├── rough-tool-list.txt
├── xss.MD
├── BLOGS.MD
├── AI.MD
├── threatmodeling.MD
├── LICENSE
├── Crowdstrike-workshop-queries
├── videos.MD
├── interesting-links.md
├── rough-blogposts-list.txt
├── Tool-List.MD
└── README.md

--------------------------------------------------------------------------------
/rough-tool-list.txt:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/xss.MD:
--------------------------------------------------------------------------------
XSS Resources
==
https://auth0.com/blog/cross-site-scripting-xss/
https://auth0.com/blog/defending-against-xss-with-csp/

--------------------------------------------------------------------------------
/BLOGS.MD:
--------------------------------------------------------------------------------
- Maya Kaczorowski - https://mayakaczorowski.com/blogs
- Wiz - https://www.wiz.io/blog
- tl;dr sec - https://tldrsec.com/t/Blog
- Chris Farris - Cloud Security Guy - https://www.chrisfarris.com/

--------------------------------------------------------------------------------
/AI.MD:
--------------------------------------------------------------------------------
# AI Resources
- AI Security companies - https://www.globalcyberhackathon.com/ai-security-companies

## Conference AI Talk Videos
- https://tldrsec.com/p/tldr-every-ai-talk-bsideslv-blackhat-defcon-2024

## AI Learning Sites
- Anthropic courses
  - https://github.com/anthropics/courses/tree/master/real_world_prompting
  - https://github.com/anthropics/courses/tree/master/prompt_engineering_interactive_tutorial
- Microsoft
  - https://learn.microsoft.com/en-us/training/paths/ai-security-fundamentals/

--------------------------------------------------------------------------------
/threatmodeling.MD:
--------------------------------------------------------------------------------
Threat Modeling Resources
==
- The Trouble with Threat Modeling - https://www.microsoft.com/en-us/security/blog/2007/09/26/the-trouble-with-threat-modeling/
- Threat Modeling Manifesto - https://www.threatmodelingmanifesto.org/
- Agile Stationery - https://agilestationery.com/collections/threat-modeling
- Elevation of Privilege game - https://shostack.org/games/elevation-of-privilege
- Shostack blog - https://shostack.org/blog
- Threatware
  - github repo - https://github.com/samadhicsec/threatware
  - docs - https://threatware.readthedocs.io/en/main/index.html

Community
==
- Threat modeling Connect - https://www.threatmodelingconnect.com/
- TMC events - https://lu.ma/user/usr-nDXNWlgut7eh8Cw
- ThreatModCon - https://www.threatmodcon.com/
- TMC Forum - https://threatmodelingconnect.discourse.group/latest

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
This is free and unencumbered software released into the public domain.

Anyone is free to copy, modify, publish, use, compile, sell, or
distribute this software, either in source code form or as a compiled
binary, for any purpose, commercial or non-commercial, and by any
means.

In jurisdictions that recognize copyright laws, the author or authors
of this software dedicate any and all copyright interest in the
software to the public domain. We make this dedication for the benefit
of the public at large and to the detriment of our heirs and
successors. We intend this dedication to be an overt act of
relinquishment in perpetuity of all present and future rights to this
software under copyright law.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
OTHER DEALINGS IN THE SOFTWARE.

For more information, please refer to

--------------------------------------------------------------------------------
/Crowdstrike-workshop-queries:
--------------------------------------------------------------------------------
Crowdstrike Workshop search queries

Notes: the process execution event is ProcessRollup2 (field event_simpleName); a bare ProcessRollUp2 keyword only works because Splunk free-text matching is case-insensitive. Wrap OR-lists of FileName terms in parentheses: without them the earliest= and aid= constraints bind only to the first term and the remaining terms match across every host and time range.


Scenario 1 - Detect malicious use of standard admin tools (LOLBINS/LOLBAS)

earliest=-7d ComputerName=CS-FALCON-OW10 event_simpleName=ProcessRollup2

earliest=-7d aid=1989da72d41a47f5ae63abd62d9c26b2 event_simpleName=ProcessRollup2 | stats count by FileName | sort - count | fields count, FileName

earliest=-7d aid=1989da72d41a47f5ae63abd62d9c26b2 event_simpleName=ProcessRollup2 (FileName=net.exe OR FileName=ipconfig.exe OR FileName=whoami.exe OR FileName=quser.exe OR FileName=ping.exe OR FileName=netstat.exe OR FileName=tasklist.exe OR FileName=hostname.exe OR FileName=at.exe OR FileName=powershell.exe) | stats count by FileName | sort - count | fields count, FileName


Scenario 2 - detect web shells

earliest=-7d aid=e119e1b6e95048ce9e5ca50bddee856f event_simpleName=ProcessRollup2 | stats count by FileName | sort - count | fields count, FileName

earliest=-7d aid=e119e1b6e95048ce9e5ca50bddee856f event_simpleName=ProcessRollup2 (FileName=net.exe OR FileName=ipconfig.exe OR FileName=whoami.exe OR FileName=quser.exe OR FileName=ping.exe OR FileName=netstat.exe OR FileName=tasklist.exe OR FileName=hostname.exe OR FileName=cmd.exe OR FileName=powershell.exe) | stats count by FileName | sort - count | fields count, FileName

earliest=-7d aid=e119e1b6e95048ce9e5ca50bddee856f event_simpleName=ProcessRollup2 FileName=powershell.exe (CommandLine=*Invoke-WebRequest* OR CommandLine=*Net.WebClient* OR CommandLine=*Start-BitsTransfer* OR CommandLine=*-enc* OR CommandLine=*encoded*) | table ComputerName UserName FileName CommandLine


Scenario 3 - threat hunting on Linux

earliest=-7d aid=09d2a7a912814da5b3050b76f3e46c5f event_simpleName=ProcessRollup2

earliest=-7d aid=09d2a7a912814da5b3050b76f3e46c5f event_simpleName=ProcessRollup2 | stats count by FileName | sort - count | fields count, FileName

earliest=-7d aid=09d2a7a912814da5b3050b76f3e46c5f event_simpleName=ProcessRollup2 (FileName=whoami OR FileName=id OR FileName=netstat OR FileName=wget OR FileName=cat OR FileName=ping OR FileName=touch OR FileName=ps OR FileName=hostname OR FileName=perl OR FileName=python OR FileName=make) | stats count by FileName | sort - count | fields count, FileName

--------------------------------------------------------------------------------
/videos.MD:
--------------------------------------------------------------------------------
Security Videos
==

Videos and channels from conferences etc
- BSidesSF - https://www.youtube.com/@BSidesSF
- OWASP AppSec Cali 2019 - https://www.youtube.com/playlist?list=PLpr-xdpM8wG-bXotGh7OcWk9Xrc1b4pIJ
- Semgrep - https://www.youtube.com/@semgrep
- OWASP
  - OWASP Global - https://www.youtube.com/@OWASPGLOBAL
  - OWASP London - https://www.youtube.com/@OWASPLondon
- Adam Shostack - https://www.youtube.com/@Shostack
- Cloud Security Alliance - https://www.youtube.com/@CloudSecurityAllianceDotOrg
- Vulnerable U (Matt J) - https://www.youtube.com/@VulnerableU
- Datadog - https://www.youtube.com/@DatadogHQ
- LocoMocoSec - https://www.youtube.com/@locomocosecurityconference
- Jit - https://www.youtube.com/@jitsec
- LearnSBOM - https://www.youtube.com/@LearnSBOM/videos
- Anais Urlichs (Semgrep Dev Advocate) - https://www.youtube.com/@AnaisUrlichs/featured
- Falco - https://www.youtube.com/@falcosecurity
- Sysdig - https://www.youtube.com/@sysdig
- SOCFortress -
https://www.youtube.com/@taylorwalton_socfortress
- SANS
  - SANS Cloud Security - https://www.youtube.com/@SANSCloudSecurity
  - CloudSecNext Summit 2024 - https://www.youtube.com/playlist?list=PLsfnCRA9QVnQ4UWSOWiLKJci3_isxI3U6
- Hexacon - https://www.youtube.com/@hexacon4091
  - Hexacon 2024 - https://www.youtube.com/playlist?list=PLiEHUFG7koLvk72LC2xGCn65M535-vIEC
- The Elephant In AppSec conference - https://app.getcontrast.io/the-elephant-in-appsec
- DefCon 32 (2024) - https://www.youtube.com/playlist?list=PL9fPq3eQfaaB2scbXRczwvjVH0ckX4bwt

