README.md update 2023-04-02 23:04:25 +03:00

Awesome Honeypots

A curated list of awesome honeypots, plus related components and much more, divided into categories such as Web, services, and others, with a focus on free and open source projects.

Contents

Honeypots

  • Database Honeypots

    • Delilah - Elasticsearch Honeypot written in Python (originally from Novetta).
    • ESPot - Elasticsearch honeypot written in NodeJS, to capture every attempt to exploit CVE-2014-3120.
    • ElasticPot - An Elasticsearch Honeypot.
    • Elastic honey - Simple Elasticsearch Honeypot.
    • MongoDB-HoneyProxy - MongoDB honeypot proxy.
    • NoSQLpot - Honeypot framework built on a NoSQL-style database.
    • mysql-honeypotd - Low interaction MySQL honeypot written in C.
    • MysqlPot - MySQL honeypot, still very early stage.
    • pghoney - Low-interaction Postgres Honeypot.
    • sticky_elephant - Medium interaction PostgreSQL honeypot.
    • RedisHoneyPot - High Interaction Honeypot Solution for Redis protocol.
  • Web honeypots

    • Express honeypot - RFI & LFI honeypot using NodeJS and Express.
    • EoHoneypotBundle - Honeypot type for Symfony2 forms.
    • Glastopf - Web Application Honeypot.
    • Google Hack Honeypot - Designed to provide reconnaissance against attackers that use search engines as a hacking tool against your resources.
    • HellPot - Honeypot that tries to crash the bots and clients that visit its location.
    • Laravel Application Honeypot - Simple spam prevention package for Laravel applications.
    • Nodepot - NodeJS web application honeypot.
    • PasitheaHoneypot - REST API honeypot.
    • Servletpot - Web application Honeypot.
    • Shadow Daemon - Modular Web Application Firewall / High-Interaction Honeypot for PHP, Perl, and Python apps.
    • StrutsHoneypot - Struts Apache 2 based honeypot as well as a detection module for Apache 2 servers.
    • WebTrap - Designed to create deceptive webpages to deceive and redirect attackers away from real websites.
    • basic-auth-pot (bap) - HTTP Basic Authentication honeypot.
    • bwpot - Breakable Web applications honeyPot.
    • django-admin-honeypot - Fake Django admin login screen to notify admins of attempted unauthorized access.
    • drupo - Drupal Honeypot.
    • honeyhttpd - Python-based web server honeypot builder.
    • honeyup - An uploader honeypot designed to look like poor website security.
    • owa-honeypot - A basic flask based Outlook Web Honey pot.
    • phpmyadmin_honeypot - Simple and effective phpMyAdmin honeypot.
    • shockpot - WebApp Honeypot for detecting Shell Shock exploit attempts.
    • smart-honeypot - PHP Script demonstrating a smart honey pot.
    • Snare/Tanner - Successors to Glastopf.
      • Snare - Super Next generation Advanced Reactive honeypot.
      • Tanner - Evaluating SNARE events.
    • stack-honeypot - Inserts a trap for spam bots into responses.
    • tomcat-manager-honeypot - Honeypot that mimics Tomcat manager endpoints. Logs requests and saves the attacker's WAR file for later study.
    • WordPress honeypots
      • HonnyPotter - WordPress login honeypot for collection and analysis of failed login attempts.
      • HoneyPress - Python based WordPress honeypot in a Docker container.
      • wp-smart-honeypot - WordPress plugin to reduce comment spam with a smarter honeypot.
      • wordpot - WordPress Honeypot.
    • Python-Honeypot - OWASP Honeypot, Automated Deception Framework.
  • Service Honeypots

