Energy CERT to maintain contact information for customers and network owners

Contact Portal

Douglas-Quaid

Open-source

GNU GPL v3.0: https://github.com/CIRCL/douglas-quaid/blob/master/LICENSE

CIRCL

https://github.com/CIRCL/douglas-quaid

"Open source software for image correlation, distance and analysis."

Disk Image Analysis

DumpIt (Moonsols standalone programme or part of Comae-Toolkit/Stardust?)

Freeware or Open-source?

Comae or Moonsols?

https://www.comae.com/dumpit-memory-forensics-malware-analysis/ https://github.com/comaeio/comae-cli http://qpdownload.com/dumpit/ http://www.moonsols.com/wp-content/plugins/download-monitor/download.php?id=7 [broken]

Memory acquisition
"Comae-Toolkit is free for personal usage. Registration is required."
Some CSIRTs referred to Moonsols as the developer and some referred to Comae. It is unclear if Comae inherited Dumpit from Moonsols and developed it further. It is however clear that Comae's Dumpit is more recent and still being actively maintained.

Memory Analysis Tool

dynamic_ips

CERT.at

https://github.com/certat/dynamic_ips

A mapping of (IP address -> is a dynamic IP (Y/N)?)

Information Co-relation

ElasticSearch

Freeware

https://github.com/elastic/elasticsearch/blob/master/LICENSE.txt

Elastic NV

https://github.com/elastic/elasticsearch

Elasticsearch is a search engine based on the Lucene library. It provides a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents.

Search Engine

EmoCheck

Open-source

https://github.com/JPCERTCC/EmoCheck/blob/master/LICENSE.txt

JPCERT/CC

https://github.com/JPCERTCC/EmoCheck

Emotet detection tool for Windows OS

Artefact Collector

Encrypted Disk Detector: EDD

Freeware

MAGNET

https://www.magnetforensics.com/resources/encrypted-disk-detector/

"a command-line tool that can quickly and non-intrusively check for encrypted volumes on a computer system during incident response"

Disk Image Analysis

ENISA CSIRT maturity self-assessment tool

Free online service

ENISA

https://www.enisa.europa.eu/topics/csirts-in-europe/csirt-capabilities/csirt-maturity/csirt-maturity-self-assessment-survey

"helps CSIRTs to self-assess their team’s maturitylogo maturity in terms of 44 parameters of the SIM3 model"

Incident Management

ENISA interactive CSIRT Inventory

Free online service

ENISA

https://www.enisa.europa.eu/topics/csirts-in-europe/csirt-inventory https://www.enisa.europa.eu/topics/csirts-in-europe/csirt-inventory/certs-by-country-interactive-map

"The European CSIRT Inventory gives an overview of the actual situation concerning CSIRT teams in Europe. It provides a list of publicly listed incident response teams that can be visualised by the interactive mapping tool."

Incident Management

exchange_webshell_detection

Open-source

CERT.lv

https://github.com/cert-lv/exchange_webshell_detection

Detect webshells dropped on Microsoft Exchange servers exploited through "proxylogon" group of vulnerabilites (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) (This project is discontinued)

Artefact Collector

Exeinfo PE

Freeware

A.S.L Soft

https://exeinfo-pe.en.uptodown.com/windows

Exeinfo PE is a program that lets you verify .exe files and check out all their properties. You can also change the file name, directly open the .exe, or simply delete it.

Artefact Analysis

ExifTool

Open-source

Perl license: https://exiftool.org/#license

Phil Harvey

https://exiftool.org/ https://en.wikipedia.org/wiki/ExifTool

Extracting metadata of files, including PE (exe) file header info

Information Reader/Writer

Falcon Sandbox Public API and API connectors

Open-source

Terms and Conditions of Use: https://www.hybrid-analysis.com/terms
GNU GPL v3.0: https://github.com/PayloadSecurity/VxAPI/blob/master/LICENSE.md
MIT License: https://github.com/picatz/falconz/blob/master/LICENSE.txt

Falcon Sandbox & VxAPI Python connector: Hybrid Analysis
Ruby connector: Kent 'picat' Gruber

https://www.hybrid-analysis.com/docs/api/v2 https://github.com/PayloadSecurity/VxAPI https://github.com/picatz/falconz

"Falcon Sandbox has a powerful and simple API that can be used to submit files/URLs for analysis, pull report data, but also perform advanced search queries. The API is open and free to the entire IT-security community."

Sandboxing/Reversing Tool

FastIR

Open-source

GPL 3.0

Sekoia Lab

https://github.com/SekoiaLab/Fastir_Collector

This tool collects different artefacts on live Windows and records the results in csv or json files. With the analyses of these artefacts, an early compromission can be detected. FastIR Collector is no longer maintained. We recommend using our new FastIR Artifacts collector instead

Evidence Collector

Filebeat-module-for-Squid

https://github.com/rhpenguin/Filebeat-module-for-Squid

Config example and Filebeat module for Squid based on JPCERT/CC report.

Logfile Monitoring

flubot

Open-source

ISC License

NCSC-NL

https://github.com/NCSC-NL/flubot

This repository contains lists of domains generated by the Flubot DGA.

Repository of Domains from Flubot DGA

FollowTcpStream

CERT.at

https://github.com/certat/FollowTcpStream

A command-line tool written in Python influenced by Wiresharks "Follow TCP stream" functionality enhanced by some fancy and useful features like un-chunking, un-gzipping, etc.

Network Monitoring Tool

foremost

Open-source

Public domain

UG Government

http://foremost.sourceforge.net/ https://tools.kali.org/forensics/foremost https://gitlab.com/kalilinux/packages/foremost

"a forensic program to recover lost files based on their headers, footers, and internal data structures"

File Recovery Tool

FTK Imager (and FTK Imager Lite)

Freeware

Access Data

https://accessdata.com/product-download/ftk-imager-version-4.2.0 https://accessdata.com/product-download/ftk-imager-lite-version-3-1-1

Memory and disk acquisition

Disk Image Creation Tool

gabriel

Open source

GPL-3.0 License

CERT-GOV-GE

https://github.com/CERT-GOV-GE

A DDoS detection plugin for NfSen
"*** Development of this plugin has been stopped. Currently it has some false positives and does not work as it should. ***"

DDOS Detection Plugin

Ghidra

Open-source

Apache License v2.0: https://github.com/NationalSecurityAgency/ghidra/blob/master/LICENSE

National Security Agency, USA

https://ghidra-sre.org/ https://github.com/NationalSecurityAgency/ghidra

"a software reverse engineering (SRE) framework"

Sandboxing/Reversing Tool

Glastopf

Open-source

GNU GPL v3.0: https://github.com/mushorg/glastopf/blob/master/GPL

Lukas Rist

https://github.com/mushorg/glastopf http://glastopf.org/

"a Python web application honeypot"

Honeypot

GMER

Freeware

Przemysław Gmerek

http://www.gmer.net/?m=0

GMER is a software tool written by a Polish researcher Przemysław Gmerek, for detecting and removing rootkits.

Malware Detection

GoUtils2.0

Open-source

No license

Egor Zaytsev

https://gitlab.com/zaytsevgu/GoUtils2.0/ https://github.com/sibears/IDAGolangHelper (new version) https://gitlab.com/zaytsevgu/goutils (old version)

"Set of IDA Pro scripts for parsing GoLang types information stored in compiled binary"

Sandboxing/Reversing Tool

grep

Open-source

Ken Thompson

https://en.wikipedia.org/wiki/Grep

a command-line utility for searching plain-text data sets for lines that match a regular expression. Its name comes from the ed command g/re/p (globally search for a regular expression and print matching lines), which has the same effect.

Command-line Search Utility

Guymager

CERT-EU

https://guymager.sourceforge.io/

Disk acquisition

Disk Image Creation Tool

HoneyViz

Open-source

Honeynet Project

https://www.honeynet.org/2011/08/27/honeyviz-demo-is-out-for-your-viewing-pleasure/

An interactive honeynet visualization tool (Slide 23 of https://www.itu.int/en/ITU-D/Cybersecurity/Documents/Services.pdf)
May be discontinued as could not be found on Google

Honeypot

Hook Analysis

Freeware (form filling needed)

Own license (see LICENSE.txt in the downloaded software compression package file)

Beenu Arora
https://www.beenu.com/

http://www.hookanalyser.com/ https://drive.google.com/file/d/0B4eYJx0xZdQAM3B2aklEa0NTcm8/view [after filling form]

"A Freeware Malware Analysis and Cyber Threat Intelligence Software"
Freeware, but does not seem open source. Downloading requires a form filled.
Author identified via screenshots of the software on its website.