Platform Engineering & DevOps
==
- DevOps Toolkit - https://www.youtube.com/@DevOpsToolkit
- Cloud Native London - https://www.youtube.com/@CherylHung
- CNCF - https://www.youtube.com/@cncf/videos
- Aqua Security Open Source - https://www.youtube.com/@AquaSecOSS
- Techworld with Nana - https://www.youtube.com/@TechWorldwithNana
- Anton Babenko - https://www.youtube.com/@AntonBabenkoLive/videos
- CloudDev Engineering - https://www.youtube.com/@CloudDevEngineering

Engineering
==
- Free Code Camp - https://www.youtube.com/@freecodecamp

--------------------------------------------------------------------------------
/interesting-links.md:
--------------------------------------------------------------------------------
https://github.com/protectai/vulnhuntr
https://www.edr-telemetry.com/index.html
https://0xanalyst.github.io/Project-Lost/
https://docs.kernel.org/security/landlock.html
https://checkmarx.com/blog/this-new-supply-chain-attack-technique-can-trojanize-all-your-cli-commands/
https://www.gyan.ca/lessons-in-security-tooling-strategies-for-success/
https://www.resourcely.io/product/blueprints
https://rhinosecuritylabs.com/research/cloudgoat-sns_secrets/
https://tracebit.com/blog/breaching-the-data-perimeter-cloudtrail-as-a-mechanism-for-data-exfiltration
https://www.datadoghq.com/state-of-cloud-security/
https://danaepp.com/kev-cwe-attack-vector
https://corgea.com/Learn/understanding-ai-and-large-language-models-(llms)-a-guide-for-security-engineers
https://github.com/nccgroup/PMapper
https://secureslate.medium.com/7-best-user-access-review-tools-to-save-your-business-in-2024-168a74af2309
https://permify.co/post/open-source-identity-access-management-iam-solutions-for-enterprises/
https://medium.com/life-at-chime/monocle-how-chime-creates-a-proactive-security-engineering-culture-part-1-dedd3846127f
https://medium.com/life-at-chime/mitigating-risky-pull-requests-with-monocle-risk-advisor-part-2-7013e1485bf2
https://docs.google.com/presentation/d/1Jy-SvTuXItTH7Vpqq8O0anp4-FQKiZUShOcBeWxYowk/edit#slide=id.g21309ae7977_0_260
https://www.youtube.com/watch?v=TmRyZ7FB-HA
https://www.wiz.io/academy/open-policy-agent-opa
https://www.wiz.io/blog/getting-started-with-open-policy-agent-opa-to-improve-your-cloud-security
https://netflixtechblog.com/the-show-must-go-on-securing-netflix-studios-at-scale-19b801c86479
https://tldrsec.com/p/blog-appsec-cali-2019-lessons-learned-from-the-devsecops-trenches
https://securitychampions.owasp.org/
https://info.securityjourney.com/owasp-api-training-program
https://cwe.mitre.org/top25/archive/2024/2024_cwe_top25.html
https://github.com/ComplianceAsCode/content
https://awseye.com/
https://www.plerion.com/blog/what-do-hackers-know-about-your-aws-account
https://www.fogsecurity.io/blog/data-perimeters-with-resource-control-policies-and-aws-kms
https://www.wiz.io/blog/how-to-use-aws-resource-control-policies
https://medium.com/@oraspir/hands-on-security-tips-for-centralize-root-access-in-aws-assumeroot-5d315de423cd
https://alsmola.medium.com/access-approvals-considered-harmful-f24fa2fe2f87
https://github.com/specfy/stack-analyser
https://www.cloudflare.com/en-gb/learning/ssl/lava-lamp-encryption/
https://www.legitsecurity.com/blog/api-key-security-best-practices
https://www.anshumanbhartiya.com/posts/hackagent
https://www.anshumanbhartiya.com/posts/the-future-of-appsec
https://github.com/GerbenJavado/LinkFinder
https://arxiv.org/abs/2412.02776
https://www.invicti.com/blog/security-labs/brainstorm-tool-release-optimizing-web-fuzzing-with-local-llms/
https://www.wiz.io/blog/how-to-set-secure-defaults-on-aws
https://www.labs.greynoise.io/grimoire/2024-01-03-snakeyaml-deserialization/
https://www.linkedin.com/pulse/aws-account-security-onboarding-mind-map-artem-marusov-zrpre/
https://tldrsec.com/p/software-supply-chain-vendor-landscape
https://tldrsec.com/p/blog-insecure-development-why-some-product-teams-are-great-and-others-arent
Clint Gibler - How to 10X your security presentation - https://docs.google.com/presentation/d/1lfEvXtw5RTj3JmXwSQDXy8or87_BHrFbo1ZtQQlHbq0/edit?pli=1#slide=id.g6555b225cd_0_1069
https://techbeacon.com/app-dev-testing/how-scale-security-devsecops-4-valuable-mindsets-principles
https://netflixtechblog.medium.com/scaling-appsec-at-netflix-6a13d7ab6043
https://openviewpartners.com/blog/what-is-minimum-viable-security-mvs/#.YhINjt9Bxzo
https://www.jit.io/blog/what-is-minimum-viable-security-mvs-and-how-does-it-improve-the-life-of-developers
https://airwalkreply.com/cloud-services-as-exfiltration-mechanisms
https://arxiv.org/abs/2108.12078
https://www.figma.com/blog/how-we-enforce-device-trust-on-code-changes/
https://www.zoom.com/en/blog/viss-approach-to-vulnerability-impact-scoring/
https://aws.github.io/aws-security-services-best-practices/
https://blog.qualys.com/vulnerabilities-threat-research/2023/12/19/2023-threat-landscape-year-in-review-part-one
https://medium.com/spacelift/18-most-useful-terraform-tools-to-use-in-2023-dabcaa3fb5b1
https://spacelift.io/blog/terraform-tools
https://securitylabs.datadoghq.com/articles/eks-pod-identity-deep-dive/
https://aws.amazon.com/blogs/aws/amazon-eks-pod-identity-simplifies-iam-permissions-for-applications-on-amazon-eks-clusters/
https://www.chrisfarris.com/post/reinvent2023/
https://snyk.io/learn/application-security/measuring-appsec-success/
https://snyk.io/learn/application-security/vulnerability-vs-weakness/
https://snyk.io/learn/application-security/asset-first-application-security/
https://ebenamor.medium.com/7-underrated-kubernetes-projects-elevate-your-lab-playground-ac7f47cba347
https://medium.com/@rphilogene/top-10-platform-engineering-tools-you-should-consider-in-2024-892e6e211b85
https://medium.com/4th-coffee/the-new-frontier-in-cybersecurity-embracing-security-as-code-51e5ce62b19e
https://cyb3rops.medium.com/introducing-yara-forge-a77cbb77dcab
https://securitylabs.datadoghq.com/articles/misconfiguration-spotlight-imds/
https://aws.amazon.com/blogs/security/get-the-full-benefits-of-imdsv2-and-disable-imdsv1-across-your-aws-infrastructure/
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-transition-to-version-2.html
https://aws.amazon.com/blogs/security/how-to-create-an-ami-hardening-pipeline-and-automate-updates-to-your-ecs-instance-fleet/
https://securitylabs.datadoghq.com/articles/from_detection_to_enforcement_migrating_from_imdsv1_to_imdsv2/
https://www.youtube.com/watch?v=wru_AyiZdlY
https://tide.org/
https://seifrajhi.github.io/blog/eks-detect-manual-actions/
https://blog.trailofbits.com/2024/01/12/how-to-introduce-semgrep-to-your-organization/
https://boringappsec.substack.com/p/edition-18-the-diminishing-returns
https://tldrsec.com/p/ross-pentesting-qa
https://edu.chainguard.dev/chainguard/chainguard-images/staying-secure/working-with-scanners/false-results/
https://docs.gitlab.com/ee/ci/secrets/
https://boostsecurity.io/blog/opening-pandora-box-supply-chain-insider-threats-in-oss-projects
https://orca.security/resources/blog/kubernetes-testing-environment/