    • ADBHoney - Low interaction honeypot that simulates an Android device running Android Debug Bridge (ADB) server process.
    • AMTHoneypot - Honeypot for Intel's AMT Firmware Vulnerability CVE-2017-5689.
    • DolosHoneypot - SDN (software defined networking) honeypot.
    • Ensnare - Easy to deploy Ruby honeypot.
    • HoneyPy - Low interaction honeypot.
    • Honeygrove - Multi-purpose modular honeypot based on Twisted.
    • Honeyport - Simple honeyport written in Bash and Python.
    • Honeyprint - Printer honeypot.
    • ListenSSH - Easily report all connection attempts on any port to AbuseIPDB.
    • Lyrebird - Modern high-interaction honeypot framework.
    • MICROS honeypot - Low interaction honeypot to detect CVE-2018-2636 in the Oracle Hospitality Simphony component of Oracle Hospitality Applications (MICROS).
    • RDPy - Microsoft Remote Desktop Protocol (RDP) honeypot implemented in Python.
    • SMB Honeypot - High interaction SMB service honeypot capable of capturing WannaCry-like malware.
    • Tom's Honeypot - Low interaction Python honeypot.
    • WebLogic honeypot - Low interaction honeypot to detect CVE-2017-10271 in the Oracle WebLogic Server component of Oracle Fusion Middleware.
    • WhiteFace Honeypot - Twisted based honeypot for WhiteFace.
    • ddospot - NTP, DNS, SSDP, Chargen and generic UDP-based amplification DDoS honeypot.
    • dionaea - Home of the dionaea honeypot.
    • dhp - Simple Docker Honeypot server emulating small snippets of the Docker HTTP API.
    • honeycomb_plugins - Plugin repository for Honeycomb, the honeypot framework by Cymmetria.
    • honeyntp - NTP logger/honeypot.
    • honeypot-camera - Observation camera honeypot.
    • honeypot-ftp - FTP Honeypot.
    • honeypots - 25 different honeypots in a single PyPI package! (dns, ftp, httpproxy, http, https, imap, mysql, pop3, postgres, redis, smb, smtp, socks5, ssh, telnet, vnc, mssql, elastic, ldap, ntp, memcache, snmp, oracle, sip and irc).
    • honeytrap - Advanced Honeypot framework written in Go that can be connected with other honeypot software.
    • pyrdp - RDP man-in-the-middle and library for Python 3 with the ability to watch connections live or after the fact.
    • troje - Honeypot that runs each connection with the service within a separate LXC container.
  • Distributed Honeypots

  • Anti-honeypot stuff

    • kippo_detect - Offensive component that detects the presence of the kippo honeypot.
  • ICS/SCADA honeypots

    • Conpot - ICS/SCADA honeypot.
    • GasPot - Veeder-Root Guardian AST, common in the oil and gas industry.
    • SCADA honeynet - Building Honeypots for Industrial Networks.
    • gridpot - Open source tools for realistic-behaving electric grid honeynets.
    • scada-honeynet - Mimics many of the services from a popular PLC and better helps SCADA researchers understand potential risks of exposed control system devices.
  • Other/random

    • CitrixHoneypot - Detect and log CVE-2019-19781 scan and exploitation attempts.
    • Damn Simple Honeypot (DSHP) - Honeypot framework with pluggable handlers.
    • dicompot - DICOM Honeypot.
    • IPP Honey - A honeypot for the Internet Printing Protocol.
    • Log4Pot - A honeypot for the Log4Shell vulnerability (CVE-2021-44228).
    • Masscanned - Let's be scanned. A low-interaction honeypot focused on network scanners and bots. It integrates very well with IVRE to build a self-hosted alternative to GreyNoise.
    • medpot - HL7 / FHIR honeypot.
    • NOVA - Uses honeypots as detectors, looks like a complete system.
    • OpenFlow Honeypot (OFPot) - Redirects traffic for unused IPs to a honeypot, built on POX.
    • OpenCanary - Modular and decentralised honeypot daemon that runs several canary versions of services and alerts when a service is (ab)used.
    • ciscoasa_honeypot - A low interaction honeypot for the Cisco ASA component capable of detecting CVE-2018-0101, a DoS and remote code execution vulnerability.
    • miniprint - A medium interaction printer honeypot.
  • Botnet C2 tools

    • Hale - Botnet command and control monitor.
    • dnsMole - Analyzes DNS traffic and potentially detects botnet command and control server activity, along with infected hosts.
  • IPv6 attack detection tool

    • ipv6-attack-detector - Google Summer of Code 2012 project, supported by The Honeynet Project organization.
  • Dynamic code instrumentation toolkit

    • Frida - Inject JavaScript to explore native apps on Windows, Mac, Linux, iOS and Android.
  • Tool to convert website to server honeypots

    • HIHAT - Transform arbitrary PHP applications into web-based high-interaction Honeypots.
  • Malware collector

    • Kippo-Malware - Python script that will download all malicious files stored as URLs in a Kippo SSH honeypot database.
  • Distributed sensor deployment