Cyber Threat Intelligence

Icinga2

Open-source

GNU GPL v2: https://github.com/Icinga/icinga2/blob/master/COPYING

https://github.com/Icinga/icinga2/blob/master/AUTHORS

https://icinga.com/ https://github.com/Icinga/icinga2

"computer system and network monitoring application ... originally created as a fork of the Nagios system monitoring application in 2009."

Network Monitoring Tool

IDA Freeware / IDA Free

Freeware

Hex-Rays SA

https://www.hex-rays.com/products/ida/support/download_freeware/

"an interactive, programmable, extensible, multi-processor disassembler hosted on Windows, Linux, or Mac OS X"
Freeware version has limited features and technical support.

Sandboxing/Reversing Tool

IFAS (Information Feed Analysis System)

Open-source

Apache License v2.0: https://www.apache.org/licenses/LICENSE-2.0.txt

HKCERT and CSIRT Foundry

http://samuelandamanda.life/ifas/

IFAS is designed to gather security event logs from many public sources, normalise them to similarly-structured event data, store them, and allow searching and analysis of events.

Artefact Collector

Immunity Debugger

Open-source

https://github.com/kbandla/ImmunityDebugger/blob/master/1.85/LICENSE.txt

Immunity Inc.

https://www.immunityinc.com/products/debugger/ https://github.com/kbandla/ImmunityDebugger

"a powerful new way to write exploits, analyze malware, and reverse engineer binary files"

Sandboxing/Reversing Tool

impfuzzy, pyimpfuzzy, impfuzzy for Neo4j, impfuzzy for Volatility, impfuzzy for Volatility3

Open-source

JPCERT/CC

https://github.com/JPCERTCC/impfuzzy/ https://github.com/JPCERTCC/impfuzzy/tree/master/pyimpfuzzy https://github.com/JPCERTCC/impfuzzy/tree/master/impfuzzy_for_Neo4j https://github.com/JPCERTCC/impfuzzy/tree/master/impfuzzy_for_Volatility/ https://github.com/JPCERTCC/impfuzzy/tree/master/impfuzzy_for_Volatility3/

"Fuzzy Hash calculated from import API of PE files"
"Python script for clustering malware based on fuzzy hash and importing/visualizing the result using Neo4j."

Memory Analysis Tool

ImpREC

Open-source

Apache License, Version 2.0

Dr. Markus Borg

https://github.com/mrksbrg/ImpRec

Advanced artefact analysis tool.

Artefact Analysis

Indicator of Compromise Scanner for CVE-2019-19781

Open-source

Apache License v2.0: https://github.com/citrix/ioc-scanner-CVE-2019-19781/blob/master/LICENSE.txt

Citrix

https://github.com/citrix/ioc-scanner-CVE-2019-19781/

"a utility for detecting compromises of Citrix ADC Appliances related to CVE-2019-19781. The utility, and its resources, encode indicators of compromise collected during FireEye Mandiant investigations."

Scanner

INetSim

Open-source

Thomas Hungenberg & Matthias Eckert

https://www.inetsim.org/downloads.html

INetSim is a software suite for simulating common internet services in a lab environment, e.g. for analyzing the network behaviour of unknown malware samples.

Simulator Software Suite

Inf-tools

Open-source

GNU GPL v3.0: https://github.com/CIRCL/lnf-tools/blob/master/LICENSE

CIRCL

https://github.com/CIRCL/lnf-tools

"to analyze and process large set of Netflow records"

Network Data Analyser

IntelMQ and other related tools

Open-source

IntelMQ & Contact DB - GNU AGPL v3.0: https://github.com/certtools/intelmq/blob/develop/LICENSE
IntelMQ Manager - Multiple: https://github.com/certtools/intelmq-manager/tree/develop/LICENSES

CERT.pt and CERT.at

http://certtools.github.io/ https://github.com/certtools/intelmq/ https://github.com/certtools/intelmq-manager https://github.com/certtools/contactdb

IntelMQ is a solution for IT security teams (CERTs & CSIRTs, SOCs, abuse departments, etc.) for collecting and processing security feeds (such as log files) using a message queuing protocol. It's a community driven initiative called IHAP (Incident Handling Automation Project) which was conceptually designed by European CERTs/CSIRTs during several InfoSec events. Its main goal is to give to incident responders an easy way to collect & process threat intelligence thus improving the incident handling processes of CERTs.

Incident Management Tool

intelmq-docker

CERT.at

https://github.com/certat/intelmq-docker

This docker image is not docker compliant. THIS is just for beta usage & information gathering. Do not run this software in production, it might break.

Incident Management

intelmq-fody

CERT.at

https://github.com/certat/intelmq-fody

Web interface to IntelMQ

Incident Management

intelmq-fody-backend

CERT.at

https://github.com/certat/intelmq-fody-backend

A backend to serve intelmq-cb-mailgen data for the webapp fody.

Incident Management

intelmq-webinput-csv

CERT.at

https://github.com/certat/intelmq-webinput-csv

This is a Flask-based web interface allowing the user to insert CSV data into intelmq's pipelines interactively with preview from the CSV parser.

Incident Management Solution

internet-inventory

CERT.at

https://github.com/certat/internet-inventory

Collection of datasets representing an "Internet Inventory" - metadata on IPs and networks and ASNs on the net

WHOIS

IOC Editor

Freeware

FireEye

https://www.fireeye.com/services/freeware/ioc-editor.html

provides an interface for managing data and manipulating the logical structures of IOCs.

Artefact Collector

IOC-DB API

Free API

InQuest Labs

https://labs.inquest.net/iocdb

A free API for accessing IOC-DB programmatically.

API

iocextract

Open-source

GNU GPL v2.0: https://github.com/InQuest/python-iocextract/blob/master/LICENSE

Inquest, LLC

https://github.com/InQuest/python-iocextract

"extracts URLs, IP addresses, MD5/SHA hashes, email addresses, and YARA rules from text corpora. It includes some encoded and "defanged" IOCs in the output, and optionally decodes/refangs them."

Artefact Collector

iodine

Open-source

ISC License

Erik Ekman,Bjorn Andersson

https://github.com/yarrick/iodine

This is a piece of software that lets you tunnel IPv4 data through a DNS server. This can be usable in different situations where internet access is firewalled, but DNS queries are allowed.

Penetration Testing

IOT Tracker

In-house built

CERT Polska

https://www.cert.pl/en/uploads/docs/Report_CP_2019.pdf

a simple and effective tool for monitoring infected IoT devices in Polish address space. IoT Tracker collects information about malware infected IoT devices from several different sources of data

Evidence Collector

IP-ASN-History (IP to ASN Mapping Service with History)

Open-source

GNU AGPL v3.0: https://github.com/D4-project/IPASN-History/blob/master/LICENSE

CIRCL

http://www.circl.lu/services/ip-asn-history/ https://github.com/D4-project/IPASN-History

To look up IP addresses announcements in the past.

Domain Name/IP Address Checker

ip2nat

Open-source

AGPL 3.0

CERT.at

https://github.com/certat/ip2nat

source code for extracting a mapping of IP address to NAT (yes/no?) property

Domain Name/IP Address Checker

iPhone Backup Analyser 2

Open-source

MIT License

Mario Piccinelli

https://github.com/PicciMario/iPhone-Backup-Analyzer-2

This software allows the user to browse through the content of an iPhone/iPad backup made by iTunes (or other software able to perform iOS devices' backup).

Artefact Analysis

JVN (Japan Vulnerability Notes)

Free online service

JPCERT/CC, IPA (Information-technology Promotion Age, Japan)

http://jvn.jp/en/

"a vulnerability information portal site designed to help ensure Internet security by providing vulnerability information and their solutions for software products used in Japan"

Vulnerability Database

Kaitai Struct

Open source

GPL 3.0

Kaitai Project

https://kaitai.io/

Kaitai Struct is a general-purpose declarative language for describing binary data structures. With it we can parse binary file formats, in-memory data structures, network packets, etc.

