awesome-incident-response

Incident response toolkit

A curated collection of tools and resources for managing security incidents

A curated list of tools for incident response

GitHub
8k stars
464 watching
2k forks
last commit: 6 months ago
Linked from 18 awesome lists

awesomeawesome-listcybersecuritydfirincident-responseincident-response-toolinglistsecurity

Awesome Incident Response / IR Tools Collection / Adversary Emulation
APTSimulator 2,488 over 1 year ago Windows Batch script that uses a set of tools and output files to make a system look as if it was compromised
Atomic Red Team (ART) 9,951 about 1 month ago Small and highly portable detection tests mapped to the MITRE ATT&CK Framework
AutoTTP 251 over 1 year ago Automated Tactics Techniques & Procedures. Re-running complex sequences manually for regression tests, product evaluations, generate data for researchers
Caldera 5,722 about 1 month ago Automated adversary emulation system that performs post-compromise adversarial behavior within Windows Enterprise networks. It generates plans during operation using a planning system and a pre-configured adversary model based on the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK™) project
DumpsterFire 998 over 4 years ago Modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events. Easily create custom event chains for Blue Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations
Metta 1,103 almost 6 years ago Information security preparedness tool to do adversarial simulation
Network Flight Simulator 1,271 10 months ago Lightweight utility used to generate malicious network traffic and help security teams to evaluate security controls and network visibility
Red Team Automation (RTA) 1,054 over 5 years ago RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK
RedHunt-OS 1,249 over 4 years ago Virtual machine for adversary emulation and threat hunting

Awesome Incident Response / IR Tools Collection / All-In-One Tools
Belkasoft Evidence Center The toolkit will quickly extract digital evidence from multiple sources by analyzing hard drives, drive images, memory dumps, iOS, Blackberry and Android backups, UFED, JTAG and chip-off dumps
CimSweep 651 over 5 years ago Suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows
CIRTkit 142 almost 8 years ago CIRTKit is not just a collection of tools, but also a framework to aid in the ongoing unification of Incident Response and Forensics investigation processes
Cyber Triage Cyber Triage collects and analyzes host data to determine if it is compromised. It's scoring system and recommendation engine allow you to quickly focus on the important artifacts. It can import data from its collection tool, disk images, and other collectors (such as KAPE). It can run on an examiner's desktop or in a server model. Developed by Sleuth Kit Labs, which also makes Autopsy
Dissect 939 about 1 month ago Dissect is a digital forensics & incident response framework and toolset that allows you to quickly access and analyse forensic artefacts from various disk and file formats, developed by Fox-IT (part of NCC Group)
Doorman 620 about 2 years ago osquery fleet manager that allows remote management of osquery configurations retrieved by nodes. It takes advantage of osquery's TLS configuration, logger, and distributed read/write endpoints, to give administrators visibility across a fleet of devices with minimal overhead and intrusiveness
Falcon Orchestrator 186 about 1 year ago Extendable Windows-based application that provides workflow automation, case management and security response functionality
Flare 6,686 about 1 month ago A fully customizable, Windows-based security distribution for malware analysis, incident response, penetration testing
Fleetdm 3,202 about 1 month ago State of the art host monitoring platform tailored for security experts. Leveraging Facebook's battle-tested osquery project, Fleetdm delivers continuous updates, features and fast answers to big questions
GRR Rapid Response 4,811 about 2 months ago Incident response framework focused on remote live forensics. It consists of a python agent (client) that is installed on target systems, and a python server infrastructure that can manage and talk to the agent. Besides the included Python API client, provides an API client library in PowerShell working on Windows, Linux and macOS for GRR automation and scripting
IRIS 1,091 about 1 month ago IRIS is a web collaborative platform for incident response analysts allowing to share investigations at a technical level
Kuiper 777 3 months ago Digital Forensics Investigation Platform
Limacharlie Endpoint security platform composed of a collection of small projects all working together that gives you a cross-platform (Windows, OSX, Linux, Android and iOS) low-level environment for managing and pushing additional modules into memory to extend its functionality
Matano 1,482 6 months ago : Open source serverless security lake platform on AWS that lets you ingest, store, and analyze petabytes of security data into an Apache Iceberg data lake and run realtime Python detections as code
MozDef 2,167 about 3 years ago Automates the security incident handling process and facilitate the real-time activities of incident handlers
MutableSecurity 44 almost 2 years ago CLI program for automating the setup, configuration, and use of cybersecurity solutions
nightHawk 598 about 5 years ago Application built for asynchronous forensic data presentation using ElasticSearch as the backend. It's designed to ingest Redline collections
Open Computer Forensics Architecture Another popular distributed open-source computer forensics framework. This framework was built on Linux platform and uses postgreSQL database for storing data
osquery Easily ask questions about your Linux and macOS infrastructure using a SQL-like query language; the provided helps you detect and respond to breaches
Redline Provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile
SOC Multi-tool 341 5 months ago A powerful and user-friendly browser extension that streamlines investigations for security professionals
The Sleuth Kit & Autopsy Unix and Windows based tool which helps in forensic analysis of computers. It comes with various tools which helps in digital forensics. These tools help in analyzing disk images, performing in-depth analysis of file systems, and various other things
TheHive Scalable 3-in-1 open source and free solution designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly
Velociraptor 3,020 about 1 month ago Endpoint visibility and collection tool
X-Ways Forensics Forensics tool for Disk cloning and imaging. It can be used to find deleted files and disk analysis
Zentral 757 about 1 month ago Combines osquery's powerful endpoint inventory features with a flexible notification and action framework. This enables one to identify and react to changes on OS X and Linux clients

