Fenrir v0.9: Simple Bash IOC Scanner
Fenrir Simple Bash IOC Scanner Fenrir is a simple IOC scanner bash script. It allows scanning Linux/Unix/OSX systems for the following Indicators of Compromise (IOCs): Hashes: MD5, SHA1, and SHA256 (using...
by do son · Published February 4, 2018 · Last modified December 13, 2021
#phpMyAdmin Honeypot version 1.5 — 7/2/2015 greg . foss [at] logrhythm.com Probably one of the smallest and simplest web honeypots out there… #[Requirements] You will need… 1. A web server...
honeyλ – a simple serverless application designed to create and monitor URL {honey}tokens, on top of AWS Lambda and Amazon API Gateway Slack notifications Email and SMS alerts Load config from...
by do son · Published December 27, 2017 · Last modified June 18, 2018
AIEngine is a next-generation interactive/programmable Python/Ruby/Java/Lua and Go network intrusion detection system engine with capabilities of learning without any human intervention, DNS domain classification, Spam detection, network collector, network forensics...
volatility-bitlocker A plugin for the Volatility Framework which aims to extract BitLocker Full Volume Encryption Keys (FVEK) from memory. Works on Windows 7 through to Windows 10. This is very...
volatility-filevault2 This is a volatility plugin which attempts to extract Apple FileVault 2 Volume Master Keys. How it works Filevault appears to keep the volume master key in a consistently...
Volatility Framework: BitLocker This plugin finds and extracts the Full Volume Encryption Key (FVEK) from memory dumps and/or hibernation files. This allows rapid unlocking of systems that had BitLocker encrypted volumes...
DCEPT (Domain Controller Enticing Password Tripwire) is a honeytoken-based tripwire for Microsoft’s Active Directory. Honeytokens are pieces of information intentionally scattered throughout the system so they can be discovered by...
« usbkill » is an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer. Feature Compatible with Linux, *BSD and OS...
PDF has become a de facto standard for exchanging electronic documents, for visualization as well as for printing. However, it has also become a common delivery channel for malware, and...
LORG A tool for advanced HTTPD logfile security analysis and forensics. Web server log files are the primary source of information to reconstruct the course of events if your website got...
ngxtop parses your nginx access log and outputs useful, top-like, metrics of your nginx server. So you can tell what is happening with your server in real-time. ngxtop is designed to run in...
ugforum analysis: Tools for Automated Analysis of Cybercriminal Markets Underground forums are widely used by criminals to buy and sell a host of stolen items, datasets, resources, and criminal services. These...
PowerKrabsEtw is a PowerShell module built around the krabsetw APIs. It exposes a subset of functionality directly available in krabsetw and is meant to streamline ETW experimentation. Notes This module is currently...
PoSH-R2 is a set of Windows Management Instrumentation interface (WMI) scripts that investigators and forensic analysts can use to retrieve information from a compromised (or potentially compromised) Windows system. The...