Parsing Tool

Kali Linux

Open-source

Kali Linux

http://cdimage.kali.org/kali-latest/amd64/

A Linux distribution with many security tools such as for disk acquisition as recommended by CIRCL.

Penetration Testing

Kamerka / ꓘamerka

Open-source

Wojciech (www.offensiveosint.io)

https://github.com/woj-ciech/Kamerka-GUI https://github.com/woj-ciech/kamerka

"an open-source intelligence (OSINT) gathering tool that indexes information about sensitive internet-connected devices and plots their approximate location on a map."
It seems the author recommends the GUI version now and invalidated the old version.

Cyber Threat Intelligence

Kansa

Open-source

Apache License 2.0: https://github.com/davehull/Kansa/blob/master/LICENSE

Dave Hull

https://github.com/davehull/Kansa

"A modular incident response framework in Powershell. It's been tested in PSv2 / .NET 2 and later and works mostly without issue."

Artefact Collector

Karton

Freeware

https://github.com/CERT-Polska/karton/blob/master/LICENSE

CERT Polska

https://github.com/CERT-Polska/karton

Karton is a robust framework for creating flexible and lightweight malware analysis backends.

Malware Analysis

keyfinder

Open-source

https://github.com/CERTCC/keyfinder/blob/master/LICENSE.md

CMU CERT/CC

https://github.com/CERTCC/keyfinder

A tool for finding and analyzing private (and public) key files, including support for Android APK files.

Scanner Tool

Kippo

Open-source

Upi Tamminen

https://github.com/desaster/kippo

"a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker"

Honeypot

Kippo-Graph

Open-source

https://github.com/ikoniaris/kippo-graph/blob/master/LICENSE.txt

Ioannis Koniaris

https://github.com/ikoniaris/kippo-graph

"a full featured script to visualize statistics for a Kippo based SSH honeypot"

Visualisation Tool

KVM (Kernel-based Virtual Machine)

Open-source

Avi Kivity and other contributors

https://www.linux-kvm.org/

"a full virtualization solution for Linux on x86 hardware containing virtualization extensions (Intel VT or AMD-V)", part of Linux kernel
"The kernel component of KVM is included in mainline Linux, as of 2.6.20. The userspace component of KVM is included in mainline QEMU, as of 1.3. "

Visualisation Tool

libevt (including tools such as evtexport)

Open-source

GNU LGPL v3.0: https://github.com/libyal/libevt/blob/main/COPYING

Joachim Metz

https://github.com/libyal/libevt

"a library to access the Windows Event Log (EVT) format"

Log Analysis

libvshadow/vshadowinfo

Open-source

Joachim Metz

https://github.com/libyal/libvshadow/

"a library to access the Volume Shadow Snapshot (VSS) format"

Volume Shadow Snapshot (VSS) Reader

LiME

Open-source

GPL 2.0

Joe Sylve

https://github.com/504ensicsLabs/LiME

LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android.

Memory Analysis Tool

linux_arp

Open-source

GPL 2.0

Linus Torvalds

https://manpages.ubuntu.com/manpages/xenial/man7/arp.7.html

It is used to convert between Layer2 hardware addresses and IPv4 protocol addresses on directly connected networks. The user normally doesn't interact directly with this module except to configure it; instead it provides a service for other protocols in the kernel.

Network Utility

linux_ifconfig

Open-source

GPL 2.0

Linus Torvalds

https://man7.org/linux/man-pages/man8/ifconfig.8.html

ifconfig(interface configuration) command is used to configure the kernel-resident network interfaces. It is used at the boot time to set up the interfaces as necessary. After that, it is usually used when needed during debugging or when you need system tuning. Also, this command is used to assign the IP address and netmask to an interface or to enable or disable a given interface.

Network Management

linux_mount

Open-source

GPL 2.0

Linus Torvalds

https://man7.org/linux/man-pages/man2/mount.2.html

mount() attaches the filesystem specified by sourc (which is
often a pathname referring to a device, but can also be the
pathname of a directory or file, or a dummy string) to the
location (a directory or file) specified by the pathname in
target.

Disk Image Creation Tool

linux_proc_maps

Open-source

GPL 2.0

Linus Torvalds

https://man7.org/linux/man-pages/man5/proc.5.html

The proc filesystem is a pseudo-filesystem which provides an interface to kernel data structures. It is commonly mounted at /proc.

Artefact Collector

linux_pslist

Open-source

GPL 2.0

Linus Torvalds

http://manpages.ubuntu.com/manpages/impish/man1/pslist.1.html

Pslist is a simple utility to list the process IDs (PIDs) of a process and all its children, and its children's children, and so on.

Process Enumerator

linux_route_cache

Linus Torvalds

http://linux-ip.net/html/routing-cache.html

The routing cache stores recently used routing entries in a fast and convenient hash lookup table, and is consulted before the routing tables. If the kernel finds a matching entry during route cache lookup, it will forward the packet immediately and stop traversing the routing tables.

Network Utility

LogonTracer

Open-source

https://github.com/JPCERTCC/LogonTracer/blob/master/LICENSE.txt

JPCERT/CC

https://github.com/JPCERTCC/LogonTracer, https://github.com/likescam/LogonTracer_jpcert

"LogonTracer is a tool to investigate malicious logon by visualizing and analyzing Windows Active Directory event logs. This tool associates a host name (or an IP address) and account name found in logon-related events and displays it as a graph. This way, it is possible to see in which account login attempt occurs and which host is used."

Artefact Analysis

macApfsMounter

Open-source

GNU GPL v3.0: https://github.com/Recruit-CSIRT/macApfsMounter/blob/master/LICENSE

moniik / Takaya Kawasaki (Recruit Technologies)

https://github.com/Recruit-CSIRT/macApfsMounter

"A small tool to easily mount APFS image on macOS."

Disk Image Creation Tool

macOS Artifact Collector (macosac)

Open-source

Apache License 2.0: https://github.com/mnrkbys/macosac/blob/master/LICENSE

Minoru Kobayashi (Internet Initiative Japan)

https://github.com/mnrkbys/macosac

"a DFIR tool for collecting artifact files on macOS."

Artefact Collector

macOS Triage Tool

Open-source

GNU GPL v3.0: https://github.com/Recruit-CSIRT/macOSTriageTool/blob/master/LICENSE

moniik / Takaya Kawasaki (Recruit Technologies)

https://github.com/Recruit-CSIRT/macOSTriageTool

"A DFIR tool to collect artifacts on macOS"

Artefact Collector

MacRipper

Open-source

GNU GPL v3.0: https://github.com/Recruit-CSIRT/MacRipper/blob/master/LICENSE.txt

moniik / Takaya Kawasaki (Recruit Technologies)

https://github.com/Recruit-CSIRT/MacRipper

"A DFIR tool to analyze artifacts on macOS"

Artefact Analysis

MalConfScan

Open-source

https://github.com/JPCERTCC/MalConfScan/blob/master/LICENSE.txt

JPCERT/CC

https://github.com/JPCERTCC/MalConfScan

This tool searches for malware in memory images and dumps configuration data. In addition, this tool has a function to list strings to which malicious code refers

Memory Analysis Tool

MalConfScan with Cuckoo

Open-source

https://github.com/JPCERTCC/MalConfScan-with-Cuckoo/blob/master/LICENSE.txt

JPCERT/CC

https://github.com/JPCERTCC/MalConfScan-with-Cuckoo

Cuckoo Sandbox plugin for extracts configuration data of known malware

Memory Analysis Tool

Malware Hunter

Free online service

Shodan

https://malware-hunter.shodan.io/

"a crawler that scans the Internet regularly to identify botnet command and control (C&C) servers for various malware and botnets."

Malware Detection

Malwr

https://malwr.com/

"Automated Malware Analysis Sandboxes and Services". NOTE: Currently the site is not accessible.