--------------------------------------------------------------------------------
/rough-blogposts-list.txt:
--------------------------------------------------------------------------------
How to stay safe from repo-jacking - The GitHub Blog
Kubernetes RBAC: Role-Based Access Control
Speed Meets Security: How Bottlerocket Optimizes EKS Workloads
NSA Releases Top Ten Cloud Security Mitigation Strategies > National Security Agency/Central Security Service > Press Release View
Tackling cybersecurity vulnerabilities through Secure by Design
Secure by Design Alert: Eliminating SQL Injection Vulnerabilities in Software | CISA
Keep Hackers Out of Your Kubernetes Cluster with These 5 Simple Tricks!
Mapping the global geography of cybercrime with the World Cybercrime Index | PLOS ONE
Deterring Attackers with HoneyTrail: Deploying Deception in AWS | by Adan | May, 2024 | Medium
Detecting Manual Actions in EKS Clusters with Terraform and SNS 🕵 | by Seifeddine Rajhi | Medium
Impair Defenses [T1562.012]: Detect Linux Audit Logs Tampering (Part 1) | by Aleksandar Matev | May, 2024 | Detect FYI
Enhancing Security for AWS Static Websites: A PoC Implementation of Honeytokens | by Adan | Medium
How I hacked into Google’s internal corporate assets – Observations in Security
Emerging Identity Threats: The Muddy Waters of Residential Proxies | Obsidian Security
Full article: Evidence-based cybersecurity policy? A meta-review of security control effectiveness
Fun with Kubernetes Authorization Auditing - multiple authz plugins
Image signing validation on K8s. In the previous post, we talked about… | by Brian Davis | Medium
Semgrep for Terraform Security – High Signal Security – YAIB (Yet Another Infosec blog).
Using feature flags for security | by Alex Smolen | Apr, 2024 | Medium
(The) Postman Carries Lots of Secrets ◆ Truffle Security Co.
Choosing secure and verifiable technologies
A Step-by-Step Guide to Securely Upgrading Your EKS Clusters
Monitoring your EKS clusters audit logs | Falco
Quickly Visualize your AWS Costs · Bits and Cloud
Mistaken Identification: When an Attack Technique isn’t a Technique | by VanVleet | Jul, 2024 | Medium
Reverse Engineering eBPF Programs: A Deep Dive
Detection Engineering Fundamentals: What makes a good alert? | by br4dy5 | Jun, 2024 | Medium
A Guide To Kubernetes Logs That Isn't A Vendor Pitch
Taking a look at Kubernetes Profiling
About - Pivot Atlas
Stop worrying about 'allowPrivilegeEscalation' - Christophe Tafani-Dereeper
Impair Defenses [T1562.012]: Detect Linux Audit Logs Tampering (Part 2) | by Aleksandar Matev | Jun, 2024 | Detect FYI
Building to Prevent Subdomain Takeovers – High Signal Security – YAIB (Yet Another Infosec blog).
Overcoming Security Obstructionism
State of Exploitation - A Peek into the Last Decade of Vulnerability Exploitation
Dirty Little Secrets of Vulnerability Management
Encryption At Rest: Whose Threat Model Is It Anyway? – Semantically Secure
EDR Internals for macOS and Linux | Outflank Security Blog
The race to make a business out of secure defaults
Encoding Differentials: Why Charset Matters | Sonar
Introducing YetiHunter: An open-source tool to detect and hunt for suspicious activity in Snowflake
🙂 Fortunately ⇆ 🙁 Unfortunately of 🙂 Fortunately ⇆ 🙁 Unfortunately
How to make “Input validation” easy for your devs | by Mohamed AboElKheir | AppSec Untangled | Jul, 2024 | Medium
The Absurdly Underestimated Dangers of CSV Injection
How to Secure Your Kubernetes Clusters with Trivy
DevSec Blog - Application Security and DevSecOps Learning Resources
Wiring a Winning Security Organization
Non-Production Endpoints as an Attack Surface in AWS | Datadog Security Labs
Gibler - How to 10X Your Security - Google Slides
Introducing RedFlag: Using AI to Scale Addepar's Offensive Security Team | Addepar
How to create a multi clusters secure supply chain (SLSA 3) in 10min (OSS edition) | by Jean-Philippe Gouin | Medium
Securing the Container World with Policies: acjs and ctrdac - Google Bug Hunters
Attack Paths Into VMs in the Cloud
AWS OIDC Provider Enumeration – High Signal Security – YAIB (Yet Another Infosec blog).
AWS without Access Keys · The Fly Blog
Phantom Secrets: Undetected Secrets Expose Major Corporations
Bugcrowd’s Vulnerability Rating Taxonomy - Bugcrowd
Defenses - Wiz
Don’t Security Engineer Asymmetric Workloads
A guide to threat hunting and monitoring in Snowflake | Datadog Security Labs
Utilizing Generative AI and LLMs to Automate Detection Writing | by Dylan | Medium
Guide your SOC Leaders to More Engineering Wisdom for Detection(Part 9) | by Anton Chuvakin | Anton on Security | Jul, 2024 | Medium
Creating Cost-Effective, Scalable Detections | Rippling
Kubernetes security fundamentals: Authorization | Datadog Security Labs
Enabling Security Guardrails: Infra as Code with CDK for Terraform
Building a Detection Engine Part 1 - What is it? | Medium
Inside the ransomware playbook: Analyzing attack chains and mapping common TTPs
A hard look at GuardDuty shortcomings
Container Breakouts: Escape Techniques in Cloud Environments
Insecure deserialization | Web Security Academy
Shorten your detection engineering feedback loops with Grimoire | Datadog Security Labs
My Methodology to AWS Detection Engineering (Part 1: Object Selection)
Introducing Sigma Specification v2.0 | by Nasreddine Bencherchali | Aug, 2024 | Sigma_HQ
Bucket Monopoly: Breaching AWS Accounts Through Shadow Resources
An AWS Administrator Identity Crisis: Part 1 | by hotnops | Posts By SpecterOps Team Members
Meet IAM APE: Open Source Tool for AWS IAM Policy Management
An AWS IAM Security Tooling Reference [2024] – High Signal Security – YAIB (Yet Another Infosec blog).
Lessons Learned in Detection Engineering | by Ryan McGeehan | Starting Up Security | Medium
Linux Detection Engineering - A Sequel on Persistence Mechanisms — Elastic Security Labs
AWS IAM: A Comprehensive Guide Toward Least Privilege - Cyscale
AWS vs Azure: A “Secure by default” comparison – Security Café
Industrial IAM Service Role Creation – High Signal Security – YAIB (Yet Another Infosec blog).
Delivering Security at Scale: From Artisanal to Industrial
Designing Least Privilege AWS IAM Policies for People | by Alex Smolen | Medium
Building A Security Platform Engineering Team | Kane Narraway
Compound Probability: You Don’t Need 100% Coverage to Win | by VanVleet | Sep, 2024 | Medium
Table stakes for Detection Engineering
New whitepaper available: Building security from the ground up with Secure by Design | AWS Security Blog
Detection Engineering and Threat Hunting: 🤝🏼
What’s the worst place to leave your secrets? – Research into what happens to AWS credentials that are left in public places - Cybenari
How AWS uses automated reasoning to help you achieve security at scale | AWS Security Blog
Understand how IAM Access Analyzer findings work - AWS Identity and Access Management
Refine permissions in AWS using last accessed information - AWS Identity and Access Management
Artificial intelligence: A reading list - House of Commons Library
10x Your AppSec Program with this One Simple Trick | securing.dev
Comprehensive Static Analysis: Accuracy, Speed, or Completeness | securing.dev
Steampipe + Access Advisor – High Signal Security – YAIB (Yet Another Infosec blog).
Addressed AWS Default Risks: OIDC, Terraform and Admin Access
Cloudfront WAF bypass resulted in a 9k bill : r/aws
The rise of security engineering and how it is changing the cybersecurity of tomorrow
Bringing software engineering principles, systems, and processes to cybersecurity
Challenges in Security Engineering Programs
300 Billion Emails, Infinite Risk: The Evolution of Email Security
Simplifying XSS Detection with Nuclei - A New Approach
Mastering Cloud-Specific IOCs for Enhanced Threat Detection | Wiz Blog
The Russian APT Tool Matrix
Introducing Sigmalite. RunReveal's open source sigma rule evaluator for detection
A Cloud Access Management Maturity Model: Part 1 | Community | Blog | Common Fate
A Cloud Access Management Maturity Model: Part 2 | Community | Blog | Common Fate
A safer Internet with Cloudflare: free threat intelligence, analytics, and new threat detections

