Cyber Threats

• https://www.misp-project.org/

Reverse Engineering

---

Tools

• https://www.hopperapp.com/
• https://www.megabeets.net/a-journey-into-radare-2-part-1/
• https://www.megabeets.net/a-journey-into-radare-2-part-2/
• https://github.com/jmpews/HookZz
• https://github.com/TsudaKageyu/minhook

Malware

---

• Awesome Malware Analysis
• http://opensecuritytraining.info/MalwareDynamicAnalysis.html

Sandboxes

• https://dadario.com.br/docker-for-automating-honeypots-or-malware-sandboxes/
• https://github.com/r00t0vi4/security-projects/blob/master/cuckoo-sandbox.md
• https://github.com/spender-sandbox/cuckoo-modified
• https://www.optiv.com/blog/improving-reliability-of-sandbox-results
• https://github.com/honeynet/cuckooml
• https://www.alienvault.com/blogs/labs-research/hardening-cuckoo-sandbox-against-vm-aware-malware
• https://blog.malwarebytes.com/threat-analysis/2014/04/automating-malware-analysis-with-cuckoo-sandbox/
• https://github.com/buguroo/cuckooautoinstall
• https://blog.opendns.com/2015/06/16/deploy-your-own-cuckoo-sandbox/
• https://github.com/markedoe/cuckoo-sandbox/blob/master/cuckoomon.dll
• http://santi-bassett.blogspot.ca/2013/01/installing-cuckoo-sandbox-on-virtualbox.html
• https://www.proteansec.com/linux/installing-using-cuckoo-malware-analysis-sandbox/
• https://techanarchy.net/lab/cuckoo-esxi/
• https://github.com/bostonlink/cuckooforcanari
• https://github.com/davidoren/CuckooSploit
• https://github.com/rodionovd/cuckoo-osx-analyzer
• https://github.com/breachintelligence/packer-cuckoo
• https://bitbucket.org/cse-assemblyline/assemblyline
• http://scitechconnect.elsevier.com/inside-fight-against-malware-attacks/
• https://app.any.run/

Malware Lab

• https://blindseeker.com/blahg/?p=337
• https://blindseeker.com/blahg/?p=345
• https://blindseeker.com/blahg/?p=375
• https://blindseeker.com/blahg/?p=437
• https://www.sans.org/reading-room/whitepapers/incident/deployment-flexible-malware-sandbox-environment-open-source-software-36207

Sample Sources

• https://github.com/krmaxwell/maltrieve
• https://github.com/thechrisharrod/Malfind
• https://virusshare.com/

Sample Management

• https://github.com/sroberts/malwarehouse
• https://github.com/certsocietegenerale/fame/
• http://viper.li/

Analysis

• http://www.malwaremustdie.org/
• http://fumalwareanalysis.blogspot.ca/2011/08/malware-analysis-tutorial-reverse.html
• https://zeltser.com/remnux-malware-analysis-tips/
• https://zeltser.com/reverse-malware-cheat-sheet/
• https://zeltser.com/analyzing-malicious-documents/

Anti-sandbox Techniques and Countermeasures

• https://www.blackhat.com/docs/us-16/materials/us-16-Bulazel-AVLeak-Fingerprinting-Antivirus-Emulators-For-Advanced-Malware-Evasion.pdf
• https://www.youtube.com/watch?v=3sZmvlQUh5o
• http://www.slideshare.net/Cyphort/mmw-antisandbox-techniques
• https://www.alienvault.com/blogs/labs-research/how-public-tools-are-used-by-malware-developers-the-antivm-tale
• https://github.com/a0rtega/pafish
• http://vmcloak.readthedocs.io/en/latest/
• https://github.com/hfiref0x/VBoxHardenedLoader
• https://github.com/nsmfoo/antivmdetection
• https://blog.malwarebytes.com/threat-analysis/2014/02/a-look-at-malware-with-virtual-machine-detection/
• https://github.com/LordNoteworthy/al-khaser
• https://github.com/CheckPointSW/InviZzzible

VM Management

• https://www.packer.io
• https://www.vagrantup.com/
• http://www.xaprb.com/blog/2011/08/31/making-auto-resetting-virtualbox-machines/
• https://github.com/joefitzgerald/packer-windows
• https://github.com/mwrock/packer-templates
• https://github.com/jacqinthebox/packer-templates
• https://github.com/mefellows/packer-community-templates
• http://boxstarter.org/
• https://chocolatey.org/
• https://github.com/boxcutter/windows
• http://gosecure.github.io/presentations/2016-05-19_northsec/OlivierBilodeau_HugoGenesse-Malboxes.pdf
• https://github.com/GoSecure/malboxes
• https://github.com/brimstone/windows-ova