Awesome Incident Response / IR Tools Collection / Books
Applied Incident Response Steve Anson's book on Incident Response
Art of Memory Forensics Detecting Malware and Threats in Windows, Linux, and Mac Memory
Crafting the InfoSec Playbook: Security Monitoring and Incident Response Master Plan by Jeff Bollinger, Brandon Enright and Matthew Valites
Digital Forensics and Incident Response: Incident response techniques and procedures to respond to modern cyber threats by Gerard Johansen
Introduction to DFIR By Scott J. Roberts
Incident Response & Computer Forensics, Third Edition The definitive guide to incident response
Incident Response Techniques for Ransomware Attacks A great guide to build an incident response strategy for ransomware attacks. By Oleg Skulkin
Incident Response with Threat Intelligence Great reference to build an incident response plan based also on Threat Intelligence. By Roberto Martinez
Intelligence-Driven Incident Response By Scott J. Roberts, Rebekah Brown
Operator Handbook: Red Team + OSINT + Blue Team Reference Great reference for incident responders
Practical Memory Forensics The definitive guide to practice memory forensics. By Svetlana Ostrovskaya and Oleg Skulkin
The Practice of Network Security Monitoring: Understanding Incident Detection and Response Richard Bejtlich's book on IR

Awesome Incident Response / IR Tools Collection / Communities
Digital Forensics Discord Server Community of 8,000+ working professionals from Law Enforcement, Private Sector, and Forensic Vendors. Additionally, plenty of students and hobbyists! Guide
Slack DFIR channel Slack DFIR Communitiy channel -

Awesome Incident Response / IR Tools Collection / Disk Image Creation Tools
AccessData FTK Imager Forensics tool whose main purpose is to preview recoverable data from a disk of any kind. FTK Imager can also acquire live memory and paging file on 32bit and 64bit systems
Bitscout 464 7 months ago Bitscout by Vitaly Kamluk helps you build your fully-trusted customizable LiveCD/LiveUSB image to be used for remote digital forensics (or perhaps any other task of your choice). It is meant to be transparent and monitorable by the owner of the system, forensically sound, customizable and compact
GetData Forensic Imager Windows based program that will acquire, convert, or verify a forensic image in one of the following common forensic file formats
Guymager Free forensic imager for media acquisition on Linux
Magnet ACQUIRE ACQUIRE by Magnet Forensics allows various types of disk acquisitions to be performed on Windows, Linux, and OS X as well as mobile operating systems