--------------------------------------------------------------------------------
/Tool-List.MD:
--------------------------------------------------------------------------------
- YaraHunter
  - https://github.com/deepfence/YaraHunter
  - https://docs.deepfence.io/docs/yarahunter/
- Tracee
  - https://github.com/aquasecurity/tracee
  - https://aquasecurity.github.io/tracee/latest/docs/overview/
  - https://www.aquasec.com/blog/cicd-pipeline-security-tool-tracee/
- Cue - Data validation language - https://cuelang.org/
  - https://cuelang.org/docs/introduction/
- Mergen
  - https://github.com/petrgazarov/salami
  - https://github.com/sametsazak/mergen
- Trivy's misconfiguration scanning engine - https://github.com/aquasecurity/defsec
- SASTScan - free & Open Source DevSecOps tool for performing static analysis based security testing of your applications and its dependencies. CI and Git friendly
  - https://github.com/ShiftLeftSecurity/sast-scan
- DepScan - security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies
  - https://github.com/owasp-dep-scan/dep-scan
- https://www.pynt.io/
- https://hadolint.github.io/hadolint/
- uBlock - efficient blocker for Chromium and Firefox - https://github.com/gorhill/uBlock
- automatically give AWS IAM users access to your Kubernetes cluster - https://github.com/Qovery/iam-eks-user-mapper
- Cleaning up images from Kubernetes nodes - https://github.com/eraser-dev/eraser
- Turbot - https://turbot.com/
  - Flowpipe - https://flowpipe.io/
    - https://github.com/turbot/flowpipe
  - https://steampipe.io/
  - Guardrails - https://turbot.com/guardrails
  - Pipes - https://turbot.com/pipes
- document and assess any security automation in your SOC - https://github.com/tuckner/automation-capability-matrix
- KubeClarity - detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems - https://github.com/openclarity/kubeclarity
- IceKube - Attack paths in k8s clusters
  - https://github.com/WithSecureLabs/IceKube
  - https://labs.withsecure.com/tools/icekube--finding-complex-attack-paths-in-kubernetes-clusters
- Map cloudtrail data to Mitre ATT&CK - https://github.com/zmallen/cloudtrail2sightings
- CloudSecGPT - https://blog.marcolancini.it/2023/blog-cloudsecgpt/
- CHEN (Code Hierarchy Exploration Net) - https://github.com/AppThreat/chen
- A curated list of GPT agents for cybersecurity - https://github.com/fr0gger/Awesome-GPT-Agents
- aws2tf - automates the importing of existing AWS resources into Terraform and outputs the Terraform HCL code
  - https://github.com/aws-samples/aws2tf
- osqtool (Chainguard) - Automated testing, generation & manipulation of #osquery packs
  - https://github.com/chainguard-dev/osqtool
- Adversary Emulation Library - open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs
  - https://github.com/center-for-threat-informed-defense/adversary_emulation_library
- border-collie - Semgrep tool - https://gitlab.com/lapt0r/border-collie
- SSH-Snake - a self-propagating, self-replicating, file-less script that automates the post-exploitation task of SSH private key and host discovery
  - https://github.com/MegaManSec/SSH-Snake
- EvilSlackbot - https://drew-sec.github.io/EvilSlackbot/
- Dive - tool for exploring & shrinking each layer in a docker image
  - https://github.com/wagoodman/dive
- ModSecurity - open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx, developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis
  - https://github.com/SpiderLabs/ModSecurity
- Ostorlab - security scanning orchestrator
  - https://ostorlab.co
  - https://github.com/Ostorlab/KEV
- Terraformer - CLI tool to generate terraform from existing infrastructure - https://github.com/GoogleCloudPlatform/terraformer
- TFLint - https://github.com/terraform-linters/tflint
- Datree - k8s misconfigurations - https://www.datree.io
- Konstraint - policy management tool for interacting with OPA Gatekeeper - https://github.com/plexsystems/konstraint
- Kuma - multi-zone service mesh for containers, Kubernetes and VMs. Built with Envoy. CNCF Sandbox Project - https://github.com/kumahq/kuma
- Envoy proxy - https://www.envoyproxy.io/
- KubeArmor - K8s Runtime Security Enforcement System
  - https://kubearmor.io/
  - https://github.com/kubearmor/KubeArmor
- Infisical - open source secrets management
  - https://infisical.com/
  - https://github.com/Infisical/infisical
- Git Secret - bash-tool to store your private data inside a git repository - https://github.com/sobolevn/git-secret
- VAmPI - Vulnerable REST API with OWASP top 10 vulnerabilities for security testing - https://github.com/erev0s/VAmPI
- HoppScotch - open source postman alternative
  - https://docs.hoppscotch.io/
  - https://hoppscotch.io/
  - https://github.com/hoppscotch/hoppscotch
- Kraken CI - open source self-hosted CI
  - https://kraken.ci/
  - https://github.com/Kraken-CI/kraken
- Backstage - open source developer portal framework
  - https://backstage.io/
  - https://github.com/backstage/backstage
- Buildbot - Python-based continuous integration testing framework
  - https://buildbot.net/
  - https://github.com/buildbot/buildbot/
- Ceph - open source distributed storage system
  - https://ceph.io/en/
  - https://github.com/ceph/ceph
- Digger - terraform pull request automation - self-hosted or github actions app
  - https://digger.dev/
  - https://github.com/diggerhq/digger
- Secure Codebox - Automated Security Testing Tool - https://www.securecodebox.io/
- OWASP - https://owasp.org/projects/
  - Nettacker - Automated Penetration Testing Framework - Open-Source Vulnerability Scanner - Vulnerability Management
    - https://github.com/owasp/nettacker
  - OWTF - Open Web Testing Framework
    - https://owasp.org/www-project-owtf/
    - https://github.com/owtf/owtf
  - BLT - Bug Logging Tool
    - https://blt.owasp.org/
    - https://owasp.org/www-project-bug-logging-tool/
  - DSOMM - DevSecOps Maturity Model - https://owasp.org/www-project-devsecops-maturity-model/
  - SAMM - Software Assurance Maturity Model - https://owasp.org/www-project-samm/
  - ASVS - Application Security Verification Standard
    - https://owasp.org/www-project-application-security-verification-standard/
    - https://github.com/OWASP/ASVS
- Terranetes - Self serve cloud resources with Terraform & Kubernetes
  - https://terranetes.appvia.io/
  - https://terranetes.appvia.io/terranetes-controller/
  - https://github.com/appvia/terranetes
  - https://github.com/appvia/terranetes-controller
- Kubewarden - Policy as Code engine for K8s
  - https://www.kubewarden.io/
  - https://github.com/kubewarden
- jsPolicy - k8s policies with javascript or typescript - https://www.jspolicy.com/
- Linkerd - Service mesh - https://linkerd.io/
- Istio - Service mesh - https://istio.io/
- Traefik - ingress solutions - https://traefik.io/
- Malcontent - supply chain malware discovery tool - https://github.com/chainguard-dev/malcontent
- NamespaceHound - tool for detecting the risk of potential namespace crossing violations in multi-tenant clusters - https://github.com/wiz-sec-public/namespacehound
- PoIEx - Points of Intersection Explorer for code reviews