    • Community Honey Network - CHN aims to make deploying honeypots and honeypot management tools easy and flexible. The default deployment method uses Docker Compose and Docker to deploy with a few simple commands.
    • Modern Honey Network - Multi-snort and honeypot sensor management, uses a network of VMs, small footprint SNORT installations, stealthy dionaeas, and a centralized server for management.
  • Network Analysis Tool

  • Log anonymizer

    • LogAnon - Log anonymization library that helps keep anonymized logs consistent between log files and network captures.
  • Low interaction honeypot (router back door)

    • Honeypot-32764 - Honeypot for router backdoor (TCP 32764).
    • WAPot - Honeypot that can be used to observe traffic directed at home routers.
  • Honeynet farm traffic redirector

    • Honeymole - Deploy multiple sensors that redirect traffic to a centralized collection of honeypots.
  • HTTPS Proxy

    • mitmproxy - Allows traffic flows to be intercepted, inspected, modified, and replayed.
  • System instrumentation

    • Sysdig - Open source, system-level exploration allows one to capture system state and activity from a running GNU/Linux instance, then save, filter, and analyze the results.
    • Fibratus - Tool for exploration and tracing of the Windows kernel.
  • Honeypot for USB-spreading malware

    • Ghost-usb - Honeypot for malware that propagates via USB storage devices.
  • Data Collection

    • Kippo2MySQL - Extracts some very basic stats from Kippo's text-based log files and inserts them into a MySQL database.
    • Kippo2ElasticSearch - Python script to transfer data from a Kippo SSH honeypot MySQL database to an ElasticSearch instance (server or cluster).
  • Passive network audit framework parser

  • VM monitoring and tools

    • Antivmdetect - Script to create templates to use with VirtualBox to make VM detection harder.
    • VMCloak - Automated Virtual Machine Generation and Cloaking for Cuckoo Sandbox.
    • vmitools - C library with Python bindings that makes it easy to monitor the low-level details of a running virtual machine.
  • Binary debugger

  • Mobile Analysis Tool

    • Androguard - Reverse engineering, Malware and goodware analysis of Android applications and more.
    • APKinspector - Powerful GUI tool for analysts to analyze the Android applications.
  • Low interaction honeypot

    • Honeyperl - Honeypot software based on Perl, with plugins developed for many functions, like wingates, telnet, squid, smtp, etc.
    • T-Pot - All-in-one honeypot appliance from telecom provider T-Mobile.
    • beelzebub - A secure honeypot framework, extremely easy to configure via YAML 🚀
  • Honeynet data fusion

    • HFlow2 - Data coalescing tool for honeynet/network analysis.
  • Server

    • Amun - Vulnerability emulation honeypot.
    • Artillery - Open-source blue team tool designed to protect Linux and Windows operating systems through multiple methods.
    • Bait and Switch - Redirects all hostile traffic to a honeypot that is partially mirroring your production system.
    • Bifrozt - Automatic deployment of Bifrozt with Ansible.
    • Conpot - Low-interaction server-side Industrial Control Systems honeypot.
    • Heralding - Credentials catching honeypot.
    • HoneyWRT - Low interaction Python honeypot designed to mimic services or ports that might get targeted by attackers.
    • Honeyd - See honeyd tools.
    • Honeysink - Open source network sinkhole that provides a mechanism for detection and prevention of malicious traffic on a given network.
    • Hontel - Telnet Honeypot.
    • KFSensor - Windows based honeypot Intrusion Detection System (IDS).
    • LaBrea - Takes over unused IP addresses, and creates virtual servers that are attractive to worms, hackers, and other denizens of the Internet.
    • MTPot - Open Source Telnet Honeypot, focused on Mirai malware.
    • SIREN - Semi-Intelligent HoneyPot Network - HoneyNet Intelligent Virtual Environment.
    • TelnetHoney - Simple telnet honeypot.
    • UDPot Honeypot - Simple UDP/DNS honeypot scripts.
    • Yet Another Fake Honeypot (YAFH) - Simple honeypot written in Go.
    • arctic-swallow - Low interaction honeypot.
    • fapro - Fake Protocol Server.
    • glutton - All-eating honeypot.
    • go-HoneyPot - Honeypot server written in Go.
    • go-emulators - Honeypot Golang emulators.
    • honeymail - SMTP honeypot written in Golang.
    • honeytrap - Low-interaction honeypot and network security tool written to catch attacks against TCP and UDP services.
    • imap-honey - IMAP honeypot written in Golang.
    • mwcollectd - Versatile malware collection daemon, uniting the best features of nepenthes and honeytrap.
    • potd - Highly scalable low- to medium-interaction SSH/TCP honeypot designed for OpenWrt/IoT devices leveraging several Linux kernel features, such as namespaces, seccomp and thread capabilities.
    • portlurker - Port listener in Rust with protocol guessing and safe string display.
    • slipm-honeypot - Simple low-interaction port monitoring honeypot.
    • telnet-iot-honeypot - Python telnet honeypot for catching botnet binaries.
    • telnetlogger - Telnet honeypot designed to track the Mirai botnet.
    • vnclowpot - Low interaction VNC honeypot.
  • IDS signature generation

