
Awesome Incident Response

A curated list of tools for incident response


Last Update: Dec. 4, 2021, 3:05 p.m.

Thank you meirwah & contributors
View Topic on GitHub:
meirwah/awesome-incident-response


Adversary Emulation

A toolset to make a system look as if it was the victim of an APT attack

1.63K
332
79d
MIT

Small and highly portable detection tests based on MITRE's ATT&CK.

5.23K
1.79K
30d
MIT

Automated Tactics Techniques & Procedures

219
63
2y 23d
n/a

Automated Adversary Emulation Platform

3.01K
633
31d
Apache-2.0

"Security Incidents In A Box!" A modular, menu-driven, cross-platform tool for building customized, time-delayed, distributed security events. Easily create custom event chains for Blue- & Red Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. Build event sequences ("narratives") to simulate realistic scenarios and generate corresponding network and filesystem artifacts.

814
142
1y 6m
MIT

An information security preparedness tool to do adversarial simulation.

906
135
2y 8m
MIT

A utility to safely generate malicious network traffic patterns and evaluate controls.

585
103
32d
n/a

852
184
2y 7m
n/a

Virtual Machine for Adversary Emulation and Threat Hunting

1.03K
169
1y 4m
BSD-3-Clause

All-In-One Tools

CimSweep is a suite of CIM/WMI-based tools that enable incident response and hunting operations to be performed remotely across all versions of Windows.

585
154
2y 108d
BSD-3-Clause

Tools for the Computer Incident Response Team

130
27
4y 7m
MIT

an osquery fleet manager

576
97
6m
MIT

CrowdStrike Falcon Orchestrator provides automated workflow and response capabilities

167
55
10m
AGPL-3.0

3.12K
562
42d
Apache-2.0

Open source device management, built on osquery.

501
95
30d
n/a

GRR Rapid Response: remote live forensics for incident response

3.93K
702
87d
Apache-2.0

Digital Forensics Investigation Platform

359
62
46d
GPL-3.0

DEPRECATED - MozDef: Mozilla Enterprise Defense Platform

2.16K
349
32d
MPL-2.0

Incident Response Forensic Framework

586
138
2y 15d
n/a

Digging Deeper....

968
162
30d
n/a

Zentral is an open-source solution for infrastructure monitoring and endpoint event stream processing. It provides built-in orchestration of macOS security components (Santa, Osquery, et al.), event correlation and event management. It consolidates its features with various data store backends (ElasticStack, Azure Log Analytics, Splunk, et al.).

570
74
32d
Apache-2.0

Books

Communities

Disk Image Creation Tools

Evidence Collection

🚨 The artifactcollector is a customizable agent to collect forensic artifacts on any Windows, macOS or Linux system

84
9
47d
MIT

This is the development tree. For downloads please see:

558
133
31d
n/a

The Cold Disk Quick Response (CDQR) tool is a fast and easy to use forensic artifact parsing tool that works on disk images, mounted drives and extracted artifacts from Windows, Linux, MacOS, and Android devices

306
46
10m
GPL-3.0

CyLR - Live Response Collection Tool

406
66
53d
GPL-3.0

Digital Forensics Artifact Repository

645
154
31d
Apache-2.0

A Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.

346
87
9m
n/a

Remote Memory Acquisition Tool

188
40
1y 73d
MIT

UAC (Unix-like Artifacts Collector) is a Live Response collection tool for Incident Response that makes use of built-in tools to automate the collection of Unix-like systems artifacts. Supported systems: AIX, FreeBSD, Linux, macOS, NetBSD, Netscaler, OpenBSD and Solaris.

107
21
30d
Apache-2.0

Incident Management

A framework for orchestrating forensic collection, processing and data export

165
54
30d
Apache-2.0

DFIRTrack - The Incident Response Tracking Application

315
68
30d
n/a

Fast Incident Response

1.34K
443
5m
GPL-3.0

Sandia Cyber Omni Tracker (SCOT)

219
46
8m
n/a

Shuffle: A general purpose security automation platform. Our focus is on collaboration and resource sharing.