  - https://blog.doyensec.com/2024/01/30/poiex-release.html
  - https://github.com/doyensec/PoiEx
- WeAudit - collaborative code review tool for VSCode - https://marketplace.visualstudio.com/items?itemName=trailofbits.weaudit
- TrustOnCloud threat models - https://github.com/trustoncloud
- TrailDiscover - AWS CloudTrail TTP library related to ATT&CK - https://traildiscover.cloud/
  - https://medium.com/@adan.alvarez/introducing-traildiscover-simplifying-access-to-security-insights-about-cloudtrail-events-cde14508f2e9
  - https://github.com/adanalvarez/TrailDiscover
- DevPod - open source Codespaces alternative - https://devpod.sh/
  - https://github.com/loft-sh/devpod
- JNV - json viewer and jq filter editor - https://github.com/ynqa/jnv
- Open-API-TUI - Terminal UI to list, browse and run APIs defined with openapi spec - https://github.com/zaghaghi/openapi-tui
- IAMGraph - Tool to model AWS IAM role trust relationships and assume role paths to Neo4j graph database - https://github.com/WithSecureLabs/IAMGraph
- Gram - Klarna's own threat model diagramming tool - https://github.com/klarna-incubator/gram
- OpenFunction - Cloud Native Function-as-a-Service Platform
  - https://openfunction.dev/
  - https://github.com/OpenFunction/OpenFunction
- Dagger - engine to run pipelines in containers - https://dagger.io/
  - https://github.com/dagger/dagger
- AppView - Instrument, Observe, Secure - https://appview.org/
  - https://github.com/appview-team/appview
- Task Ninja - Task automation framework for pentesting etc - https://github.com/RikunjSindhwad/Task-Ninja
- Nix & NixOS - reliable package management - https://nixos.org/
- CloudGrappler - tool for querying of high-fidelity and single-event detections related to well-known threat actors in popular cloud environments
  - https://github.com/Permiso-io-tools/CloudGrappler
- sslscan - tests SSL/TLS enabled services to discover supported cipher suites - https://github.com/rbsec/sslscan
- SSLyze - Fast and powerful SSL/TLS scanning library - https://github.com/nabla-c0d3/sslyze
- Atlantis - Terraform Pull Request Automation - https://www.runatlantis.io/
- Libyear Maven Plugin - Maven implementation of the libyear dependency freshness measure - https://github.com/mfoo/libyear-maven-plugin
- Project Discovery - vulnerability detection tool suite - https://projectdiscovery.io/
  - https://docs.projectdiscovery.io/introduction
  - https://github.com/projectdiscovery
- HoneyTrail - AWS honeytrap & dedicated cloudtrail generator - https://github.com/adanalvarez/HoneyTrail
- Docker phobia - image size analysis & shrinking - https://github.com/remorses/docker-phobia
- Known Breaches - Collection of known data breaches updated daily - https://breaches.dls.sh/
  - https://github.com/notdls/known-breaches
- IAM Zero - Identity & Access Management simplified and secure - https://iamzero.dev/
  - https://github.com/common-fate/iamzero
  - https://iamzero.dev/docs/getting-started
- IAM Ape - combines all AWS permissions for an entity into single policy - https://github.com/orcasecurity/orca-toolbox/tree/main/iam-ape
- SPIFFE - Secure Production Identity Framework For Everyone - https://spiffe.io/
- Dorothy - test Okta security monitoring & detection - https://github.com/elastic/dorothy
- Cloud Commotion - cause chaos to simulate security incidents - https://github.com/SecurityRunners/CloudCommotion
- fail2ban - Daemon to ban hosts that cause multiple authentication errors - https://github.com/fail2ban/fail2ban
- ELFieScanner - A C++ tool for process memory scanning & suspicious telemetry generation that attempts to detect a number of malicious techniques used by threat actors & those which have been incorporated into open-source user-mode rootkits.
162 | - https://github.com/JanielDary/ELFieScanner 163 | - Incidental - An opensource incident management platform integrating with Slack - https://www.incidental.dev/ 164 | - https://github.com/incidentalhq/incidental 165 | - Axe - AWS CloudWatch log viewer - https://github.com/mikhail-m1/axe 166 | - Kflowd - Kernel-based Process Monitoring on Linux Endpoints for File System, TCP and UDP Networking Events and optionally DNS and HTTP Application Messages via eBPF Subsystem 167 | - https://github.com/tarsal-oss/kflowd 168 | - Mailgoose - A web application that allows the users to check whether their SPF, DMARC and DKIM configuration is set up correctly - https://github.com/CERT-Polska/mailgoose 169 | - YetiHunter - tool to query snowflake environments for evidence of compromise 170 | - https://permiso.io/blog/introducing-yetihunter-an-open-source-tool-to-detect-and-hunt-for-suspicious-activity-in-snowflake 171 | - https://github.com/Permiso-io-tools/YetiHunter 172 | - Netfetch - Kubernetes tool for scanning clusters for network policies and identifying unprotected workloads - https://github.com/deggja/netfetch 173 | - Txt2stix - Python script that is designed to identify and extract IoCs and TTPs from text files, identify the relationships between them, convert them to STIX 2.1 objects, and output as a STIX 2.1 bundle 174 | - https://github.com/muchdogesec/txt2stix 175 | - Image-automation-controller - GitOps Toolkit controller that patches container image tags in Git - https://github.com/fluxcd/image-automation-controller 176 | - Eyeballvul - a future-proof benchmark for vulnerability detection in the wild 177 | - https://arxiv.org/abs/2407.08708 178 | - https://github.com/timothee-chauvin/eyeballvul 179 | - Diana - Save toil in security operations with: Detection & Intelligence Analysis for New Alerts (D.I.A.N.A.) 
- https://github.com/dwillowtree/diana 180 | - Ice-axe - Snowflake Native Application designed to provide insights into Snowflake account activities that may be potential threats - https://github.com/DuneGroup/ice-axe 181 | - Vals-operator - Kubernetes Operator to sync secrets between different secret backends and Kubernetes - https://github.com/digitalis-io/vals-operator 182 | - AWS-Reasonable-Account-Defaults - CloudFormation template to create reasonable account defaults around Cost Surprise Alerting - https://github.com/dubrowin/AWS-Reasonable-Account-Defaults 183 | - Apeman - AWS Attack Path Management Tool - https://github.com/hotnops/apeman 184 | - ScubaGear - Automation to assess the state of your M365 tenant against CISA's baselines - https://github.com/cisagov/ScubaGear 185 | - EvoMaster - The first open-source AI-driven tool for automatically generating system-level test cases (also known as fuzzing) for web/enterprise applications. Currently targeting whitebox and blackbox testing of Web APIs, like REST, GraphQL and RPC (e.g., gRPC and Thrift) - https://github.com/WebFuzzing/EvoMaster 186 | - ffufai - AI-powered ffuf wrapper - https://github.com/jthack/ffufai 187 | - Red-Teaming-TTPs - Useful Techniques, Tactics, and Procedures for red teamers and defenders, alike! - https://github.com/RoseSecurity/Red-Teaming-TTPs 188 | - Parliament - AWS IAM linting library - https://github.com/duo-labs/parliament 189 | - AWS-lint-iam-policies - Runs IAM policy linting and security checks against either a single AWS account or a set of member accounts of an AWS Organization - https://github.com/welldone-cloud/aws-lint-iam-policies 190 | - IAMSpy - library that utilises the Z3 prover to attempt to answer questions about AWS IAM - https://github.com/WithSecureLabs/IAMSpy 191 | - Pacu - The AWS exploitation framework, designed for testing the security of Amazon Web Services environments. 
- https://github.com/RhinoSecurityLabs/pacu 192 | - PMapper - A tool for quickly evaluating IAM permissions in AWS. - https://github.com/Fennerr/PMapper 193 | - Openai-security-bots - Slack bots integrated with OpenAI APIs to streamline security team's workflows - https://github.com/openai/openai-security-bots 194 | - AWS-mine - AWS honey token manager - https://github.com/StevenSmiley/aws-mine 195 | - Grimoire - Generate datasets of cloud audit logs for common attacks - https://github.com/DataDog/grimoire 196 | - ZITADEL - Identity infrastructure, simplified for you. - https://github.com/zitadel/zitadel 197 | - Fibratus - Adversary tradecraft detection, protection, and hunting - https://github.com/rabbitstack/fibratus 198 | - API-Threat-Matrix - A comprehensive knowledge base for security professionals to keep track of and build defenses against API attack techniques. - https://github.com/Escape-Technologies/API-Threat-Matrix 199 | - Cloudsplaining - AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized report. 
- https://github.com/salesforce/cloudsplaining 200 | - OWASP dep-scan - security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies - https://github.com/owasp-dep-scan/dep-scan 201 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Cyber-resource-list 2 | Cyber Security resource list 3 | 4 | ## Learning - AppSec 5 | - Semgrep Academy - https://academy.semgrep.dev/ 6 | - IriusRisk - https://learn.iriusrisk.com/library/ 7 | - Wiz Academy - https://www.wiz.io/academy 8 | - Linux Foundation (some $0) - https://training.linuxfoundation.org/full-catalog/?_sft_product_type=training&_sft_topic_area=cybersecurity 9 | - EdX - https://www.edx.org/learn/software-development 10 | - Secure supply chain with Sigstore - https://www.edx.org/learn/software-development/the-linux-foundation-securing-your-software-supply-chain-with-sigstore 11 | - OpenSSF - https://openssf.org/training/ 12 | 13 | ## What's popular in open source security software: 14 | - Open Source Security Index - https://opensourcesecurityindex.io/ 15 | 16 | ## Policy As Code 17 | - OPA - https://www.openpolicyagent.org/ 18 | - Docs - https://www.openpolicyagent.org/docs/latest/ 19 | 20 | ## Threat Intel Sources 21 | - Team Cymru - https://team-cymru.com/ 22 | - Anomali - https://www.anomali.com/ 23 | - Mnemonic - https://www.mnemonic.no/ 24 | - Intel 471 - https://intel471.com/ 25 | - Silobreaker - https://www.silobreaker.com/ 26 | - Cisco Talos - https://talosintelligence.com/ 27 | - Alienvault OTX - https://cybersecurity.att.com/open-threat-exchange 28 | - ThreatConnect - https://threatconnect.com/ 29 | - Red Canary - https://redcanary.com/ 30 | - Randy F Smith - https://www.ultimatewindowssecurity.com/ 31 | - Redmond Mag - https://redmondmag.com/Home.aspx 32 | - InfoSecurity Mag - https://www.infosecurity-magazine.com/ 33 
| - Bleeping Computer - https://www.bleepingcomputer.com/ 34 | - Wired - https://www.wired.co.uk/topic/security 35 | - The Register - https://www.theregister.com/security/ 36 | - Fortinet - https://www.fortinet.com/blog/threat-research 37 | - Black Hills Security - https://www.blackhillsinfosec.com/ 38 | - Active Counter-Measures - https://www.activecountermeasures.com/ 39 | - Scythe - https://www.scythe.io/library 40 | - F-Secure - https://blog.f-secure.com/category/threats-research/ 41 | - DomainTools - https://www.domaintools.com/resources 42 | - Sophos - https://news.sophos.com/en-us/ 43 | - Blueliv - https://blueliv.com/ & https://community.blueliv.com/ 44 | - TL;DR Sec - https://tldrsec.com/ 45 | - Insinuator.net - Walter Legowski aka SadProcessor writes here - https://insinuator.net/ 46 | - SANS instructor Lenny Zeltser's infosec site - https://zeltser.com/ 47 | - Threat intel source list - https://github.com/hslatman/awesome-threat-intelligence 48 | 49 | ## Threat Intel API Providers 50 | - abuse.ch - https://abuse.ch/ 51 | - Malware Bazaar - https://bazaar.abuse.ch/ 52 | - Feodo Tracker - https://feodotracker.abuse.ch/ 53 | - I Got Phished - https://igotphished.abuse.ch/ 54 | - SSL Blacklist - https://sslbl.abuse.ch/ 55 | - (Malware) URL Haus - https://urlhaus.abuse.ch/ 56 | - Greynoise - https://greynoise.io/ 57 | - Have I Been Pwned - https://haveibeenpwned.com/ 58 | - Censys - https://censys.io/ 59 | - Phishtank - https://www.phishtank.com/ 60 | - Openphish - https://openphish.com/ 61 | - Lenny Zeltser's IP blocklist provider list - https://zeltser.com/malicious-ip-blocklists/ 62 | - Lenny Zeltser's malicious website lookup provider list - https://zeltser.com/lookup-malicious-websites/ 63 | 64 | ## Threat Intelligence Platform Providers 65 | - RiskIQ - https://www.riskiq.com/ 66 | - Silobreaker - https://www.silobreaker.com/ 67 | - Maltego - https://www.maltego.com/ 68 | 69 | ## Tools - Documentation 70 | - Diagram as Code - 
https://github.com/mingrammer/diagrams 71 | 72 | ## Container/Docker/Kubernetes Security 73 | - Clint Gibler - TL;DR Sec - https://tldrsec.com/blog/container-security/ 74 | - SysDig - https://sysdig.com/ 75 | - Falco - k8s threat detection - https://sysdig.com/opensource/falco/ 76 | - Uptycs - cloud & container protection, posture assessment - https://www.uptycs.com/ 77 | - OSQuery for container detection: 78 | - https://www.uptycs.com/blog/get-started-using-osquery-for-container-security 79 | - https://developer.ibm.com/technologies/containers/articles/monitoring-containers-osquery/ 80 | - Peirates - k8s penetration tool - https://www.inguardians.com/peirates/ 81 | - Kubesploit - C2 for container environments - https://github.com/cyberark/kubesploit 82 | - Popeye - K8s config & best practise scanner - https://github.com/derailed/popeye 83 | - Wazuh - For Docker hosts and containers - https://wazuh.com/#containers-security 84 | - KubiScan - CyberArk's K8s security permissions assessment tool - https://github.com/cyberark/KubiScan 85 | 86 | ## Cloud Security Tools 87 | - CloudSecDocs - Resource list for containers, AWS, Azure, GCP, Kafka & DevOps - https://cloudsecdocs.com/ 88 | - CrowdStrike CRT - Azure/O365 assessment - https://github.com/CrowdStrike/CRT 89 | - Sygnia Cloud Scout - AD/Azure AD/AWS assessment tool - https://www.sygnia.co/cloudscout 90 | - AWSPX - AWS effective access & attack paths assessment - https://github.com/FSecureLABS/awspx 91 | - Azure - Stormspotter - attack graphing tool for Azure by Azure Red Teams - https://github.com/Azure/Stormspotter 92 | - Wazuh - Azure/AWS/GCP sec data and configuration via API then agents for cloud assets - https://wazuh.com/#cloud-security-monitoring 93 | - Microburst - Azure offensive powershell toolset - https://github.com/NetSPI/MicroBurst 94 | - IAM Zero - suggests least-privilege policies for AWS (Azure/GCP/K8s later) - https://github.com/common-fate/iamzero 95 | - Azure Security Benchmarks - 
https://github.com/MicrosoftDocs/SecurityBenchmarks 96 | - CloudFormation Guard - IaC templates - https://github.com/aws-cloudformation/cloudformation-guard 97 | - CloudMapper - AWS mapper/analyzer - https://github.com/duo-labs/cloudmapper 98 | - SkyArk - CyberArk's AWS & Azure permissions analyzer - https://github.com/cyberark/SkyArk 99 | - ROADTools - O365 & Azure AD recon tools - https://github.com/dirkjanm/ROADtools 100 | - Cloudsplaining - https://opensource.salesforce.com/cloudsplaining/#/ 101 | - https://github.com/salesforce/cloudsplaining 102 | - https://cloudsplaining.readthedocs.io/en/latest/ 103 | 104 | ## SaaS Security 105 | - Raccoon - Salesforce data visibility assessment tool from NCC - https://github.com/nccgroup/raccoon 106 | 107 | ## Security Posture & Configuration Assessment 108 | - NSA - Unfetter - Mitre-based security posture analysis tool - https://nsacyber.github.io/unfetter/index.html 109 | - Mitre: 110 | - ATT&CK - Offense TTPs 111 | - https://attack.mitre.org/ 112 | - https://github.com/mitre-attack/attack-navigator 113 | - Engage - Active Defense TTPs 114 | - [[https://engage.mitre.org/](https://engage.mitre.org/) 115 | - D3fend - Defensive countermeasures 116 | - https://d3fend.mitre.org/ 117 | - CAR - Cyber Analytics Repository 118 | - https://car.mitre.org/ 119 | - EMB3D - Threats & mitigations for embedded devices 120 | - https://emb3d.mitre.org/ 121 | - Evaluation - products and people 122 | - https://mitre-engenuity.org/ 123 | - Attack2Neo - import Mitre into Neo4j 124 | - https://github.com/vmapps/attack2neo 125 | - ATT&CK mapping bast practices from US CISA 126 | - https://us-cert.cisa.gov/sites/default/files/publications/Best%20Practices%20for%20MITRE%20ATTCK%20Mapping.pdf 127 | - ATT&CK Workbench - CTID's customise/extend ATT&CK tool 128 | - https://github.com/center-for-threat-informed-defense/attack-workbench-frontend 129 | - https://medium.com/mitre-engenuity/att-ck-workbench-a-tool-for-extending-att-ck-e1718cbfe0ef 130 | - 
ATT&CK DataMap - show potential coverage for Mitre 131 | - https://github.com/olafhartong/ATTACKdatamap 132 | - Microsoft Attack Surface Analyzer - scan Windows for unsafe changes due to software installs - https://github.com/Microsoft/AttackSurfaceAnalyzer 133 | - Rabobank's DETTECT - Map log sources, detections and attacker behviours to show ATT&CK coverage - https://github.com/rabobank-cdc/DeTTECT 134 | - Threat Mapping Catalogue - https://github.com/intelforge/tmc 135 | 136 | ## Incident Response 137 | - Incident Playbook - Playbooks mapped to MITRE - https://github.com/austinsonger/Incident-Playbook 138 | - The Hive Project - IR application, docker - https://thehive-project.org/ 139 | 140 | ## CICD Security 141 | - Legitify by Legit Security - Security posture of Github/Gitlab instances - https://www.legitsecurity.com/legitify 142 | 143 | Code Analysis 144 | == 145 | - KICS by Checkmarx - https://docs.kics.io/latest - https://github.com/Checkmarx/kics 146 | - Trivy by Aqua - https://aquasecurity.github.io/trivy - https://github.com/aquasecurity/trivy 147 | - Checkov - Bridgecrew - Static code analysis for IaC - https://github.com/bridgecrewio/checkov - https://www.checkov.io/ 148 | - TFSec - Terraform static analysis - https://github.com/tfsec/tfsec 149 | - TFLint - Terraform error & best practise scanner - https://github.com/terraform-linters/tflint 150 | 151 | ## SIEM 152 | - Devo - https://www.devo.com/ 153 | - Elastic - https://www.elastic.co/ 154 | - Humio - https://www.humio.com/secops 155 | - Sumo Logic - https://www.sumologic.com/solutions/cloud-siem-enterprise/ 156 | - Sigma - platform agnostic SIEM rules - https://github.com/SigmaHQ/sigma 157 | - https://www.nextron-systems.com/2018/02/10/write-sigma-rules/ 158 | - https://syedhasan010.medium.com/defenders-toolkit-102-sigma-rules-4a623acb2036 159 | - Security Onion - Ready made FOSS SIEM - https://securityonionsolutions.com/ - https://github.com/Security-Onion-Solutions/securityonion 160 | - Vadim 
Hunter's detection rules - https://github.com/vadim-hunter/Detection-Ideas-Rules 161 | 162 | ## SOAR & Automation 163 | - Shuffle - FOSS SOAR - https://github.com/frikky/Shuffle 164 | - Tines - limited community version plus paid SOAR - https://www.tines.com/ 165 | - Siemplify - community & paid versions - https://www.siemplify.co/ 166 | - Swimlane - https://swimlane.com/ 167 | - Jimi - FOSS no-code SOAR - https://github.com/z1pti3/jimi 168 | - PowerShell Universal & PowerShell Pro Tools - From Ironman Software & Adam Driscoll - https://ironmansoftware.com/ 169 | - Automation mindset & process article - https://queue.acm.org/detail.cfm?id=3197520 170 | - Patrowl - FOSS SOAR - https://github.com/Patrowl/PatrowlEngines 171 | - https://github.com/vletoux/PingCastlePatrOwl - Pingcastle for Patrowl 172 | 173 | ## Threat Emulation 174 | - Atomic Red Team - https://atomicredteam.io/ - https://github.com/redcanaryco/atomic-red-team 175 | - Atomic Threat Coverage - TTPs, SIGMAs & KBs all in one place - https://github.com/atc-project/atomic-threat-coverage 176 | - Prelude - Atomic Red Team in your environment - https://www.prelude.org/platform/community 177 | - Thremulation - Atomic Red Team with ELK & sandbox - https://www.thremulation.io/ - https://github.com/thremulation-station/thremulation-station 178 | - Mitre Caldera - https://www.mitre.org/research/technology-transfer/open-source-software/caldera%E2%84%A2 - https://github.com/mitre/caldera 179 | - https://github.com/clong/DetectionLab 180 | - https://github.com/OTRF/SimuLand 181 | - https://github.com/davidprowe/BadBlood 182 | - AD in Azure playground - https://github.com/christophetd/Adaz 183 | - https://github.com/OTRF/Blacksmith 184 | 185 | ## Vulnerability Management 186 | - Nuclei - FOSS vuln scanner - https://github.com/projectdiscovery/nuclei 187 | - Wazuh (again) - vuln detection and reporting where agent installed - https://wazuh.com/#vulnerability-detection 188 | - Vulcan - vulnerability remediation 
automation - https://vulcan.io/integrations/ 189 | - 0Patch - micro patch solution - https://0patch.com/ 190 | 191 | ## Endpoint Security 192 | - Sysmon config pusher - https://github.com/LaresLLC/SysmonConfigPusher 193 | - Wazuh - HIDS/HIPS/Vulns/FIM/IR/EDR - https://wazuh.com/ - https://documentation.wazuh.com/current/index.html 194 | - Osquery - SQL queries on endpoints, very powerful - https://github.com/osquery/osquery 195 | - YARA rules & info collection - https://github.com/InQuest/awesome-yara 196 | - Velociraptor - monitor, alert, hunt on endpoints - https://www.velocidex.com/ 197 | - NCSC - security config packs Win,OSX,iOS,Ubuntu,Android - https://github.com/ukncsc/Device-Security-Guidance-Configuration-Packs 198 | - Nextron Systems - FOSS/Commercial - Compromise assessment, forensics, IOC scanners - https://www.nextron-systems.com/products/ 199 | - DeepBlueCLI - command line threat hunting on Windows - https://github.com/sans-blue-team/DeepBlueCLI 200 | - OpenEDR - Comodo's FOSS EDR - https://openedr.com/ 201 | - OSSEM - Open Source Security Events Metadata - https://github.com/OTRF/OSSEM 202 | - SilkETW from Fireeye - Event Tracing for Windows telemetry made easier: 203 | - https://www.fireeye.com/blog/threat-research/2019/03/silketw-because-free-telemetry-is-free.html 204 | - https://github.com/fireeye/SilkETW 205 | - https://medium.com/threat-hunters-forge/threat-hunting-with-etw-events-and-helk-part-1-installing-silketw-6eb74815e4a0 206 | 207 | ## Network Security 208 | - Arkime - Packet capture & analysis - https://arkime.com/ - https://github.com/arkime/arkime 209 | - Suricata - NIDS/NIPS/NSM - https://suricata.io/ 210 | - Zeek - NIDS/NSM - https://zeek.org/ 211 | - Snort - NIPS - https://www.snort.org/ 212 | - Owlh & Wazuh - Uses Snort/Zeek/Suricata data integrated via OwlH into Wazuh adding NIDS to HIDS: 213 | - https://www.owlh.net/ 214 | - https://documentation.owlh.net/en/0.17.0/index.html 215 | - 