Awesome Incident Response / IR Tools Collection / Evidence Collection
Acquire 92 about 2 months ago Acquire is a tool to quickly gather forensic artifacts from disk images or a live system into a lightweight container. This makes Acquire an excellent tool to, among others, speedup the process of digital forensic triage. It uses to gather that information from the raw disk, if possible
artifactcollector 271 3 months ago The artifactcollector project provides a software that collects forensic artifacts on systems
bulk_extractor 1,129 about 1 month ago Computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. Because of ignoring the file system structure, the program distinguishes itself in terms of speed and thoroughness
Cold Disk Quick Response 334 over 2 years ago Streamlined list of parsers to quickly analyze a forensic image file ( , E01, , etc) and output nine reports
CyLR 652 over 2 years ago The CyLR tool collects forensic artifacts from hosts with NTFS file systems quickly, securely and minimizes impact to the host
Forensic Artifacts 1,071 5 months ago Digital Forensics Artifact Repository
ir-rescue 466 almost 4 years ago Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response
Live Response Collection Automated tool that collects volatile data from Windows, OSX, and *nix based operating systems
Margarita Shotgun 244 over 4 years ago Command line utility (that works with or without Amazon EC2 instances) to parallelize remote memory acquisition
SPECTR3 39 3 months ago Acquire, triage and investigate remote evidence via portable iSCSI readonly access
UAC 824 about 1 month ago UAC (Unix-like Artifacts Collector) is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts

Awesome Incident Response / IR Tools Collection / Incident Management
Catalyst 361 about 1 month ago A free SOAR system that helps to automate alert handling and incident response processes
CyberCPR Community and commercial incident management tool with Need-to-Know built in to support GDPR compliance while handling sensitive incidents
Cyphon Cyphon eliminates the headaches of incident management by streamlining a multitude of related tasks through a single platform. It receives, processes and triages events to provide an all-encompassing solution for your analytic workflow — aggregating data, bundling and prioritizing alerts, and empowering analysts to investigate and document incidents
CORTEX XSOAR Paloalto security orchestration, automation and response platform with full Incident lifecycle management and many integrations to enhance automations
DFTimewolf 299 about 1 month ago A framework for orchestrating forensic collection, processing and data export
DFIRTrack 482 5 months ago Incident Response tracking application handling one or more incidents via cases and tasks with a lot of affected systems and artifacts
Fast Incident Response (FIR) 1,751 about 1 month ago Cybersecurity incident management platform designed with agility and speed in mind. It allows for easy creation, tracking, and reporting of cybersecurity incidents and is useful for CSIRTs, CERTs and SOCs alike
RTIR Request Tracker for Incident Response (RTIR) is the premier open source incident handling system targeted for computer security teams. We worked with over a dozen CERT and CSIRT teams around the world to help you handle the ever-increasing volume of incident reports. RTIR builds on all the features of Request Tracker
Sandia Cyber Omni Tracker (SCOT) 245 2 months ago Incident Response collaboration and knowledge capture tool focused on flexibility and ease of use. Our goal is to add value to the incident response process without burdening the user
Shuffle 1,769 about 1 month ago A general purpose security automation platform focused on accessibility
threat_note 424 about 1 year ago Lightweight investigation notebook that allows security researchers the ability to register and retrieve indicators related to their research
Zenduty Zenduty is a novel incident management platform providing end-to-end incident alerting, on-call management and response orchestration, giving teams greater control and automation over the incident management lifecycle

Awesome Incident Response / IR Tools Collection / Knowledge Bases
Digital Forensics Artifact Knowledge Base 75 8 months ago Digital Forensics Artifact Knowledge Base
Windows Events Attack Samples 2,265 almost 2 years ago Windows Events Attack Samples
Windows Registry Knowledge Base 163 3 months ago Windows Registry Knowledge Base

Awesome Incident Response / IR Tools Collection / Linux Distributions
The Appliance for Digital Investigation and Analysis (ADIA) VMware-based appliance used for digital investigation and acquisition and is built entirely from public domain software. Among the tools contained in ADIA are Autopsy, the Sleuth Kit, the Digital Forensics Framework, log2timeline, Xplico, and Wireshark. Most of the system maintenance uses Webmin. It is designed for small-to-medium sized digital investigations and acquisitions. The appliance runs under Linux, Windows, and Mac OS. Both i386 (32-bit) and x86_64 (64-bit) versions are available
Computer Aided Investigative Environment (CAINE) Contains numerous tools that help investigators during their analysis, including forensic evidence collection
CCF-VM 492 about 2 years ago CyLR CDQR Forensics Virtual Machine (CCF-VM): An all-in-one solution to parsing collected data, making it easily searchable with built-in common searches, enable searching of single and multiple hosts simultaneously
NST - Network Security Toolkit Linux distribution that includes a vast collection of best-of-breed open source network security applications useful to the network security professional
PALADIN Modified Linux distribution to perform various forensics task in a forensically sound manner. It comes with many open source forensics tools included
Security Onion 3,078 almost 4 years ago Special Linux distro aimed at network security monitoring featuring advanced analysis tools
SANS Investigative Forensic Toolkit (SIFT) Workstation Demonstrates that advanced incident response capabilities and deep dive digital forensic techniques to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated

Awesome Incident Response / IR Tools Collection / Linux Evidence Collection
FastIR Collector Linux 173 almost 4 years ago FastIR for Linux collects different artifacts on live Linux and records the results in CSV files
MAGNET DumpIt 160 about 1 year ago Fast memory acquisition open source tool for Linux written in Rust. Generate full memory crash dumps of Linux machines

Awesome Incident Response / IR Tools Collection / Log Analysis Tools
AppCompatProcessor 197 over 3 years ago AppCompatProcessor has been designed to extract additional value from enterprise-wide AppCompat / AmCache data beyond the classic stacking and grepping techniques
APT Hunter 1,265 2 months ago APT-Hunter is Threat Hunting tool for windows event logs
Chainsaw 2,919 about 1 month ago Chainsaw provides a powerful ‘first-response’ capability to quickly identify threats within Windows event logs
Event Log Explorer Tool developed to quickly analyze log files and other data
Event Log Observer View, analyze and monitor events recorded in Microsoft Windows event logs with this GUI tool
Hayabusa 2,353 about 1 month ago Hayabusa is a Windows event log fast forensics timeline generator and threat hunting tool created by the Yamato Security group in Japan
Kaspersky CyberTrace Threat intelligence fusion and analysis tool that integrates threat data feeds with SIEM solutions. Users can immediately leverage threat intelligence for security monitoring and incident report (IR) activities in the workflow of their existing security operations
Log Parser Lizard Execute SQL queries against structured log data: server logs, Windows Events, file system, Active Directory, log4net logs, comma/tab separated text, XML or JSON files. Also provides a GUI to Microsoft LogParser 2.2 with powerful UI elements: syntax editor, data grid, chart, pivot table, dashboard, query manager and more
Lorg 209 almost 6 years ago Tool for advanced HTTPD logfile security analysis and forensics
Logdissect 148 5 months ago CLI utility and Python API for analyzing log files and other data
LogonTracer 2,756 7 months ago Tool to investigate malicious Windows logon by visualizing and analyzing Windows event log
Sigma 8,490 about 1 month ago Generic signature format for SIEM systems already containing an extensive ruleset
StreamAlert 2,864 about 1 year ago Serverless, real-time log data analysis framework, capable of ingesting custom data sources and triggering alerts using user-defined logic
SysmonSearch 419 about 1 year ago SysmonSearch makes Windows event log analysis more effective and less time consuming by aggregation of event logs
WELA 769 almost 2 years ago Windows Event Log Analyzer aims to be the Swiss Army knife for Windows event logs
Zircolite 684 about 2 months ago A standalone and fast SIGMA-based detection tool for EVTX or JSON

Awesome Incident Response / IR Tools Collection / Memory Analysis Tools
AVML 883 about 1 month ago A portable volatile memory acquisition tool for Linux
Evolve 259 about 7 years ago Web interface for the Volatility Memory Forensics Framework
inVtero.net 281 over 1 year ago Advanced memory analysis for Windows x64 with nested hypervisor support
LiME 1,739 3 months ago Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, formerly called DMD
MalConfScan 483 about 1 year ago MalConfScan is a Volatility plugin extracts configuration data of known malware. Volatility is an open-source memory forensics framework for incident response and malware analysis. This tool searches for malware in memory images and dumps configuration data. In addition, this tool has a function to list strings to which malicious code refers
Memoryze Free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems, can include the paging file in its analysis
Memoryze for Mac Memoryze for Mac is Memoryze but then for Macs. A lower number of features, however
https://github.com/ufrisk/MemProcFS 3,215 about 1 month ago [MemProcFS] ( ) - MemProcFS is an easy and convenient way of viewing physical memory as files in a virtual file system
Orochi 226 about 1 month ago Orochi is an open source framework for collaborative forensic memory dump analysis
Rekall Open source tool (and library) for the extraction of digital artifacts from volatile memory (RAM) samples
Volatility 7,412 over 1 year ago Advanced memory forensics framework
Volatility 3 2,762 about 1 month ago The volatile memory extraction framework (successor of Volatility)
VolatilityBot 264 over 3 years ago Automation tool for researchers cuts all the guesswork and manual tasks out of the binary extraction phase, or to help the investigator in the first steps of performing a memory analysis investigation
VolDiff 194 over 7 years ago Malware Memory Footprint Analysis based on Volatility
WindowsSCOPE Memory forensics and reverse engineering tool used for analyzing volatile memory offering the capability of analyzing the Windows kernel, drivers, DLLs, and virtual and physical memory