    • Honeycomb - Automated signature creation using honeypots.
  • Lookup service for AS-numbers and prefixes

    • CC2ASN - Simple lookup service for AS-numbers and prefixes belonging to any given country in the world.
  • Data Collection / Data Sharing

  • Central management tool

    • PHARM - Manage, report, and analyze your distributed Nepenthes instances.
  • Network connection analyzer

    • Impost - Network security auditing tool designed to analyze the forensics behind compromised and/or vulnerable daemons.
  • Honeypot deployment

  • Honeypot extensions to Wireshark

    • Wireshark Extensions - Apply Snort IDS rules and signatures against packet capture files using Wireshark.
  • Client

  • Honeypot

  • PDF document inspector

    • peepdf - Powerful Python tool to analyze PDF documents.
  • Hybrid low/high interaction honeypot

  • SSH Honeypots

    • Blacknet - Multi-head SSH honeypot system.
    • Cowrie - Cowrie SSH Honeypot (based on kippo).
    • DShield docker - Docker container running cowrie with DShield output enabled.
    • endlessh - SSH tarpit that slowly sends an endless banner. (docker image)
    • HonSSH - Logs all SSH communications between a client and server.
    • HUDINX - Tiny interaction SSH honeypot engineered in Python to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.
    • Kippo - Medium interaction SSH honeypot.
    • Kippo_JunOS - Kippo configured to be a backdoored netscreen.
    • Kojoney2 - Low interaction SSH honeypot written in Python and based on Kojoney by Jose Antonio Coret.
    • Kojoney - Python-based Low interaction honeypot that emulates an SSH server implemented with Twisted Conch.
    • Longitudinal Analysis of SSH Cowrie Honeypot Logs - Python based command line tool to analyze cowrie logs over time.
    • LongTail Log Analysis @ Marist College - Analyzed SSH honeypot logs.
    • Malbait - Simple TCP/UDP honeypot implemented in Perl.
    • MockSSH - Mock an SSH server and define all commands it supports (Python, Twisted).
    • cowrie2neo - Parse cowrie honeypot logs into a neo4j database.
    • go-sshoney - SSH Honeypot.
    • go0r - Simple ssh honeypot in Golang.
    • gohoney - SSH honeypot written in Go.
    • hived - Golang-based honeypot.
    • hnypots-agent - SSH server in Go that logs username and password combinations.
    • honeypot.go - SSH Honeypot written in Go.
    • honeyssh - Credential dumping SSH honeypot with statistics.
    • hornet - Medium interaction SSH honeypot that supports multiple virtual hosts.
    • ssh-auth-logger - Low/zero interaction SSH authentication logging honeypot.
    • ssh-honeypot - Fake sshd that logs IP addresses, usernames, and passwords.
    • ssh-honeypot - Modified version of the OpenSSH daemon that forwards commands to Cowrie, where all commands are interpreted and returned.
    • ssh-honeypotd - Low-interaction SSH honeypot written in C.
    • sshForShits - Framework for a high interaction SSH honeypot.
    • sshesame - Fake SSH server that lets everyone in and logs their activity.
    • sshhipot - High-interaction MitM SSH honeypot.
    • sshlowpot - Yet another no-frills low-interaction SSH honeypot in Go.
    • sshsyrup - Simple SSH Honeypot with features to capture terminal activity and upload to asciinema.org.
    • twisted-honeypots - SSH, FTP and Telnet honeypots based on Twisted.
  • Distributed sensor project