Sandboxing/Reversing Tool

mass_mail.py

In-house built

NCSC-FI

https://www.first.org/resources/papers/conference2014/first_2014_-_huopio-_kauto_-_your_assistance_is_required_20140613.pdf

Automated script for mass mailing

Mass Mailer Tool

md5sum

Open-source

GNU GPL v3

Ulrich Drepper, Scott Miller, and David Madore

https://linux.die.net/man/1/md5sum

"calculates and verifies 128-bit MD5 hashes, as described in RFC 1321."
Core command-line utility tool in Linux.

MD5 Checker

mdd

Open-source

GPL 2.0

https://sourceforge.net/projects/mdd/

MDD is a physical memory acquisition tool for imaging Windows based computers created by the innovative minds at ManTech International Corporation. MDD is capable of acquiring memory images from Win2000, XP, Vista and Windows Server.

Disk Imaging Tool

Mejiro

Free online service

JPCERT/CC

https://www.jpcert.or.jp/english/mejiro/index.html

"Mejiro is an Internet risk visualization service that collects data on risk factors existing on the Internet and visualizes risks based on indexes calculated by country or region(hereafter "region"). ... Mejiro builds on the basic principles of the Cyber Green Project, which JPCERT/CC has been working on since FY2014, and it visualizes Internet risks based on our unique approach."

Visualisation Tool

MeliCERTes CSP (Core Service Platform)

Open-source

EUPL v1.2: https://github.com/melicertes/csp/blob/develop/LICENSE

MeliCERTes project team: ENISA, CERT.at, CERT.EE, CERT.pl, CIRCL, SK-CERT

https://github.com/melicertes/csp

"a modular platform that interlaces various services that not only offers a complete security incident management solution but also allows CSIRTs to share information and collaborate with each other within verified Trust Circles. Each module specialises in a task essential to security incident management."

Information Sharing Platform

Merovingio

Open source

INCIBE-CERT

https://github.com/INTECOCERT/merovingio

Merovingio is an applications analyser that determines whether these are legitimate or malicious.

App Verification Tool

Microsoft PowerShell-based Tool

Freeware

Microsoft

https://www.kyberturvallisuuskeskus.fi/en/varoitus-exchangen-hyvaksikaytetty-haavoittuvuus, https://docs.microsoft.com/en-us/powershell/scripting/overview?view=powershell-7.1

PowerShell is a cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework.

Artefact Analysis

mihari

Open-source

MIT License: https://github.com/ninoseki/mihari/blob/master/LICENSE

Manabu Niseki

https://github.com/ninoseki/mihari

"a helper to run queries & manage results continuously. Mihari can be used for C2, landing page and phishing hunting"
"makes a query against Shodan, Censys, VirusTotal, SecurityTrails, etc. and extracts artifacts (IP addresses, domains, URLs and hashes) from the results."

Scanner

Minibis

Freeware

ISCL: http://en.wikipedia.org/wiki/ISC_license

Christian Wojner @ CERT.at

http://procdot.com/
https://cert.at/en/downloads/software/software-minibis

"Software and tips to easily build up an automated malware analysis station based on a concept introduced in the paper "Mass Malware Analysis: A Do-It-Yourself Kit"."

Malware Analysis

MISP (Open Source Threat Intelligence Platform)

Open-source

GNU AGPL v3.0: https://github.com/MISP/MISP/blob/2.4/LICENSE

CIRCL, Belgian Defense and NATO Computer Incident Response Capability

http://www.misp-project.org/
https://github.com/MISP/
http://www.circl.lu/services/misp-malware-information-sharing-platform/

A platform for sharing, storing and correlating Indicators of Compromises of targeted attacks but also threat intelligence such as threat actor information, financial fraud information and many more

Cyber Threat Intelligence

Mitmproxy

Open-source

MIT

MITM Core Team

https://github.com/mitmproxy

mitmproxy is your swiss-army knife for debugging, testing, privacy measurements, and penetration testing.

Penetration Testing

MITRE ATT&CK

Free

MITRE Corporation

https://attack.mitre.org

The MITRE ATT&CK® framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

Cyber Threat Intelligence

Mobile Sandbox

MobileSandbox

https://mobilesandbox.com/

This isolates apps from each other and protects apps and the system from malicious apps. To do this, Android assigns a unique user ID (UID) to each Android application and runs it in its own process. The sandbox is simple, auditable, and based on decades-old UNIX-style user separation of processes and file permissions

Sandboxing/Reversing Tool

MONARC

Open-source

GNU AGPL v3.0

Lëtzebuerg (SMILE) g.i.e.

https://www.monarc.lu/ https://github.com/monarc-project

"a tool and a method allowing an optimised, precise and repeatable risk assessment"

Risk Assessment Tool

mtracker

In-house built

CERT Polska

https://www.cert.pl/en/uploads/docs/Report_CP_2019.pdf

to track botnet activity based on reverse engineering of their com-
munication protocols

Sandboxing/Reversing Tool

mwdb-core

Open-source

GNU AGPL v3.0: https://github.com/CERT-Polska/mwdb-core/blob/master/LICENSE

CERT Polska

https://github.com/CERT-Polska/mwdb-core

Aggregating various feeds and malware collection in well-organized model that allows to discover relations between samples, families and campaigns

Cyber Threat Intelligence

mwdblib

Open-source

MIT

CERT Polska

https://github.com/CERT-Polska/mwdblib

API bindings for mwdb.cert.pl service or your own instance of MWDB, supporting both Python 2.x/3.x versions. Use it if you want to automate data uploading/fetching from MWDB or have some ipython-based CLI.

Security API

Open-source

GNU AGPL v3.0: https://github.com/CERT-Polska/n6/blob/master/LICENSE.txt

CERT Polska

https://n6.cert.pl/en/ https://github.com/CERT-Polska/n6

"a system designed to collect, process and share information about network events and possible security incidents"

Network Fingerprinting

Nagios

Open-source

GNU GPL v2: https://github.com/NagiosEnterprises/nagioscore/blob/master/LICENSE

Nagios Enterprises, LLC

https://www.nagios.org/

"monitors systems, networks and infrastructure"

Network Monitoring Tool

Ncat

Open-source

Avian Research

https://nmap.org/ncat/

Ncat is a feature-packed networking utility which reads and writes data across networks from the command line.

Network Utility

Net-SNMP

Open-source

http://net-snmp.sourceforge.net/about/license.html

Net-SNMP community

http://net-snmp.sourceforge.net/

"... a widely used protocol for monitoring the health and welfare of network equipment (eg. routers), computer equipment and even devices like UPSs. Net-SNMP is a suite of applications used to implement SNMP v1, SNMP v2c and SNMP v3 using both IPv4 and IPv6."

Network Utility

NetFlow Tool

Free version

Paessler

https://www.paessler.com/netflow_monitoring?gclid=CjwKCAjw9uKIBhA8EiwAYPUS3C_C9QY1ZZJ3u64P4dzP-L9wXzCjCEkoCyJD7BpzLXE1AiCyaLQwdRoCPKkQAvD_BwE

NetFlow Analyzer PRTG lets you check and monitor your bandwidth and determine, for example, the amount of network traffic caused by IP addresses, protocols, or programs.

Network Utility

netsh firewall show config

Freeware

Microsoft Corporation

https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior

To view state of
the firewall and the list of exceptions

Network Utility

netstat

open-source

GPLv2

Various open source and commercial developers

https://en.wikipedia.org/wiki/Netstat

To list and view open ports or active connections in systems

Network Utility

nfdump

open-source

BSD

Peter Haag

https://github.com/phaag/nfdump

The nfdump tools collect and process netflow data on the command line

Netflow Reader

nfsen

BSD

SWITCH CERT

http://nfsen.sourceforge.net/

Provides graphical overview over your netflow data.