Awesome Incident Response / IR Tools Collection / Memory Imaging Tools
Belkasoft Live RAM Capturer Tiny free forensic tool to reliably extract the entire content of the computer’s volatile memory – even if protected by an active anti-debugging or anti-dumping system
Linux Memory Grabber 266 almost 5 years ago Script for dumping Linux memory and creating Volatility profiles
MAGNET DumpIt Fast memory acquisition tool for Windows (x86, x64, ARM64). Generate full memory crash dumps of Windows machines
Magnet RAM Capture Free imaging tool designed to capture the physical memory of a suspect’s computer. Supports recent versions of Windows
OSForensics Tool to acquire live memory on 32-bit and 64-bit systems. A dump of an individual process’s memory space or physical memory dump can be done

Awesome Incident Response / IR Tools Collection / OSX Evidence Collection
Knockknock Displays persistent items(scripts, commands, binaries, etc.) that are set to execute automatically on OSX
macOS Artifact Parsing Tool (mac_apt) 790 3 months ago Plugin based forensics framework for quick mac triage that works on live machines, disk images or individual artifact files
OSX Auditor 3,128 over 4 years ago Free Mac OS X computer forensics tool
OSX Collector 1,879 over 5 years ago OSX Auditor offshoot for live response
The ESF Playground A tool to view the events in Apple Endpoint Security Framework (ESF) in real time

Awesome Incident Response / IR Tools Collection / Other Lists
Awesome Event IDs 593 7 months ago Collection of Event ID resources useful for Digital Forensics and Incident Response
Awesome Forensics 4,030 about 1 month ago A curated list of awesome forensic analysis tools and resources
Didier Stevens Suite 2,051 about 2 months ago Tool collection
Eric Zimmerman Tools An updated list of forensic tools created by Eric Zimmerman, an instructor for SANS institute
List of various Security APIs 895 5 months ago Collective list of public JSON APIs for use in security

Awesome Incident Response / IR Tools Collection / Other Tools
Cortex Cortex allows you to analyze observables such as IP and email addresses, URLs, domain names, files or hashes one by one or in bulk mode using a Web interface. Analysts can also automate these operations using its REST API
Crits Web-based tool which combines an analytic engine with a cyber threat database
Diffy 635 about 1 year ago DFIR tool developed by Netflix's SIRT that allows an investigator to quickly scope a compromise across cloud instances (Linux instances on AWS, currently) during an incident and efficiently triaging those instances for followup actions by showing differences against a baseline
domfind 24 over 5 years ago Python DNS crawler for finding identical domain names under different TLDs
Fileintel 119 about 4 years ago Pull intelligence per file hash
HELK 3,782 8 months ago Threat Hunting platform
Hindsight 1,097 about 2 months ago Internet history forensics for Google Chrome/Chromium
Hostintel 264 almost 4 years ago Pull intelligence per host
imagemounter 121 almost 2 years ago Command line utility and Python package to ease the (un)mounting of forensic disk images
Kansa 1,565 about 2 years ago Modular incident response framework in PowerShell
MFT Browser 293 3 months ago MFT directory tree reconstruction & record info
Munin 813 8 months ago Online hash checker for VirusTotal and other services
PowerSponse 38 almost 3 years ago PowerSponse is a PowerShell module focused on targeted containment and remediation during security incident response
PyaraScanner 26 over 6 years ago Very simple multi-threaded many-rules to many-files YARA scanning Python script for malware zoos and IR
rastrea2r 236 over 3 years ago Allows one to scan disks and memory for IOCs using YARA on Windows, Linux and OS X
RaQet Unconventional remote acquisition and triaging tool that allows triage a disk of a remote computer (client) that is restarted with a purposely built forensic operating system
Raccine 950 about 1 year ago A Simple Ransomware Protection
Stalk Collect forensic data about MySQL when problems occur
Scout2 Security tool that lets Amazon Web Services administrators assess their environment's security posture
Stenographer 1,790 over 3 years ago Packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. It stores as much history as it possible, managing disk usage, and deleting when disk limits are hit. It's ideal for capturing the traffic just before and during an incident, without the need explicit need to store all of the network traffic
sqhunter Threat hunter based on osquery and Salt Open (SaltStack) that can issue ad-hoc or distributed queries without the need for osquery's tls plugin. sqhunter allows you to query open network sockets and check them against threat intelligence sources
sysmon-config 4,828 7 months ago Sysmon configuration file template with default high-quality event tracing
sysmon-modular 2,678 5 months ago A repository of sysmon configuration modules
traceroute-circl 37 3 months ago Extended traceroute to support the activities of CSIRT (or CERT) operators. Usually CSIRT team have to handle incidents based on IP addresses received. Created by Computer Emergency Response Center Luxembourg
X-Ray 2.0 Windows utility (poorly maintained or no longer maintained) to submit virus samples to AV vendors