594
113
31d
AGPL-3.0

DPS' Lightweight Investigation Notebook

395
92
5y 100d
Apache-2.0

Knowledge Bases

Digital Forensics Artifacts Knowledge Base

26
5
8m
Apache-2.0

Windows Events Attack Samples

1.5K
272
44d
GPL-3.0

Windows Registry Knowledge Base

79
17
42d
Apache-2.0

Linux Distributions

Linux Evidence Collection

Log Analysis Tools

"Evolving AppCompat/AmCache data analysis beyond grep"

149
24
80d
Apache-2.0

APT-Hunter is a threat hunting tool for Windows event logs, built with a purple team mindset, that detects APT movements hidden in the sea of Windows event logs to decrease the time needed to uncover suspicious activity.

433
83
41d
GPL-3.0

Apache Logfile Security Analyzer

193
50
2y 9m
GPL-2.0

CLI utility and Python module for analyzing log files and other data.

97
16
9m
MIT

Investigate malicious Windows logon by visualizing and analyzing Windows event log

1.87K
363
35d
n/a

Generic Signature Format for SIEM Systems

4.26K
1.25K
30d
n/a

StreamAlert is a serverless, realtime data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using datasources and alerting logic you define.

2.61K
327
44d
Apache-2.0

Investigate suspicious activity by visualizing Sysmon's event log

330
49
6m
n/a

A standalone SIGMA-based detection tool for EVTX.

192
28
31d
n/a

Memory Analysis Tools

AVML - Acquire Volatile Memory for Linux

432
47
74d
MIT

Web interface for the Volatility Memory Forensics Framework

243
41
4y 14d
n/a

inVtero.net: A high speed (Gbps) forensics, memory integrity & assurance tool. Includes offensive & defensive memory capabilities. Find/extract processes and hypervisors (including nested) in memory dumps using microarchitecture-independent Virtual Machine Introspection techniques.

245
55
4y 9d
AGPL-3.0

LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

1.22K
256
5m
GPL-2.0

Volatility plugin that extracts configuration data of known malware

363
62
110d
n/a

An advanced memory forensics framework

4.96K
1.04K
92d
GPL-2.0

Volatility 3.0 development

665
140
31d
n/a

VolatilityBot – An automated memory analyzer for malware samples and memory dumps

235
58
5m
MIT

VolDiff: Malware Memory Footprint Analysis based on Volatility

179
51
4y 84d
BSD-2-Clause

Memory Imaging Tools

OSX Evidence Collection

macOS (& iOS) Artifact Parsing Tool

410
71
41d
MIT

OS X Auditor is a free Mac OS X computer forensics tool

3.1K
308
1y 4m
n/a

A forensic evidence collection & analysis toolkit for OS X

1.8K
249
2y 5m
n/a

Other Lists

A curated list of awesome forensic analysis tools and resources

1.73K
366
52d
CC0-1.0

Please no pull requests for this repository. Thanks!

1.04K
332
31d
n/a

A collective list of public APIs for use in security. Contributions welcome

588
99
5m
MIT

Other Tools

Diffy is a triage tool used during cloud-centric security incidents, to help digital forensics and incident response (DFIR) teams quickly identify suspicious hosts on which to focus their response.

579
61
1y 7m
Apache-2.0

A Python DNS crawler to find identical domain names under different TLDs.

18
3
2y 6m
n/a

A modular Python application to pull intelligence about malicious files

102
23
1y 0d
n/a

The Hunting ELK

3.05K
593
6m
GPL-3.0

Web browser forensics for Google Chrome/Chromium

662
109
46d
Apache-2.0

A modular Python application to collect intelligence for malicious hosts.

229
50
7m
n/a

Command line utility and Python package to ease the (un)mounting of forensic disk images

85
30
67d
MIT

A Powershell incident response framework

1.16K
239
1y 82d
Apache-2.0

$MFT directory tree reconstruction & record info

168
16
36d
GPL-3.0

Online hash checker for Virustotal and other services

587
115
74d
Apache-2.0

PowerSponse is a PowerShell module focused on targeted containment and remediation during incident response.