Network Monitoring Tool

Nmap

Open-source

NPSL: https://nmap.org/npsl/

Gordon Lyon

https://nmap.org/

"for network discovery and security auditing"

Network Mapper

Norimaci

Open-source

Apache License 2.0: https://github.com/mnrkbys/norimaci/blob/master/LICENSE

Minoru Kobayashi (Internet Initiative Japan)

https://github.com/mnrkbys/norimaci

"a simple and lightweight malware analysis sandbox for macOS"

Sandboxing

oledump.py

Open-source

Didier Stevens

https://blog.didierstevens.com/programs/oledump-py/

"a program to analyze OLE files (Compound File Binary Format)"

Artefact Analysis

OllyDbg

Shareware

Oleh Yuschuk

http://www.ollydbg.de/

"a 32-bit assembler level analysing debugger for Microsoft® Windows®"
"This software is a shareware. To use this program on a permanent basis or for commercial purposes, you should register it by sending filled registration form to Ollydbg@t-online.de. The registration is free of charge and assumes no financial or other obligations from either side ..."

Reversing Tool

Onion Indexer

Open-source

MIT

Marcrabadan

https://github.com/marcrabadan/onion-indexer

Onion Indexer is developed in Python, onion indexer involves gathering all info about deep web pages applying Azure Batch (HPC) with the purpose of analysis and processing data gathered.

Web Information Gathering Tool

Open DNS Resolver Check Site + a command-line tool

Free online service

JPCERT/CC

http://www.openresolver.jp/en/
http://www.openresolver.jp/cli/check.html
http://www.openresolverproject.org

"offers an easy and simple method to check open DNS resolvers just by accessing the site and giving a few clicks"

Domain Name/IP Address checker

Opensource Spam Assasin

Open source

Apache License

Community-Led Development

https://spamassassin.apache.org/

Spam filtering tool

Spam Filter

OSINT OPSEC Tool

Open-source

GNU GPL v3.0: https://github.com/AxelSeg/osint-opsec-tool/blob/master/LICENCE

Brendan Jamieson

https://github.com/AxelSeg/osint-opsec-tool

"monitors multiple 21st Century OSINT sources real-time for keywords, then analyses the results, generates alerts, and maps trends of the data, finding all sorts of info"

OSINT Framework

osTicket Community Edition

Open-source

GNU GPL v2.0: https://github.com/osTicket/osTicket/blob/develop/LICENSE.txt

Enhancesoft

https://osticket.com/
https://github.com/osTicket

"a widely-used open source support ticket system. It seamlessly integrates inquiries created via email, phone and web-based forms into a simple easy-to-use multi-user web interface"

Incident Management Tool

OTOOL

Open-source

Apple Public
Source License Version 1.1

Apple Computer, Inc.

https://www.unix.com/man-page/osx/1/otool/

The otool command displays specified parts of object files or libraries. If the, -m option is not used, the file arguments may be of the
form libx.a(foo.o), to request information about only that object file and not the entire library. (Typically thisargument mustbe
quoted, ``libx.a(foo.o)'', to get it past the shell.)

System Fingerprint

OTRS (originally Open-Source Ticket Request System)

Open-source / Dual-license

GNU GPL v3.0: https://github.com/OTRS/otrs/blob/rel-6_0/COPYING

OTRS AG

https://otrs.com/
https://github.com/OTRS/otrs
https://en.wikipedia.org/wiki/OTRS

"one of the most flexible web-based ticketing systems used for Customer Service, Help Desk, IT Service Management. Please note that ((OTRS)) Community Edition offers limited OTRS functionality"
Mentioned in Trusted Introducer's SIM3 model

Incident Management Tool

Pastelyzer

Open-source

zlib license: https://github.com/cert-lv/pastelyzer/blob/master/LICENSE

CERT.LV

https://github.com/cert-lv/pastelyzer/

To swiftly identify any data leaks containing Latvian IP addresses, bank card numbers, e-mail and social networking service information to inform the organizations and internet users

Web Data Mining Tool

pcapdj

Open-source

GNU AGPL v3.0: https://github.com/CIRCL/pcapdj/blob/master/LICENSE

CIRCL

https://github.com/CIRCL/pcapdj

A pcap file dispatcher for processing very large set of pcap files.

Network Utility

pdfid.py and pdf-parser.py

Open-source

Didier Stevens

https://blog.didierstevens.com/programs/pdf-tools/

pdf-parser.py: "parse a PDF document to identify the fundamental elements used in the analyzed file."
pdfid.py: "scan a file to look for certain PDF keywords, allowing you to identify PDF documents that contain (for example) JavaScript or execute an action when opened."

Parsing Tool

PDFrankenstein

Open-source

GNU General Public License

CERT/CC-CMU

https://github.com/cmu-sei/pdfrankenstein

PDFrankenstein is a Python tool for bulk malicious PDF feature extraction.

Malware Detection

PEF

Open-source

Apache 2.0 License

NCSC-NL

https://github.com/NCSC-NL/PEF

A research prototype application demonstrating network traffic pseudonymization using a model-driven engineering approach.

Network Utility

PEiD

Freeware

Snaker

http://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/PEiD-updated.shtml

PEiD detects most common packers, cryptors and compilers for PE files.
It can currently detect more than 470 different signatures in PE files.
It seems that the official website (www.peid.info) has been discontinued. Hence, the tool is no longer available from the official website but it still hosted on other sites.

Artefact Collector

PEview

Freeware

http://wjradburn.com/software/PEview.zip, https://github.com/dwfault/PEView

PEView is a tool that helps identify the structure of PE files.

Artefact Collector

pfsense

Freeware ( pfSense Community Edition)

Apache 2.0 licens

Rubicon Communications, LLC.

https://www.pfsense.org/

pfSense® software is a free, open source customized distribution of FreeBSD specifically tailored for use as a firewall and router that is entirely managed via web interface.

Firewall

pharos

Open-source

https://github.com/cmu-sei/pharos/blob/master/LICENSE.md

enhancesoft

https://github.com/cmu-sei/pharos

Automated static analysis tools for binary programs

Reversing Tool

Phishing Catcher

Open-source

GNU GPL v3.0: https://github.com/x0rz/phishing_catcher/blob/master/LICENSE

x0rz

https://github.com/x0rz/phishing_catcher

Catch possible phishing domains in near real time by looking for suspicious TLS certificate issuances reported to the Certificate Transparency Log (CTL) via the CertStream API.

Security API

PhotoRec

Open-source

GNU GPL v2.0: https://www.gnu.org/licenses/old-licenses/gpl-2.0.html

Christophe GRENIER

https://www.cgsecurity.org/wiki/PhotoRec

"file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory"

File Recovery Tools

PhpMyAdmin

Freeware

GPL 2.0

PhpMyAdmin Project

https://www.phpmyadmin.net/

phpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the Web. phpMyAdmin supports a wide range of operations on MySQL and MariaDB.

Web Administration Tool

PIL

Open-source

MIT License

Steven Shrewsbury

https://github.com/stshrewsburyDev/PIL-Tools/

An extension module for Pillow to add functions that help simplify some processes.

Disk Imaging Tool

PlainSight

Freeware + Open-source?

PlainSight

http://www.plainsight.info/

“a versatile computer forensics environment that allows inexperienced forensic practitioners perform common tasks using powerful open source tools”

Artefact Analysis

potiron

Open-source

CIRCL

https://github.com/CIRCL/potiron

Normalise, index and Visualise Network Capture

Network Data Analyser

ProcDOT

Freeware

https://cert.at/media/files/downloads/software/procdot/files/license.txt

Christian Wojner @ CERT.at

https://cert.at/en/downloads/software/software-procdot

"This tool processes Sysinternals Process Monitor (Procmon) logfiles and PCAP-logs (Windump, Tcpdump) to generate a graph via the GraphViz suite. This graph visualizes any relevant activities (customizable) and can be interactively analyzed."

Malware Detection

Process Explorer

Freeware

Microsoft

https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

Process Explorer is a freeware task manager and system monitor for Microsoft Windows created by SysInternals

Artefact Collector

Process Hacker

Freeware

GPL 3.0

https://processhacker.sourceforge.io/

A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware.

Artefact Collector

Process Monitor

Open source (The Linux version)

MIT

Microsoft

https://github.com/Sysinternals/ProcMon-for-Linux

The tool monitors and displays in real-time all file system activity on a Microsoft Windows or Unix-like operating system

Artefact Collector

PyCIRCLean

Open-source

BSD 3 Clause License

https://github.com/CIRCL/PyCIRCLean

An open-source USB key and document sanitizer

File Checker

PyCrypto

Open-source

Public domain

Dwayne Litzenberger

https://pypi.org/project/pycrypto/

Python cryptography toolkit.