Awesome Incident Response / IR Tools Collection / Playbooks
AWS Incident Response Runbook Samples 935 8 months ago AWS IR Runbook Samples meant to be customized per each entity using them. The three samples are: "DoS or DDoS attack", "credential leakage", and "unintended access to an Amazon S3 bucket"
Counteractive Playbooks 656 9 months ago Counteractive PLaybooks collection
GuardSIght Playbook Battle Cards 361 8 months ago A collection of Cyber Incident Response Playbook Battle Cards
IRM 982 11 months ago Incident Response Methodologies by CERT Societe Generale
PagerDuty Incident Response Documentation Documents that describe parts of the PagerDuty Incident Response process. It provides information not only on preparing for an incident, but also what to do during and after. Source is available on
Phantom Community Playbooks 478 about 2 months ago Phantom Community Playbooks for Splunk but also customizable for other use
ThreatHunter-Playbook 4,049 11 months ago Playbook to aid the development of techniques and hypothesis for hunting campaigns

Awesome Incident Response / IR Tools Collection / Process Dump Tools
Microsoft ProcDump Dumps any running Win32 processes memory image on the fly
PMDump Tool that lets you dump the memory contents of a process to a file without stopping the process

Awesome Incident Response / IR Tools Collection / Sandboxing/Reversing Tools
Any Run Interactive online malware analysis service for dynamic and static research of most types of threats using any environment
CAPA 4,944 about 1 month ago detects capabilities in executable files. You run it against a PE, ELF, .NET module, or shellcode file and it tells you what it thinks the program can do
CAPEv2 2,043 about 1 month ago Malware Configuration And Payload Extraction
Cuckoo 5,567 over 2 years ago Open Source Highly configurable sandboxing tool
Cuckoo-modified 395 about 7 years ago Heavily modified Cuckoo fork developed by community
Cuckoo-modified-api 22 about 8 years ago Python library to control a cuckoo-modified sandbox
Cutter 15,972 about 2 months ago Free and Open Source Reverse Engineering Platform powered by rizin
Ghidra 52,492 about 1 month ago Software Reverse Engineering Framework
Hybrid-Analysis Free powerful online sandbox by CrowdStrike
Intezer Intezer Analyze dives into Windows binaries to detect micro-code similarities to known threats, in order to provide accurate yet easy-to-understand results
Joe Sandbox (Community) Joe Sandbox detects and analyzes potential malicious files and URLs on Windows, Android, Mac OS, Linux, and iOS for suspicious activities; providing comprehensive and detailed analysis reports
Mastiff 175 almost 5 years ago Static analysis framework that automates the process of extracting key characteristics from a number of different file formats
Metadefender Cloud Free threat intelligence platform providing multiscanning, data sanitization and vulnerability assessment of files
Radare2 20,862 about 1 month ago Reverse engineering framework and command-line toolset
Reverse.IT Alternative domain for the Hybrid-Analysis tool provided by CrowdStrike
Rizin 2,737 about 1 month ago UNIX-like reverse engineering framework and command-line toolset
StringSifter 688 6 months ago A machine learning tool that ranks strings based on their relevance for malware analysis
Threat.Zone Cloud based threat analysis platform which include sandbox, CDR and interactive analysis for researchers
Valkyrie Comodo Valkyrie uses run-time behavior and hundreds of features from a file to perform analysis
Viper 1,543 over 1 year ago Python based binary analysis and management framework, that works well with Cuckoo and YARA
Virustotal Free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners
Visualize_Logs 139 about 2 years ago Open source visualization library and command line tools for logs (Cuckoo, Procmon, more to come)
Yomi Free MultiSandbox managed and hosted by Yoroi