https://documentation.owlh.net/en/0.17.0/main/OwlHWazuh.html 216 | - https://wazuh.com/owlh-network-ids-integration/ 217 | - CISA's Malcolm - FOSS network traffic analysis suite - https://github.com/cisagov/malcolm 218 | 219 | ## Perimeter Defence 220 | - PerimeterX - bot defence, website defence - https://www.perimeterx.com/ 221 | - TypoDetect - discover domain name mutations similar to corporate domain names used for phishing/smishing etc - https://github.com/telefonica/typodetect 222 | 223 | ## Deception 224 | - Thinkst Canary - decoys/honeytraps - https://canary.tools/ 225 | 226 | ## Malware Analysis 227 | - Anyrun - online analysis/sandbox - https://any.run/ 228 | - Hybrid Analysis - online malware anlysis - https://www.hybrid-analysis.com/ 229 | - Joe Sandbox - online sandbox/analysis - https://www.joesandbox.com/ 230 | - Lenny Zeltser's list of online malware analysis tools - https://zeltser.com/automated-malware-analysis/ 231 | - REMnux - malware analysis toolkit OS - https://remnux.org/ 232 | - Nextron Valhalla - YARA rule feed - https://www.nextron-systems.com/valhalla/ 233 | 234 | ## Phishing 235 | - PhishCatch - browser ext and API server detects corp pwd use on external sites from Palantir - https://github.com/palantir/phishcatch 236 | 237 | ## GRC 238 | - GRC knowledge list - https://github.com/Arudjreis/awesome-security-GRC 239 | - Protecht - Enterprise Risk Management software - https://www.protechtgroup.com/en-gb/enterprise-risk-management-software 240 | - Deciduous - security decision mapping from Ryan Petrich & Kelly Shortridge: 241 | - https://swagitda.com/deciduous/ 242 | - https://swagitda.com/blog/posts/deciduous-attack-tree-app/ 243 | - https://swagitda.com/blog/posts/security-decision-trees-with-graphviz/ 244 | - https://graphviz.org/ 245 | - https://github.com/rpetrich 246 | 247 | ## Red Team Tools 248 | - Phant0m - Win Event Log Killer - https://github.com/hlldz/Phant0m 249 | - Mythic - red team framework - 
https://github.com/its-a-feature/Mythic 250 | - GoFetch - generate attack plans from Bloodhound - https://github.com/GoFetchAD/GoFetch 251 | 252 | ## Go/Golang Tools 253 | - The Hive Go library - https://github.com/TheHive-Project/TheHive4go 254 | - Jira Go library - https://github.com/andygrunwald/go-jira 255 | - Jira Go library (another) - https://github.com/go-jira/jira 256 | - Tenable.io Go library - https://github.com/whereiskurt/tiogo 257 | - Tenable.io Go library - https://github.com/attwad/nessie 258 | - Tenable.io Go library - https://github.com/mistsys/go-tenable 259 | - Tenable.io Go library - https://github.com/thathaneydude/go-tenable 260 | - Kibana Go library - https://github.com/ewilde/go-kibana 261 | - Elasticsearch Go library - https://github.com/elastic/go-elasticsearch 262 | - Azure SDK for Go - https://github.com/Azure/azure-sdk-for-go 263 | - Harp - Secret management toolchain from Elastic - https://github.com/elastic/harp 264 | - Cisco Firepower Go client - https://github.com/buttahtoast/fmcClient 265 | 266 | ## Python Tools 267 | - Loguru - Python logging - https://github.com/Delgan/loguru 268 | - Tenable Python library - https://github.com/tenable/pyTenable 269 | - Tenable Python CLI tool - https://github.com/packetchaos/navi 270 | 271 | ## Training 272 | - Instruqt - cloud tech & cloudsec training modules - https://instruqt.com/ 273 | 274 | ## Random Useful Sites 275 | - https://parsiya.net/ - Go/Golang, blog, hacking, reverse engineering, automation 276 | - Purp1eW0lf's Blue Team Notes - https://github.com/Purp1eW0lf/Blue-Team-Notes 277 | - US DHS CISA's tools github repos - https://github.com/search?q=user%3Acisagov+&s=stars&type=Repositories 278 | 279 | ## AD Security 280 | - https://posts.specterops.io/the-attack-path-management-manifesto-3a3b117f5e5 281 | - SpecterOps - Bloodhound FOSS - https://github.com/BloodHoundAD/BloodHound 282 | - Dockerised Bloodhound - https://github.com/belane/docker-bloodhound 283 | - Bloodhound/Cypher 
Queries: 284 | - https://neo4j.com/docs/cypher-refcard/current/ 285 | - https://blog.cptjesus.com/posts/introtocypher 286 | - https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/ 287 | - https://github.com/hausec/Bloodhound-Custom-Queries 288 | - https://github.com/SadProcessor 289 | - https://www.ernw.de/download/BloodHoundWorkshop/ERNW_DogWhispererHandbook.pdf 290 | - https://github.com/JoshSchwarz/Bloodhound-Cypher 291 | - https://gist.github.com/jeffmcjunkin/7b4a67bb7dd0cfbfbd83768f3aa6eb12 292 | - https://bloodhoundnotebook.com/notebooks/cypher/queries_notebook.html 293 | - https://github.com/Scoubi/BloodhoundAD-Queries 294 | - https://github.com/improsec/ImproHound - https://improsec.com/tech-blog/improhound-identify-ad-tiering-violations 295 | - BloodCheck - Manage multiple Neo4j DBs & cypher query BH datasets - https://github.com/Mr-B0b/BloodCheck 296 | - Plumhound - Bloodhound for blue & purple teams - https://github.com/PlumHound/PlumHound 297 | - Use Bloodhound with network data to predict ransomware spread - https://github.com/zeronetworks/BloodHound-Tools 298 | - Sean Metcalf - Trimarc - AD security don - https://adsecurity.org/ 299 | - SpecterOps - AD, Windows, OSX offensive & defensive tools - https://specterops.io/resources/affiliated-toolsets 300 | - Semperis - AD defence & recovery commercial products and blog includes Darren Mar-Elia GPOGuy - https://www.semperis.com/ 301 | - Purple Knight - free AD security assessment tool from Semperis - https://www.purple-knight.com/ 302 | - Pingcastle - free/commercial AD security assessment tool from Vincent Letoux - https://www.pingcastle.com/ 303 | - Stealthbits - AD & data management commercial tools - https://stealthbits.com/active-directory-security-solutions/ 304 | - Tenable AD - formerly Alsid - https://www.tenable.com/products/tenable-ad 305 | - YossiSassi's AD group change monitoring powershell - https://github.com/YossiSassi/Get-ADGroupChanges 306 | - ZBang - CyberArk's AD risk assessment 
tool - https://github.com/cyberark/zBang 307 | - ACLight - CyberArk's AD shadow admins discovery tool - https://github.com/cyberark/ACLight 308 | - Vincent Yiu's red team tools & tips - https://www.vincentyiu.com/ 309 | - Dirk-Jan Mollema's blog - AD & AAD stuff - https://dirkjanm.io 310 | --------------------------------------------------------------------------------