Cryptography Toolkit

Python for Volatility

Freeware

GPL 2.0

Volatility Foundation

https://github.com/volatilityfoundation/volatility

An advanced memory forensics framework

Memory Analysis Tool

QuasarRAT-Analysis

Open-source

JPCERT/CC

https://github.com/JPCERTCC/QuasarRAT-Analysis

"analysis tools for Quasar and the Quasar family"

Malware Detection

Redmine

Open-source

GNU GPL v2: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html

Jean-Philippe Lang

https://www.redmine.org/

"a flexible project management web application"

Incident Management

Referral Whois (RWhois)

Open-source

GNU GPL v2.0: https://github.com/arineng/rwhoisd/blob/master/rwhoisd/LICENSE

Network Solutions, Incorporated, Directory Services group

http://projects.arin.net/rwhois/
https://github.com/arineng/rwhoisd

"a reference implementation of the server side of the RWhois protocol, first described in RFC 1714"

Domain Name/IP Address checker

RegEx

Open-source

MIT License

https://github.com/ziishaned/learn-regex

To find common incident data types in the free text of incident reports, including IP addresses (v4 and v6), domain names ("original" top-level domains (TLDs)), email addresses, file names, file paths, and file hash values.

Regular Expression Engine

RegRipper

Open-source

MIT License: https://github.com/keydet89/RegRipper3.0/blob/master/license.txt

H. Carvey

https://github.com/keydet89/RegRipper3.0

Windows Registry reader and more.

Artefact Collector

Regshot

Open-source

LGPL 2.0

https://sourceforge.net/projects/regshot/

Regshot is an open-source (LGPL) registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one - done after doing system changes or installing a new software product.

Registry Comparison Utility

REMnux

Free distro

Zeltser Security Corp

https://remnux.org/
https://github.com/REMnux

"a Linux toolkit for reverse-engineering and analyzing malicious software. REMnux provides a curated collection of free tools created by the community. Analysts can use it to investigate malware without having to find, install, and configure the tools. "

Sandboxing/Reversing Tool

Resource Hacker

Freeware

Angus Johnson

http://www.angusj.com/resourcehacker/

Resource Hacker is a free resource extraction utility and resource compiler for Windows. It can be used to add, modify or replace most resources within Windows binaries including strings, images, dialogs, menus, VersionInfo and Manifest resources.

Artefact Collector

RIPS

Open-source

GNU GPL v3.0

Johannes Dahse

http://rips-scanner.sourceforge.net/
https://sourceforge.net/projects/rips-scanner/

"A static source code analyser for vulnerabilities in PHP scripts"
"A complete rebuilt solution is available from RIPS Technologies that overcomes these limitations and performs state-of-the-art security analysis." [https://www.ripstech.com/]

Code Analysis Tool

ROSE Compiler
(called Compass/ROSE in a CMU CERT/CC report)

Open-source

Revised BSD License: https://github.com/rose-compiler/rose/blob/release/COPYRIGHT

Lawrence Livermore National Laboratory

http://rosecompiler.org/
https://github.com/rose-compiler/

"a robust, open source, compiler-based infrastructure for building source to source program transformation and analysis tools"

Reverse Engineering

rr_decoder

Open-source

MIT License: https://github.com/nao-sec/rr_decoder/blob/master/LICENSE

nao_sec

https://github.com/nao-sec/rr_decoder

"to decode Royal Road RTF Weaponizer 8.t object"

Reverse Engineering

rtfdump

Open-source

Public domain

Didier Stevens

https://blog.didierstevens.com/2016/07/29/releasing-rtfdump-py/

Analysis tool for malicious RTF documents.

Artefact Analysis

rtir -scripts

CERT.at

https://github.com/certat/rtir-scripts

Various small scripts that make life easier with RT(IR)

Incident Management

RTIR (Request Tracker for Incident Response)

Open-source

GNU GPL v2

Best Practical Solutions, LLC

https://bestpractical.com/rtir
https://github.com/bestpractical/rtir

"industrial-grade incident-handling tool designed to provide a simple, effective workflow for members of CERT and CSIRT teams."
Related to another freeware RI (http://www.bestpractical.com/rt/), produced by the same vendor.
Mentioned in Trusted Introducer's SIM3 model

Incident Management

SANS SIFT

Freeware + Open-source

SANS

https://digital-forensics.sans.org/community/downloads

"a group of free open-source incident response and forensic tools designed to perform detailed digital forensic examinations in a variety of settings"

Linux Distribution Tool

sawp

open-source

MIT License

Canada Cyber Security Centre

https://github.com/CybercentreCanada/sawp

This library contains parsers for various wire protocols, and is intended to be used in network security sensors.

Network Utility

Security Onion3 Linux distribution

Open-source

GPL 2.0

Security Onion Solutions, LLC

https://securityonionsolutions.com/

free and open platform for threat hunting, network security monitoring, and log management.

Linux Distribution Tool

sed

Freeware

GNU GPL 3.0

Free Software Foundation, Inc.

https://www.gnu.org/software/sed/

sed (stream editor) is a non-interactive command-line text editor.

Text Editor

sfsimage

Open-source

MIT License

Bruce Nikkel

http://digitalforensics.ch/sfsimage/

"uses the squashfs read-only compressed filesystem as a digital forensic evidence container"

Evidence Collector

sha1sum

Open-source

GNU GPL v3

Ulrich Drepper, Scott Miller, and David Madore

https://linux.die.net/man/1/sha1sum

"compute and check SHA1 message digest"
Core command-line utility tool in Linux.

File Integrity Checker

sha256sum

Open-source

https://help.ubuntu.com/community/License

Ulrich Drepper, Scott Miller, and David Madore

https://linux.die.net/man/1/sha256sum

The program sha256sum is designed to verify data integrity using the SHA-256 (SHA-2 family with a digest length of 256 bits). SHA-256 hashes used properly can confirm both file integrity and authenticity.

File Integrity Checker

Shiva

Open-source

GPL 3.0

Sumit Sharma, Rahul Binjve

https://github.com/shiva-spampot/shiva

a high interaction SMTP
honeypot specifically designed for spam collection and analysis

Honeypot

Shockpot-Frontend

Freeware

GPLv3+

GovCERT.CZ

https://github.com/GovCERT-CZ/Shockpot-Frontend

Shockpot-Frontend is a full featured script to visualize statistics from a Shockpot honeypot.

Visualisation Tool

Shockpot-Frontend

Shockpot

Freeware

GPLv3+

GovCERT.CZ

https://github.com/GovCERT-CZ/shockpot

WebApp Honeypot for detecting Shell Shock exploit attempts

Visualisation Tool

Shodan API and Shodan Command-Line Interface

Paid service with a free option

Shodan

https://www.shodan.io/
https://developer.shodan.io/
https://cli.shodan.io/
https://developer.shodan.io/api/clients (with GitHub links)

"the world's first search engine for Internet-connected devices"
"All Shodan accounts come with a free API plan. Simply sign-up for a free Shodan account and you will be able to start using the API."

Search Engine

SiLK 3.19.1

Freeware

GPL

SEI, CMU

https://tools.netsa.cert.org

network flow collection and storage infrastructure that will accept flow data from a variety of sensors.

Network Utility

SNARE

Open-source

GPL 3.0

https://github.com/mushorg/snare

SNARE is a web honeypot for monitoring of incoming attacks.

Honeypot

Snorby

Open-source

https://github.com/Snorby/snorby/blob/master/LICENSE

Threat Stack, Inc

https://github.com/Snorby/

"a ruby on rails web application for network security monitoring that interfaces with current popular intrusion detection systems (Snort, Suricata and Sagan)"

Network Monitoring Tool

Snort

Open-source

GNU General Public License Version 2

Snort Community

https://www.snort.org/

Snort is an open-source, free and lightweight network intrusion detection system (NIDS) software for Linux and Windows to detect emerging threats.

IDS

Sparrow

Freeware

https://github.com/cisagov/Sparrow/blob/develop/LICENSE

CISA

https://github.com/cisagov/Sparrow

helps network defenders detect possible compromised accounts and applications in the Azure/M365 environment.

Evidence Collector

Squid Analysis Report Generator (SARG)

Open-source

GPL 2.0

Frédéric Marchal

https://sourceforge.net/projects/sarg/

SARG is an open source tool that allows you to analyse the squid log files and generates beautiful reports in HTML format with informations about users, IP addresses, top accessed sites, total bandwidth usage, elapsed time, downloads, access denied websites, daily reports, weekly reports and monthly reports.

Artefact Analysis

Squid Client

Open-source

GNU GPL 2.0

Duane Wessels

http://www.squid-cache.org/

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator.

Artefact Analysis

Squid Server

Open-source

GNU GPL 2.1

Duane Wessels

http://www.squid-cache.org/

Artefact Analysis

ssdeep / libfuzzy

Open-source

GNU GPL v2.0: https://github.com/ssdeep-project/ssdeep/blob/master/COPYING

ssdeep Project

http://ssdeep.sourceforge.net/
https://github.com/ssdeep-project/ssdeep

"computing context triggered piecewise hashes (CTPH)"
Used by JPCERT/CC in its impfuzzy tool.

Hashing Programs

stats-portal

Open-source

AGPL 3.0

CERT.at

https://github.com/certat/stats-portal

The stats portal is a component in the certtools series. It connectes to the eventDB (the database of all incident events which got processed by IntelMQ).

Incident Management

Strings

Freeware

Microsoft Corporation

https://docs.microsoft.com/en-us/sysinternals/downloads/strings

Strings just scans the file you pass it for UNICODE (or ASCII) strings of a default length of 3 or more UNICODE (or ASCII) characters.

Artefact Collector

super_mediator 1.8.0

Freeware

SEI, CMU

https://tools.netsa.cert.org/super_mediator/download.html

It collects and filters YAF output data to various IPFIX collecting processes and/or csv files

Network Data Analyser

Sysinternal TCPView

Freeware

Microsoft

https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview

The Sysinternals TCPView tool is a graphical interface that displays all of the active connections on a host.

Artefact Collector

Sysinternals Suite

Freeware

Microsoft

https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite

"a collection of native Microsoft tool which are very useful when performing ‘Live Analysis’. The entire set of Sysinternals tools are collected in a single archive."

Artefact Analysis

Sysmon

Freeware

Microsoft

https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

Tool to record various Windows OS operations application such as applications, registry entries, communication.

System Fingerprint

SysmonSearch

Open-source

https://github.com/JPCERTCC/SysmonSearch/blob/master/LICENSE.txt

JPCERT/CC

https://github.com/JPCERTCC/SysmonSearch

"make event log analysis more effective and less time consuming, by aggregating event logs generated by Microsoft's Sysmon"

System Fingerprint

T-Pot

Open-source

GNU GPL v3.0: https://github.com/telekom-security/tpotce/blob/master/LICENSE

Deutsche Telekom Security GmbH

http://github.security.telekom.com/honeypot.html
https://github.com/telekom-security/tpotce

A honeypot platform

Honeypot

tag2domain

Open-source

AGPL 3.0

CERT.at

https://github.com/certat/tag2domain

A mapping project between tags (annotations, labels) and domain names

Domain Name/IP Address Checker

TANNER

Open-source

GPL 3.0

https://github.com/mushorg/tanner

TANNER is used to control the behaviour of multiple SNARE instances and aggregate the information that is collected. SNARE is a web honeypot for monitoring of incoming attacks.

Honeypot

Taranis

Open-source

EUPL v1.2: https://github.com/NCSC-NL/taranis3/blob/release-3.6/LICENCE

NCSC-NL

https://github.com/NCSC-NL/taranis3

"an information processing tool … to manage the process of creating useful alerts based on a multitude of information sources."

News Feeds Analysis

tcpdump

Open-source

BSD: https://github.com/the-tcpdump-group/tcpdump/blob/master/LICENSE

Tcpdump Group

http://www.tcpdump.org/
https://github.com/the-tcpdump-group/tcpdump

Network acquisition

Network Utility

The Sleuth Kit

Open-source

Multiple licenses: http://sleuthkit.org/sleuthkit/licenses.php

sleuthkit.org

http://sleuthkit.org/sleuthkit/
https://github.com/sleuthkit/sleuthkit/

Open source digital forensics

Artefact Analysis

TheHive

Open-source

GNU AGPL v3.0: https://github.com/TheHive-Project/TheHive/blob/master/LICENSE

Nabil Adouani, Thomas Franco, Saâd Kadhi, Jérôme Leonard @ CERT-BDF

https://github.com/TheHive-Project/TheHive

A Scalable, Open Source and Free Security Incident Response Platform

Incident Management Tool

ThreatIngestor

Open-source

GNU GPL v2.0: https://github.com/InQuest/ThreatIngestor/blob/master/LICENSE

Inquest, LLC

https://github.com/InQuest/ThreatIngestor

"An extendable tool to extract and aggregate IOCs from threat feeds"
"Integrates out-of-the-box with ThreatKB and MISP, and can fit seamlessly into any existing worflow with SQS, Beanstalk, and custom plugins."
"can be configured to watch Twitter, RSS feeds, or other sources, extract meaningful information such as malicious IPs/domains and YARA signatures, and send that information to another system for analysis."

Artefact Analysis

Thug

Open-source

GPL 2.0

Angelo Dell'Aera

https://github.com/buffer/thug

Thug is a Python low-interaction honeyclient aimed at mimicking the behavior of a web browser in order to detect and emulate malicious contents.

Honeypot

Tiuku

Open-source

MIT

NCSC-FI

https://github.com/ncsc-fi/tiuku

Tiuku is a tool for scanning various kinds of systems and environments for security related information and displaying the results in a browser-based user interface

Scanner

ToolAnalysisResultSheet

Open-source

JpCERT/CC

https://github.com/JPCERTCC/ToolAnalysisResultSheet

This repository summarizes the results of examining logs recorded in Windows upon execution of the 49 tools which are likely to be used by the attacker that has infiltrated a network.

Log Analysis

torexitnodes_simple

Open-source

AGPL 3.0

CERT.at

https://github.com/certat/torexitnodes_simple

Simple version of the tor exit node list DB. Part of the Internet Inventory project.

Network Utility

traceroute-circl

Open-source

GNU GPL v3.0: https://github.com/CIRCL/traceroute-circl/blob/master/LICENSE

CIRCL

https://github.com/CIRCL/traceroute-circl

Traceroute improved wrapper for CSIRT and CERT operators

Domain Name/IP Address Checker

tshark

Freeware

GNU GPLv2

The Wireshark Team

https://www.wireshark.org/docs/wsug_html_chunked/AppToolstshark.html

TShark is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file.

Network Data Analyser

tuency
Constituency Portal [predcessor]

Open-source

GNU AGPL v3.0: https://github.com/certtools/intelmq/blob/develop/LICENSE
https://gitlab.com/intevation/tuency/tuency/-/tree/master/LICENSES

Intevation GmbH (partner of CERT.at)

https://gitlab.com/intevation/tuency/tuency
https://github.com/certat/do-portal [predcessor]

The “Constituency-Portal” (tuency) is a contact data management tool featuring self-service functionality and is directly integrated with the authentication solution Keycloak. This allows us to use the contact data for authentication in other linked applications. The software further enhances and extends our possibilities to better address and configure our daily e-mail notifications for network owners regarding issues in their networks.

Domain Name/IP Address Checker

Unix commands

Open-source

GNU GPL

FreeBSD, Ken Thompson, Nokia Bell Labs,

https://en.wikipedia.org/wiki/List_of_Unix_commands

Unix commands are inbuilt programs that can be invoked in multiple ways.

Unix Tool

Upx

Open-source

https://github.com/upx/upx/blob/devel/LICENSE

Markus Franz Xaver, Johannes Oberhumer

https://github.com/upx/upx

the Ultimate Packer for eXecutables

Executable Packer

URL Abuse

Open-source

GNU AGPL v3.0: https://github.com/CIRCL/url-abuse/blob/master/LICENSE

CIRCL

https://circl.lu/services/urlabuse/
https://github.com/CIRCL/url-abuse

This is a public-facing free service CIRCL runs. It is made open-source so other CSIRTs can use it, too.