Awesome Incident Response / IR Tools Collection / Scanner Tools
Fenrir 702 almost 3 years ago Simple IOC scanner. It allows scanning any Linux/Unix/OSX system for IOCs in plain bash. Created by the creators of THOR and LOKI
LOKI 3,419 about 2 months ago Free IR scanner for scanning endpoint with yara rules and other indicators(IOCs)
Spyre 164 about 2 months ago Simple YARA-based IOC scanner written in Go

Awesome Incident Response / IR Tools Collection / Timeline Tools
Aurora Incident Response 772 over 1 year ago Platform developed to build easily a detailed timeline of an incident
Highlighter Free Tool available from Fire/Mandiant that will depict log/text file that can highlight areas on the graphic, that corresponded to a key word or phrase. Good for time lining an infection and what was done post compromise
Morgue 1,016 over 5 years ago PHP Web app by Etsy for managing postmortems
Plaso 1,745 3 months ago a Python-based backend engine for the tool log2timeline
Timesketch 2,641 about 1 month ago Open source tool for collaborative forensic timeline analysis

Awesome Incident Response / IR Tools Collection / Videos
The Future of Incident Response Presented by Bruce Schneier at OWASP AppSecUSA 2015

Awesome Incident Response / IR Tools Collection / Windows Evidence Collection
AChoir 184 over 2 years ago Framework/scripting tool to standardize and simplify the process of scripting live acquisition utilities for Windows
Crowd Response Lightweight Windows console application designed to aid in the gathering of system information for incident response and security engagements. It features numerous modules and output formats
Cyber Triage Cyber Triage has a lightweight collection tool that is free to use. It collects source files (such as registry hives and event logs), but also parses them on the live host so that it can also collect the executables that the startup items, scheduled, tasks, etc. refer to. It's output is a JSON file that can be imported into the free version of Cyber Triage. Cyber Triage is made by Sleuth Kit Labs, which also makes Autopsy
DFIR ORC DFIR ORC is a collection of specialized tools dedicated to reliably parse and collect critical artifacts such as the MFT, registry hives or event logs. DFIR ORC collects data, but does not analyze it: it is not meant to triage machines. It provides a forensically relevant snapshot of machines running Microsoft Windows. The code can be found on
FastIR Collector 507 almost 4 years ago Tool that collects different artifacts on live Windows systems and records the results in csv files. With the analyses of these artifacts, an early compromise can be detected
Fibratus 2,246 about 1 month ago Tool for exploration and tracing of the Windows kernel
Hoarder 194 about 4 years ago Collecting the most valuable artifacts for forensics or incident response investigations
IREC All-in-one IR Evidence Collector which captures RAM Image, $MFT, EventLogs, WMI Scripts, Registry Hives, System Restore Points and much more. It is FREE, lightning fast and easy to use
Invoke-LiveResponse 145 almost 3 years ago Invoke-LiveResponse is a live response tool for targeted collection
IOC Finder Free tool from Mandiant for collecting host system data and reporting the presence of Indicators of Compromise (IOCs). Support for Windows only. No longer maintained. Only fully supported up to Windows 7 / Windows Server 2008 R2
IRTriage 130 over 8 years ago Incident Response Triage - Windows Evidence Collection for Forensic Analysis
KAPE Kroll Artifact Parser and Extractor (KAPE) by Eric Zimmerman. A triage tool that finds the most prevalent digital artifacts and then parses them quickly. Great and thorough when time is of the essence
LOKI 3,419 about 2 months ago Free IR scanner for scanning endpoint with yara rules and other indicators(IOCs)
MEERKAT 436 2 months ago PowerShell-based triage and threat hunting for Windows
Panorama 39 almost 8 years ago Fast incident overview on live Windows systems
PowerForensics 1,389 about 1 year ago Live disk forensics platform, using PowerShell
PSRecon 479 over 7 years ago PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally
RegRipper 562 about 1 month ago Open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis

Backlinks from these awesome lists:

More related projects: