From 4ba1686f374557d144692dfb882155171a25c00c Mon Sep 17 00:00:00 2001 From: Adel K Date: Sun, 13 Sep 2020 15:41:31 +1000 Subject: [PATCH] Update README.md --- README.md | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 0ae11b8..61cc971 100644 --- a/README.md +++ b/README.md @@ -70,6 +70,8 @@ - [Sentinel Attack](https://github.com/BlueTeamLabs/sentinel-attack) - A repository of Azure Sentinel alerts and hunting queries leveraging sysmon and the MITRE ATT&CK framework - [Brim](https://github.com/brimsec/brim) - A desktop application to efficiently search large packet captures and Zeek logs - [YARA](https://github.com/virustotal/yara) - The pattern matching swiss knife +- [Intel Owl](https://github.com/intelowlproject/IntelOwl) - An Open Source Intelligence, or OSINT solution to get threat intelligence data about a specific file, an IP or a domain from a single API at scale. +- [Capa](https://github.com/fireeye/capa) - An open-source tool to identify capabilities in executable files. #### Alerting Engine @@ -119,6 +121,7 @@ - [Boss of the SOC (BOTS) Dataset Version 3](https://github.com/splunk/botsv3) - [EMBER](https://github.com/endgameinc/ember) ([paper](https://arxiv.org/abs/1804.04637)) - The EMBER dataset is a collection of features from PE files that serve as a benchmark dataset for researchers - [theZoo](https://github.com/ytisf/theZoo) - A repository of LIVE malwares +- [CIC Datasets](https://www.unb.ca/cic/datasets/index.html) - Canadian Institute for Cybersecurity datasets ### Resources @@ -158,6 +161,7 @@ - [Detection Spectrum](https://posts.specterops.io/detection-spectrum-198a0bfb9302) ([PDF](docs/specterops-DetectionSpectrum.pdf)) - [Capability Abstraction](https://posts.specterops.io/capability-abstraction-fbeaeeb26384) ([PDF](docs/specterops-CapabilityAbstraction.pdf)) - [Awesome YARA](https://github.com/InQuest/awesome-yara) - A curated list of awesome YARA rules, tools, and resources +- [Defining ATT&CK Data Sources](https://medium.com/mitre-attack/defining-attack-data-sources-part-i-4c39e581454f) - A two-part blog series that outlines a new methodology to extend ATT&CK’s current data sources. #### Frameworks @@ -172,6 +176,7 @@ - [The DML Model](http://ryanstillions.blogspot.com.au/2014/04/the-dml-model_21.html) - The Detection Maturity Level (DML) model is a capability maturity model for referencing ones maturity in detecting cyber attacks. - [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework) - [OSSEM](https://github.com/hunters-forge/OSSEM) (Open Source Security Events Metadata) - A community-led project that focuses on the documentation and standardization of security event logs from diverse data sources and operating systems +- [MITRE Shield](https://shield.mitre.org) - A knowledge base of active defense techniques and tactics ([Active Defense Matrix](https://shield.mitre.org/matrix/)) #### DNS @@ -187,10 +192,11 @@ #### Command and Control -- [Command-and-control Malware Traffic Playbook](https://www.demisto.com/command-control-malware-traffic-playbook/) -- [How to Hunt Command & Control Channels Using Bro IDS and RITA](https://www.blackhillsinfosec.com/how-to-hunt-command-and-control-channels-using-bro-ids-and-rita/) -- [Detect Beaconing with Flare, Elastic Stack, and Intrusion Detection Systems](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/) - [Rise of Legitimate Services for Backdoor Command and Control](docs/legit-services.pdf) +##### DoH +- [Hiding in Plain Sight](https://blog.huntresslabs.com/hiding-in-plain-sight-part-2-dfec817c036f) - A malware abusing Google DoH +- + #### Osquery @@ -330,6 +336,8 @@ A curated list of awesome adversary simulation resources - [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/) - A PowerShell Post-Exploitation Framework. - [RedHunt-OS](https://github.com/redhuntlabs/RedHunt-OS) - A Virtual Machine for Adversary Emulation and Threat Hunting. RedHunt aims to be a one stop shop for all your threat emulation and threat hunting needs by integrating attacker's arsenal as well as defender's toolkit to actively identify the threats in your environment. - [Infection Monkey](https://github.com/guardicore/monkey) - An open source Breach and Attack Simulation (BAS) tool that assesses the resiliency of private and public cloud environments to post-breach attacks and lateral movement. +- [Splunk Attack Range](https://github.com/splunk/attack_range) - A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk. + ### Resources