Tools

• https://www.blackhat.com/docs/us-16/materials/us-16-Otsubo-O-checker-Detection-of-Malicious-Documents-through-Deviation-from-File-Format-Specifications.pdf
• https://www.blackhat.com/docs/us-16/materials/us-16-Otsubo-O-checker-Detection-of-Malicious-Documents-through-Deviation-from-File-Format-Specifications-wp.pdf
• https://github.com/conix-security/zer0m0n
• https://github.com/conix-security/CAAS
• https://github.com/trendmicro/aleph
• https://crits.github.io/
• https://winitor.com/
• https://github.com/joxeankoret/pyew
• http://joxeankoret.com/
• http://www.openioc.org/
• http://virustotal.github.io/yara/
• https://github.com/kbandla/pydeep
• https://github.com/volatilityfoundation/volatility
• http://www.misp-project.org/tools/
• https://github.com/pidydx/SMRT
• http://procdot.com/index.htm
• https://www.canariproject.com/
• Lima Charlie: https://github.com/refractionPOINT/limacharlie
  • Advertised as an endpoint security solution but features are really like a malware sandbox agent
• https://github.com/Neo23x0/munin

Others

• https://www.youtube.com/watch?v=m9yqnwuqdSk
• https://www.blackhat.com/docs/us-16/materials/us-16-Hund-The-Beast-Within-Evading-Dynamic-Malware-Analysis-Using-Micro.pdf
• https://www.blackhat.com/docs/us-16/materials/us-16-Nipravsky-Certificate-Bypass-Hiding-And-Executing-Malware-From-A-Digitally-Signed-Executable-wp.pdf
• https://www.blackhat.com/docs/us-16/materials/us-16-Berlin-An-AI-Approach-To-Malware-Similarity-Analysis-Mapping-The-Malware-Genome-With-A-Deep-Neural-Network.pdf
• https://www.youtube.com/watch?v=m9yqnwuqdSk

Passive DNS data extraction from PCAP

---

PCAP

• Awesome PCAP Tools: https://github.com/caesar0301/awesome-pcaptools
  • Benchmarks PCAP processing tools
• Bro: https://www.bro.org/
• Suricata: https://suricata-ids.org/
  • As a passive DNS probe: https://resources.sei.cmu.edu/asset_files/Presentation/2016_017_001_449890.pdf

Passive DNS

• Sensors:
  • https://github.com/gamelinux/passivedns
  • https://www.farsightsecurity.com/passive-dns/passive-dns-sensor/
  • dnstap: http://dnstap.info/
• Clients:
  • https://github.com/chrislee35/passivedns-client
  • https://github.com/CIRCL/PyPDNS
• https://www.vanimpe.eu/2016/02/27/passive-dns-for-incident-response/
• http://www.gamelinux.org/
• https://lists.dns-oarc.net/pipermail/dns-operations/

Datastore Backends

• Moloch: https://github.com/aol/moloch
  • ELK (Elasticsearch Logstash Kibana) is a trend now https://www.elastic.co/products
  • Moloch uses Elasticsearch
  • Can be setup along-side with Suricata
• Kairos - Time series data storage: https://github.com/agoragames/kairos
• http://graphiteapp.org/

IDS/IPS

---

NIDS

• Snort: https://www.snort.org/
• Bro: https://www.bro.org/
• Suricata: https://suricata-ids.org/
• Sguil: http://bammv.github.io/sguil/index.html

HIDS

• Open Source Tripwire: https://github.com/Tripwire/tripwire-open-source
• OSSEC: https://ossec.github.io/
• Samhain: http://www.la-samhna.de/samhain/

Others

• Stratosphere IPS: https://stratosphereips.org/
• Sagan: https://quadrantsec.com/sagan_log_analysis_engine/
• Prelude Universal Open-Source SIEM: https://www.prelude-siem.org/
• Fail2ban: http://www.fail2ban.org/wiki/index.php/Main_Page
• AIDE: http://aide.sourceforge.net/
• ACARM-ng: http://www.acarm.wcss.wroc.pl/
• https://securityonion.net/
• https://www.alphasoc.com/
• https://github.com/paralax/awesome-honeypots