  • A pcap analyzer

  • Network traffic redirector

  • Honeypot Distribution with mixed content

  • Honeypot sensor

    • Honeeepi - Honeypot sensor on a Raspberry Pi based on a customized Raspbian OS.
  • File carving

  • Behavioral analysis tool for win32

  • Live CD

    • DAVIX - The DAVIX Live CD.
  • Spamtrap

  • Commercial honeynet

    • Cymmetria Mazerunner - Leads attackers away from real targets and creates a footprint of the attack.
  • Server (Bluetooth)

  • Dynamic analysis of Android apps

  • Dockerized Low Interaction packaging

    • Docker honeynet - Several Honeynet tools set up for Docker containers.
    • Dockerized Thug - Dockerized Thug to analyze malicious web content.
    • Dockerpot - Docker based honeypot.
    • Manuka - Docker based honeypot (Dionaea and Kippo).
    • honey_ports - Very simple but effective docker deployed honeypot to detect port scanning in your environment.
    • mhn-core-docker - Core elements of the Modern Honey Network implemented in Docker.
  • Network analysis

  • SIP Server

  • SIP

    • SentryPeer - Protect your SIP Servers from bad actors.
  • IOT Honeypot

    • HoneyThing - TR-069 Honeypot.
    • Kako - Honeypots for a number of well known and deployed embedded device vulnerabilities.
  • Honeytokens

    • CanaryTokens - Self-hostable honeytoken generator and reporting dashboard; demo version available at CanaryTokens.org.
    • Honeybits - Simple tool designed to enhance the effectiveness of your traps by spreading breadcrumbs and honeytokens across your production servers and workstations to lure the attacker toward your honeypots.
    • Honeyλ (HoneyLambda) - Simple, serverless application designed to create and monitor URL honeytokens, on top of AWS Lambda and Amazon API Gateway.
    • dcept - Tool for deploying and detecting use of Active Directory honeytokens.
    • honeyku - Heroku-based web honeypot that can be used to create and monitor fake HTTP endpoints (i.e. honeytokens).

Honeyd Tools

Network and Artifact Analysis

  • Sandbox

    • Argos - Emulator for capturing zero-day attacks.
    • COMODO automated sandbox
    • Cuckoo - Leading open source automated malware analysis system.
    • Pylibemu - Libemu Cython wrapper.
    • RFISandbox - PHP 5.x script sandbox built on top of funcall.
    • dorothy2 - Malware/botnet analysis framework written in Ruby.
    • imalse - Integrated MALware Simulator and Emulator.
    • libemu - Shellcode emulation library, useful for shellcode detection.
  • Sandbox-as-a-Service

    • Hybrid Analysis - Free malware analysis service powered by Payload Security that detects and analyzes unknown threats using a unique Hybrid Analysis technology.
    • Joebox Cloud - Analyzes the behavior of malicious files including PEs, PDFs, DOCs, PPTs, XLSs, APKs, URLs and MachOs on Windows, Android and Mac OS X for suspicious activities.
    • VirusTotal - Analyze suspicious files and URLs to detect types of malware, and automatically share them with the security community.
    • malwr.com - Free malware analysis service and community.

Data Tools

  • Front Ends

    • DionaeaFR - Web front end for the Dionaea low-interaction honeypot.
    • Django-kippo - Django App for kippo SSH Honeypot.
    • Shockpot-Frontend - Full featured script to visualize statistics from a Shockpot honeypot.
    • Tango - Honeypot Intelligence with Splunk.
    • Wordpot-Frontend - Full featured script to visualize statistics from a Wordpot honeypot.
    • honeyalarmg2 - Simplified UI for showing honeypot alarms.
    • honeypotDisplay - Flask website which displays data gathered from an SSH Honeypot.
  • Visualization

    • Acapulco - Automated Attack Community Graph Construction.
    • Afterglow Cloud
    • Afterglow
    • Glastopf Analytics - Easy honeypot statistics.
    • HoneyMalt - Maltego transforms for mapping Honeypot systems.
    • HoneyMap - Real-time websocket stream of GPS events on a fancy SVG world map.
    • HoneyStats - Statistical view of the recorded activity on a Honeynet.
    • HpfeedsHoneyGraph - Visualization app to visualize hpfeeds logs.
    • IVRE - Network recon framework, published by @cea-sec & @ANSSI-FR. Build your own, self-hosted and fully-controlled alternatives to Criminalip / Shodan / ZoomEye / Censys and GreyNoise, run your Passive DNS service, collect and analyse network intelligence from your sensors, and much more!
    • Kippo stats - Mojolicious app to display statistics for your kippo SSH honeypot.
    • Kippo-Graph - Full featured script to visualize statistics from a Kippo SSH honeypot.
    • The Intelligent HoneyNet - Create actionable information from honeypots.
    • ovizart - Visual analysis for network traffic.