30
8
9m
MIT

A simple many-rules to many-files YARA scanner for incident response or malware zoos.

19
4
3y 6m
Apache-2.0

Collecting & Hunting for IOCs with gusto and style

181
47
4m
MIT

A Simple Ransomware Vaccine

758
96
42d
Unlicense

Stenographer is a packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. Discussion/announcements at [email protected]

1.65K
218
4m
Apache-2.0

A simple threat hunting tool based on osquery, Salt Open and Cymon API

62
14
4y 5m
MIT

Sysmon configuration file template with default high-quality event tracing

3.23K
1.18K
47d
n/a

A repository of sysmon configuration modules

1.59K
332
40d
MIT

Traceroute improved wrapper for CSIRT and CERT operators

36
9
6y 7m
GPL-3.0

Playbooks

A concise, directive, specific, flexible, and free incident response plan template

176
74
63d
n/a

Cyber Incident Response Team Playbook Battle Cards

67
19
38d
MIT

Incident Response Methodologies

843
191
3y 4m
n/a

Phantom Community Playbooks

303
144
32d
n/a

A Threat hunter's playbook to aid the development of techniques and hypothesis for hunting campaigns.

2.83K
651
6m
GPL-3.0

Process Dump Tools

Sandboxing/Reversing Tools

Malware Configuration And Payload Extraction

558
150
30d
GPL-3.0

Cuckoo Sandbox is an automated dynamic malware analysis system

4.83K
1.61K
4m
GPL-3.0

Modified edition of cuckoo

374
176
4y 14d
n/a

A Python library to interface with a cuckoo-modified instance

16
4
5y 35d
n/a

Free and Open Source Reverse Engineering Platform powered by rizin

9.86K
787
35d
GPL-3.0

Ghidra is a software reverse engineering (SRE) framework

29.48K
3.84K
30d
Apache-2.0

Malware static analysis framework

149
44
1y 8m
n/a

UNIX-like reverse engineering framework and command-line toolset

15.2K
2.56K
30d
LGPL-3.0

UNIX-like reverse engineering framework and command-line toolset.

1.11K
123
30d
LGPL-3.0

A machine learning tool that ranks strings based on their relevance for malware analysis.

519
107
1y 2d
Apache-2.0

Binary analysis and management framework

1.44K
365
9m
n/a

A Python library and command line tools to provide interactive log visualization.

129
35
5y 16d
n/a

Scanner Tools

Simple Bash IOC Scanner

340
70
9m
MIT

Loki - Simple IOC and Incident Response Scanner

2.17K
477
66d
GPL-3.0

simple YARA-based IOC scanner

104
21
36d
LGPL-3.0

Timeline Tools

Incident Response Documentation made easy. Developed by Incident Responders for Incident Responders

255
27
110d
Apache-2.0

post mortem tracker

986
130
2y 65d
MIT

Super timeline all the things

1.18K
269
32d
Apache-2.0

Collaborative forensic timeline analysis

1.75K
394
30d
Apache-2.0

Videos

Windows Evidence Collection

Windows Live Artifacts Acquisition Script

153
29
112d
GPL-2.0

466
136
10m
GPL-3.0

A modern tool for the Windows kernel exploration and tracing

1.44K
150
45d
n/a

This script is made to collect the most valuable artifacts for forensics or incident response investigation rather than imaging the whole hard drive.

100
13
1y 46d
GPL-3.0

Invoke-LiveResponse

120
28
1y 96d
MIT

Incident Response Triage - Windows Evidence Collection for Forensic Analysis

104
25
5y 7m
n/a

Loki - Simple IOC and Incident Response Scanner

2.17K
477
66d
GPL-3.0

A collection of PowerShell modules designed for artifact gathering and reconnaissance of Windows-based endpoints.

311
70
8m
GPL-3.0

Fast incident overview

31
7
4y 9m
n/a

PowerForensics provides an all in one platform for live disk forensic analysis

1.13K
262
10m
MIT

PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.

427
104
4y 4m
Apache-2.0

RegRipper3.0

188
40
64d
n/a