Malware Detection

URLhaus API

Free API

Terms of Services: https://urlhaus.abuse.ch/api/#tos

abuse.ch

https://urlhaus.abuse.ch/api/

"sharing malicious URLs that are being used for malware distribution"

Malware Detection API

urlquery Python API

Open-source

https://github.com/CIRCL/urlquery_python_api/blob/master/LICENSE

CIRCL

https://github.com/CIRCL/urlquery_python_api

"API to access urlquery"
urlquery seems to have been discontinued.

Security API

urlscan.io

Free online service

urlscan GmbH

https://urlscan.io/

"A free service to scan and analyse websites"
"urlscan.io itself is a free service, but we also offer commercial products for heavy users and organisations that need additional insight."

Malware Detection

VB Decompiler Free Lite

Freeware

DotFix Software

https://www.vb-decompiler.org/download.htm

Decompiler for VB applications
This is just one of many free VB decompilers.

Reverse Engineering

Vega

Open-source

Multiple: https://github.com/subgraph/Vega/tree/develop/licenses

Subgraph

https://subgraph.com/vega/
https://github.com/subgraph/Vega

"a free and open source web security scanner and web security testing platform to test the security of web applications"

Penetration Testing

vFeed: The Correlated Vulnerability and Threat Intelligence Database Wrapper

Open-source

https://github.com/toolswatch/vFeed/blob/master/LICENSE.md

ToolsWatch Org

https://github.com/toolswatch/vFeed/

"a CVE, CWE, and OVAL Compatible naming scheme concept that provides extra structured detailed third-party references and technical characteristics for a CVE entry through an extensible XML/JSON schema"
"Any organization based in Luxembourg that could use the data feeds in order to improve security (for their own benefit or their customers’) can request an access."

Vulnerability and Threat Intelligence Feed

Viper

Open-source

BSD 3-clause license: https://github.com/viper-framework/viper/blob/master/LICENSE

Claudio Guarnieri

https://github.com/viper-framework/viper

"a binary analysis and management framework. Its fundamental objective is to provide a solution to easily organize your collection of malware and exploit samples as well as your collection of scripts you created or found over the time to facilitate your daily research."

Sandboxing/Reversing Tool

Virtualbox

Open-source

GNU GPL v2

Oracle

https://www.virtualbox.org/

"a general-purpose full virtualizer for x86 hardware, targeted at server, desktop and embedded use"

Virtualisation Tool

VirusTotal tools

Open-source

GNU GPL v3.0: https://github.com/CIRCL/vt-tools/blob/master/LICENSE

CIRCL

https://github.com/CIRCL/vt-tools

"A set of tools to interact with the services from VirusTotal"

Malware Detection

VirusTotal.com

Free online service

Chronicle LLC

https://www.virustotal.com/

Analyze suspicious files and URLs to detect types of malware

Malware Detection

VMMap Tool

Freeware

Microsoft Corporation

https://docs.microsoft.com/en-us/sysinternals/downloads/vmmap

VMMap is a process virtual and physical memory analysis utility. It shows a breakdown of a process's committed virtual memory types as well as the amount of physical memory (working set) assigned by the operating system to those types.

Memory Analysis Tool

Volatility

Open-source

GNU GPL v2.0: https://github.com/volatilityfoundation/volatility/blob/master/LICENSE.txt

Volatility Foundation

https://www.volatilityfoundation.org/
https://github.com/volatilityfoundation/volatility
https://en.wikipedia.org/wiki/Volatility_(memory_forensics)

Memory forensics

Memory Analysis Tool

VolatilityBot

Open-source

MIT License

Martin Gustavo Korman

https://github.com/mkorman90/VolatilityBot

"an automation tool for researchers cuts all the guesswork and manual tasks out of the binary extraction phase, or to help the investigator in the first steps of performing a memory analysis investigation. Not only does it automatically extract the executable (exe), but it also fetches all new processes created in memory, code injections, strings, IP addresses, etc."

Memory Analysis Tool

Open-source

Joe Ossanna

https://www.geeksforgeeks.org/wc-command-linux-examples/

The program reads either standard input or a list of computer files and generates one or more of the following statistics: newline count, word count, and byte count. If a list of files is provided, both individual file and total statistics follow.

Word Count Statistsic

wget

Open source

GPLv3+

Giuseppe Scrivano, Tim Rühsen, Darshit Shah

http://www.gnu.org/software/wget/

A command line tool to check if a computer is running open DNS resolver

File Retrieval

Whois services

Free online services

domaintools.com
whois.com
whois

https://whois.domaintools.com/
https://www.whois.com/whois
https://who.is/
…

To find ownership of IPs and domains

Domain Name/IP address Checker

winpmem (part of Pmem Memory acquisition Suite)

Open-source

Apache License 2.0: https://github.com/Velocidex/c-aff4/blob/master/LICENSE

Michael Cohen / Google Inc.

https://github.com/Velocidex/c-aff4/tree/master/tools/pmem
[https://github.com/Velocidex/c-aff4/releases/download/3.1.rc1/winpmem_3.1.rc3.exe]
https://github.com/google/rekall/tree/master/tools/pmem
[https://github.com/google/rekall/releases/download/v1.3.1/winpmem_1.6.2.exe]

Memory acquisition

Memory Analysis Tool

WireShark

Open-source

GNU GPL v2: https://www.wireshark.org/docs/wsug_html/#AppGPL

Gerald Combs

https://www.wireshark.org/

"the world’s foremost and widely-used network protocol analyzer"

Network Data Analyser

Wordpot-Frontend

Freeware

GPLv3+

GovCERT.CZ

https://github.com/GovCERT-CZ/Wordpot-Frontend

Wordpot-Frontend is a full featured script to visualize statistics from a Wordpot honeypot

Visualisation Tool

Wordpot

Freeware

GPLv3+

GovCERT.CZ

https://github.com/GovCERT-CZ/wordpot

A wordpress honeypot

Honeypot

wrestool (part of icoutils)

Open-source

GNU GPL: https://github.com/rwmjones/icoutils

Colin Watson, Oskar Liljeblad

https://github.com/rwmjones/icoutils/tree/master/wrestool

"extract resources from Microsoft Windows(R) binaries"

Artefact Analysis

wxHexEditor

Open-source

GPL 2.0

https://github.com/EUA/wxHexEditor

wxHexEditor is another Hex Editor, build because of there is no good hex editor for Linux system, specially for big files.

Hex Editor

X-ISAC

Free online service

CIRCL

https://www.x-isac.org/

"the supporting Information Sharing and Analysis Center for other ISACs, information sharing communities or CSIRT networks which provides core software, cross-sector threat intelligence, taxonomies and open standards."
MISP is a founding member of this platform.

Information Sharing

xxd

Open-source

"Distribute freely and credit me,
make money and share with me,
lose money and don't ask me."

Juergen Weigert

https://linux.die.net/man/1/xxd

"make a hexdump or do the reverse"
Part of many Linux/UNIX distributions

Hexdump Creator

YAF 2.12.1

Freeware

SEI, CMU

https://tools.netsa.cert.org/yaf/index.html

Yet Another Flow Sensor (YAF) processes packet data into bidirectional flow records that can be used as input to an IPFIX Collecting Process.

Network Data Analyser

YARA

Open-source

BSD 3-Clause "New" or "Revised" License: https://github.com/VirusTotal/yara/blob/master/COPYING

Google Inc. etc.
https://github.com/VirusTotal/yara/blob/master/AUTHORS

http://virustotal.github.io/yara/
https://github.com/virustotal/yara

Helping malware researchers to identify and classify malware samples.

Malware Detection

Yara Rules

Open-source

MIT License: https://github.com/nao-sec/yara_rules/blob/master/LICENSE

nao_sec

https://github.com/nao-sec/yara_rules

"For malware research"

Malware Detection

ZMap

Open-source

Apache License v2.0: https://github.com/zmap/zmap/blob/master/LICENSE

ZMap Project

https://zmap.io/
https://github.com/zmap/zmap

"a fast single-packet network scanner optimized for Internet-wide network surveys … can scan the entire public IPv4 address space in under 45 minutes"

Network Scanner