Awesome Incident Response
A curated list of tools for incident response
Thank you meirwah & contributors
A toolset to make a system look as if it was the victim of an APT attack
Small and highly portable detection tests based on MITRE's ATT&CK.
Automated Tactics Techniques & Procedures
Automated Adversary Emulation Platform
"Security Incidents In A Box!" A modular, menu-driven, cross-platform tool for building customized, time-delayed, distributed security events. Easily create custom event chains for Blue- & Red Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. Build event sequences ("narratives") to simulate realistic scenarios and generate corresponding network and filesystem artifacts.
An information security preparedness tool to do adversarial simulation.
A utility to safely generate malicious network traffic patterns and evaluate controls.
Virtual Machine for Adversary Emulation and Threat Hunting
CimSweep is a suite of CIM/WMI-based tools that enable incident response and hunting operations to be performed remotely across all versions of Windows.
Tools for the Computer Incident Response Team
an osquery fleet manager
CrowdStrike Falcon Orchestrator provides automated workflow and response capabilities
Open source device management, built on osquery.
GRR Rapid Response: remote live forensics for incident response
Digital Forensics Investigation Platform
DEPRECATED - MozDef: Mozilla Enterprise Defense Platform
Incident Response Forensic Framework
Zentral is an open-source solution for infrastructure monitoring and endpoint event stream processing. It provides built-in orchestration of macOS security components (Santa, Osquery, et al.), event correlation and event management. It consolidates its features with various data store backends (Elastic Stack, Azure Log Analytics, Splunk, et al.).
Disk Image Creation Tools
Remote forensics meta tool
🚨 The artifactcollector is a customizable agent to collect forensic artifacts on any Windows, macOS or Linux system
This is the development tree. For downloads please see:
The Cold Disk Quick Response (CDQR) tool is a fast and easy to use forensic artifact parsing tool that works on disk images, mounted drives and extracted artifacts from Windows, Linux, MacOS, and Android devices
CyLR - Live Response Collection Tool
Digital Forensics Artifact Repository
A Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.
Remote Memory Acquisition Tool
UAC (Unix-like Artifacts Collector) is a Live Response collection tool for Incident Response that makes use of built-in tools to automate the collection of Unix-like system artifacts. Supported systems: AIX, FreeBSD, Linux, macOS, NetBSD, Netscaler, OpenBSD and Solaris.
A framework for orchestrating forensic collection, processing and data export
DFIRTrack - The Incident Response Tracking Application
Fast Incident Response
Sandia Cyber Omni Tracker (SCOT)
Shuffle: A general purpose security automation platform. Our focus is on collaboration and resource sharing.
DPS' Lightweight Investigation Notebook
Digital Forensics Artifacts Knowledge Base
Windows Events Attack Samples
Windows Registry Knowledge Base
Collect, Process, and Hunt with host based data from MacOS, Windows, and Linux
Security Onion 16.04 - Linux distro for threat hunting, enterprise security monitoring, and log management
Linux Evidence Collection
Log Analysis Tools
"Evolving AppCompat/AmCache data analysis beyond grep"
APT-Hunter is a threat hunting tool for Windows event logs, built with a purple team mindset, that detects APT movements hidden in the sea of Windows event logs to decrease the time needed to uncover suspicious activity.
Apache Logfile Security Analyzer
CLI utility and Python module for analyzing log files and other data.
Investigate malicious Windows logon by visualizing and analyzing Windows event log
Generic Signature Format for SIEM Systems
StreamAlert is a serverless, realtime data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using datasources and alerting logic you define.
Investigate suspicious activity by visualizing Sysmon's event log
A standalone SIGMA-based detection tool for EVTX.
Memory Analysis Tools
AVML - Acquire Volatile Memory for Linux
Web interface for the Volatility Memory Forensics Framework
inVtero.net: A high speed (Gbps) forensics, memory integrity & assurance tool. Includes offensive & defensive memory capabilities. Find/extract processes and hypervisors (including nested) in memory dumps using microarchitecture-independent Virtual Machine Introspection techniques.
LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
Volatility plugin that extracts configuration data of known malware
An advanced memory forensics framework
Volatility 3.0 development
VolatilityBot – An automated memory analyzer for malware samples and memory dumps
VolDiff: Malware Memory Footprint Analysis based on Volatility
Memory Imaging Tools
Script for automating Linux memory capture and analysis
OSX Evidence Collection
macOS (& iOS) Artifact Parsing Tool
OS X Auditor is a free Mac OS X computer forensics tool
A forensic evidence collection & analysis toolkit for OS X
A curated list of awesome forensic analysis tools and resources
Please no pull requests for this repository. Thanks!
A collective list of public APIs for use in security. Contributions welcome
Diffy is a triage tool used during cloud-centric security incidents, to help digital forensics and incident response (DFIR) teams quickly identify suspicious hosts on which to focus their response.
A Python DNS crawler to find identical domain names under different TLDs.
A modular Python application to pull intelligence about malicious files
The Hunting ELK
Web browser forensics for Google Chrome/Chromium
A modular Python application to collect intelligence for malicious hosts.
Command line utility and Python package to ease the (un)mounting of forensic disk images
A Powershell incident response framework
$MFT directory tree reconstruction & record info
Online hash checker for Virustotal and other services
PowerSponse is a PowerShell module focused on targeted containment and remediation during incident response.
A simple many-rules to many-files YARA scanner for incident response or malware zoos.
Collecting & Hunting for IOCs with gusto and style
A Simple Ransomware Vaccine
Stenographer is a packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. Discussion/announcements at [email protected]
A simple threat hunting tool based on osquery, Salt Open and Cymon API
Sysmon configuration file template with default high-quality event tracing
A repository of sysmon configuration modules
Traceroute improved wrapper for CSIRT and CERT operators
A concise, directive, specific, flexible, and free incident response plan template
Cyber Incident Response Team Playbook Battle Cards
Incident Response Methodologies
Phantom Community Playbooks
A Threat hunter's playbook to aid the development of techniques and hypothesis for hunting campaigns.
Process Dump Tools
Malware Configuration And Payload Extraction
Cuckoo Sandbox is an automated dynamic malware analysis system
Modified edition of cuckoo
A Python library to interface with a cuckoo-modified instance
Free and Open Source Reverse Engineering Platform powered by rizin
Ghidra is a software reverse engineering (SRE) framework
Malware static analysis framework
UNIX-like reverse engineering framework and command-line toolset
UNIX-like reverse engineering framework and command-line toolset.
A machine learning tool that ranks strings based on their relevance for malware analysis.
Binary analysis and management framework
A Python library and command line tools to provide interactive log visualization.
Simple Bash IOC Scanner
Loki - Simple IOC and Incident Response Scanner
simple YARA-based IOC scanner
Incident Response Documentation made easy. Developed by Incident Responders for Incident Responders
post mortem tracker
Super timeline all the things
Collaborative forensic timeline analysis
Windows Evidence Collection
Windows Live Artifacts Acquisition Script
A modern tool for the Windows kernel exploration and tracing
This script is made to collect the most valuable artifacts for forensics or incident response investigation rather than imaging the whole hard drive.
Incident Response Triage - Windows Evidence Collection for Forensic Analysis
Loki - Simple IOC and Incident Response Scanner
A collection of PowerShell modules designed for artifact gathering and reconnaissance of Windows-based endpoints.
Fast incident overview
PowerForensics provides an all in one platform for live disk forensic analysis
PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.