Security lists for SOC/DFIR detections

Threat Hunting:

• ThreatHunting keywords Site
• ThreatHunting keywords Lists
• ThreatHunting Yara rules

ThreatHunting searches

• Windows Services Searches
• User-Agents Searches
• DNS Over HTTPS Searches
• Suspicious TLDs Searches
• HijackLibs Searches
• Phishing & DNSTWIST Searches
• Browsers extensions Searches
• C2 hiding in plain sigh
• HTML Smuggling artifacts
• PSEXEC & similar tools Searches
• Time Slipping detection

My Detection Lists

• 📋 Lists: https://github.com/mthcht/awesome-lists/tree/main/Lists
• 🕵️‍♂️ ThreatHunting Guides: https://mthcht.medium.com/list/threat-hunting-708624e9266f
• 🚰 Suspicious Named pipes: suspicious_named_pipe_list.csv
• 🌐 Suspicious TLDs (updated automatically): [suspicious_TLDs]
• 🌐 Suspicious ASNs (updated automatically): [suspicious ASNs]
• 🔧 Suspicious Windows Services: suspicious_windows_services_names_list.csv
• ⏲️ Suspicious Windows Tasks: suspicious_windows_tasks_list.csv
• 🚪 Suspicious destination port: suspicious_ports_list.csv
• 🛡️ Suspicious Firewall rules: suspicious_windows_firewall_rules_list.csv
• 🆔 Suspicious User-agent: suspicious_http_user_agents_list.csv
• 📇 Suspicious USB Ids: suspicious_usb_ids_list.csv
• 🔢 Suspicious MAC address: suspicious_mac_address_list.csv
• 📛 Suspicious Hostname: suspicious_hostnames_list.csv
• 🧮 Metadata Executables: executables_metadata_informations_list.csv
• 🕸️ DNS over HTTPS server list: dns_over_https_servers_list.csv
• 📚 Hijacklibs (updated automatically): hijacklibs_list.csv
• 🌐 TOR Nodes Lists (updated automatically): [TOR]
• 🛠️ LOLDriver List (updated automatically): loldrivers_only_hashes_list.csv
• 🛠️ Malicious Bootloader List (updated automatically): malicious_bootloaders_only_hashes_list.csv
• 📜 Malicious SSL Certificates List (updated automatically): ssl_certificates_malicious_list.csv
• 🖥️ RMM detection: [RMM]
• 👤🔑 Important Roles and groups for AD/EntraID/AWS: [permissions]
• 💻🔒 Ransomware known file extensions: ransomware_extensions_list.csv
• 💻🔒 Ransomware known file name ransom notes: ransomware_notes_list.csv
• 📝 Windows ASR rules: windows_asr_rules.csv
• 🌐 DNSTWIST Lists (updated automatically): DNSTWIST Default Domains + script
• 🌍 VPN IP address Lists (updated automatically):
  • 🛡️ NordVPN: nordvpn_ips_list.csv
  • 🛡️ ProtonVPN: protonvpn_ip_list.csv
• 🏢 Companies IP Range Lists (updated automatically): Default Lists + script / Microsoft
• 📍 GeoIP services Lists: ip_location_sites_list.csv
• 🧬 Yara rules: Threat Hunting yara rules
• 🧬 Offensive Tools detection patterns: offensive_tool_keywords.csv
• 🧬 Greyware Tools detection patterns: greyware_tool_keyword.csv
• 🧬 AV signatures keywords: signature_keyword.csv
• 🧬 Microsoft Defender AV signatures lists: [Defender]
• 🔗 Others correlation Lists: [Others]
• 📋 Lists i need to finish: [todo]

I regularly update most of these lists after each tool i analyze in my detection keywords project

Other Lists

IOC Feeds/Blacklists:

• ABUSE.CH BLACKLISTS
• Block Lists
• DNS Block List
• Phishing Block List
• C2IntelFeeds
• Volexity TI
• Open Source TI
• C2 Tracker
• Unit42 IOC
• Sekoia IOC
• Unit42 Timely IOC
• Unit42 Articles IOC
• ThreatFOX IOC
• Zscaler ThreatLabz IOC
• Zscaler ThreatLabz Ransomware notes
• experiant.ca
• Sophos lab IOC
• ESET Research IOC
• ExecuteMalware IOC
• Cisco Talos IOC
• Elastic Lab IOC
• Blackorbid APT Report IOC
• AVAST IOC
• DoctorWeb IOC
• BlackLotusLab IOC
• prodaft IOC
• Pr0xylife DarkGate IOC
• Pr0xylife Latrodectus IOC
• Pr0xylife WikiLoader IOC
• Pr0xylife SSLoad IOC
• Pr0xylife Pikabot IOC
• Pr0xylife Matanbuchus IOC
• Pr0xylife QakBot IOC
• Pr0xylife IceID IOC
• Pr0xylife Emotet IOC
• Pr0xylife BumbleBee IOC
• Pr0xylife Gozi IOC
• Pr0xylife NanoCore IOC
• Pr0xylife NetWire IOC
• Pr0xylife AsyncRAT IOC
• Pr0xylife Lokibot IOC
• Pr0xylife RemcosRAT IOC
• Pr0xylife nworm IOC
• Pr0xylife AZORult IOC
• Pr0xylife NetSupportRAT IOC
• Pr0xylife BitRAT IOC
• Pr0xylife BazarLoader IOC
• Pr0xylife SnakeKeylogger IOC
• Pr0xylife njRat IOC
• Pr0xylife Vidar IOC
• SpamHaus drop.txt
• UrlHaus_misp
• UrlHaus
• vx-underground - Great Resource for Samples and Intelligence Reports

Github

More github lists: https://github.com/mthcht?tab=stars&user_lists_direction=asc&user_lists_sort=name

SIEM/SOC related:

• EDR Telemetry
• PurpleTeam Scripts
• Awesome-SOC
• Threat-Hunting with Splunk

Investigation

TI

• Virustotal
• SpamHaus
• AbuseIPDB
• Malwarebazaar
• emailrep
• cloudfare scan
• shodan
• Onyphe
• Censys
• cybergordon (reputation check)
• threatminer
• urlscan
• Apptotal (apps and extensions analysis)
• urlquery
• cloudfare scanner
• urlvoid
• urldna.io
• checkphish
• ipvoid
• mxtoolbox
• Microsoft TI
• pulsedive
• threatbook
• McAfee Threat Intelligence Exchange
• Kaspersky Security Network
• Microsoft Security Intelligence Report
• IBM X-Force Exchange
• AlienVault OTX
• greynoise
• whoxy

More TI

• echotrail
• Malware-Traffic-Analysis (PCAP files)
• redhuntlabs
• whois domaintools
• ASN check bgp.he
• viewdns
• OUI mac address lookup
• xcyclopedia
• abuse.ch
• malware-traffic-analysis
• waybackmachine
• dnshistory
• asnlookup
• fofa.info
• SecurityTrail
• ZommEye

Sandbox

• Sandbox Anyrun
• triage
• capesandbox
• joesandbox
• filescan.io
• Sandbox HA
• virustotal
• threat zone
• vmray

Data manipulation

• jsoncrack
• JS deobfuscator
• cyberchef
• PCAP online analyzer
• Hash calculator
• regex101
• CyberChef
• Javascript Deobfuscator
• JSONViewer
• TextMechanic
• UrlEncode.org
• TextFixer
• RegExr
• TextUtils
• TextCompactor
• Pretty Diff
• XML Tree
• Online XML Formatter and Beautifier
• XML Escape Tool
• DiffChecker
• CSVJSON
• HTML Formatter
• Text Tool
• String Manipulation Tool
• unshorten it
• urlunscrambler
• longurl
• Message Header
• MXToolbox EmailHeaders
• Email Header Analyzer
• Email Header Analysis
• Gitlab dashboard from Excel
• OPENAI
• uncoder
• DeHashed

Detection Resources

• MITRE techniques
• MITRE Updates
• MITRE D3fend
• MITRE Navigator
• MITRE Datasources
• GTFOBIN
• LOLBAS
• LOTS
• loldrivers
• WTFBIN
• Sigma
• Splunk Rules
• Elastic Rules
• DFIR-Report Sigma-Rules
• JoeSecurity Sigma-Rules
• mdecrevoisier Sigma-Rules
• P4T12ICK Sigma-Rules
• tsale Sigma-Rules
• list of detections resources
• detection engineering resources
• awesome-threat-detection

DFIR

• EricZimmerman Tools
• dfir-orc
• dfir-orc-config
• Splunk4DFIR
• dfiq
• PSBits
• Yara TH + TH
• Hayabusa
• chainsaw
• regripper
• RdpCacheStitcher
• ripgrep
• Kape
• Kape Files
• More Kape ressources
• VolatileDataCollector
• Velociraptor
• MemDump
• MemProcFS
• avml
• Lime
• WinPmem
• Volatility
• Windows artifacts
• UAC

Security News

• Twitter
• CERT-FR
• CERT FR Alerts
• CERT FR Avis
• NIST CVEs
• JPCERT
• CISA news
• thedfirreport Feed
• Splunk Research Blog
• Unit42 Feed
• DFIR weekly sumary - thisweekin4n6
• Google Threat Intelligence
• Sekoi Blog
• akamai Feed
• Elastic Blog
• Checkpoint research Feed
• Cisco Talos Feed
• Crowdstrike Feed
• Hexacorn Blog
• simone kraus Blog
• Michael Haag Blog
• EricaZelic Blog
• Adam Chester Blog Feed
• Mauricio Velazco Blog
• Clément Notin Feed
• tenable Blog
• horizon3 Feed
• Incidents reports Feed
• NCC Group Research Feed
• SpecterOps Feed
• Redcanary Feed
• Sophos Research Feed
• virusbulletin
• Offensive Research - DSAS by INJECT
• HackerNews Feed
• Bleepingcomputer Feed
• detect.fyi

Formations

DFIR

• @inversecos - APT Emulation Labs: xintra
• 13cubed - Investigating Windows Endpoints: 13cubed.com
• @0gtweet - Forensic course: Mastering Windows Forensics
• SANS: SANS508
• Defensive-security: Linux-live-forensics
• @TheDFIRReport : LABs with logs from the existing reports dfir-labs
• @DebugPrivilege : Forensic Debugging free course InsightEngineering
• @ACEresponder: Courses with Detailed Explanations and Labs aceresponder.com
• @binaryz0ne: DFIR challenges with Datasets

SOC

• tryhackme - SOC lvl1

• letsdefend.io @chrissanders88 - letsdefend.io

• SANS: SANS555

• Splunk Boss Of The SOC - BOTS

  • BOTS dataset v1
  • BOTS dataset v2
  • BOTS dataset v3

Others

• Crontab check
• Subnet Calculator
• chmod calculator
• Epoch time converter
• cyberchef