Guides


Malware Collection

Anonymizers

Web traffic anonymizers for analysts.

  • Anonymouse.org - A free, web based anonymizer.
  • OpenVPN - VPN software and hosting solutions.
  • Privoxy - An open source proxy server with some privacy features.
  • Tor - The Onion Router, for browsing the web without leaving traces of the client IP.

Honeypots

Trap and collect your own samples.

  • Conpot - ICS/SCADA honeypot.
  • Cowrie - SSH honeypot, based on Kippo.
  • DemoHunter - Low interaction Distributed Honeypots.
  • Dionaea - Honeypot designed to trap malware.
  • Glastopf - Web application honeypot.
  • Honeyd - Create a virtual honeynet.
  • HoneyDrive - Honeypot bundle Linux distro.
  • Honeytrap - Opensource system for running, monitoring and managing honeypots.
  • MHN - MHN is a centralized server for management and data collection of honeypots. MHN allows you to deploy sensors quickly and to collect data immediately, viewable from a neat web interface.
  • Mnemosyne - A normalizer for honeypot data; supports Dionaea.
  • Thug - Low interaction honeyclient, for investigating malicious websites.

Malware Corpora

Malware samples collected for analysis.

  • Clean MX - Realtime database of malware and malicious domains.
  • Contagio - A collection of recent malware samples and analyses.
  • Exploit Database - Exploit and shellcode samples.
  • Infosec - CERT-PA - Malware samples collection and analysis.
  • InQuest Labs - Evergrowing searchable corpus of malicious Microsoft documents.
  • Javascript Malware Collection - Collection of almost 40,000 JavaScript malware samples.
  • Malpedia - A resource providing rapid identification and actionable context for malware investigations.
  • Malshare - Large repository of malware actively scraped from malicious sites.
  • Open Malware Project - Sample information and downloads. Formerly Offensive Computing.
  • Ragpicker - Plugin based malware crawler with pre-analysis and reporting functionalities.
  • theZoo - Live malware samples for analysts.
  • Tracker h3x - Aggregator for malware corpus trackers and malicious download sites.
  • vduddu malware repo - Collection of various malware files and source code.
  • VirusBay - Community-Based malware repository and social network.
  • ViruSign - Malware database of samples detected by many anti-malware programs except ClamAV.
  • VirusShare - Malware repository, registration required.
  • VX Vault - Active collection of malware samples.
  • Zeltser's Sources - A list of malware sample sources put together by Lenny Zeltser.
  • Zeus Source Code - Source for the Zeus trojan leaked in 2011.
  • VX Underground - Massive and growing collection of free malware samples.

Open Source Threat Intelligence

Tools

Harvest and analyze IOCs.

  • AbuseHelper - An open-source framework for receiving and redistributing abuse feeds and threat intel.
  • AlienVault Open Threat Exchange - Share and collaborate in developing Threat Intelligence.
  • Combine - Tool to gather Threat Intelligence indicators from publicly available sources.
  • Fileintel - Pull intelligence per file hash.
  • Hostintel - Pull intelligence per host.
  • IntelMQ - A tool for CERTs for processing incident data using a message queue.
  • IOC Editor - A free editor for XML IOC files.
  • iocextract - Advanced Indicator of Compromise (IOC) extractor, Python library and command-line tool.
  • ioc_writer - Python library for working with OpenIOC objects, from Mandiant.
  • MalPipe - Malware/IOC ingestion and processing engine, that enriches collected data.
  • Massive Octo Spice - Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
  • MISP - Malware Information Sharing Platform curated by The MISP Project.
  • Pulsedive - Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
  • PyIOCe - A Python OpenIOC editor.
  • RiskIQ - Research, connect, tag and share IPs and domains. (Was PassiveTotal.)
  • threataggregator - Aggregates security threats from a number of sources, including some of those listed below in other resources.
  • ThreatConnect - TC Open allows you to see and share open source threat data, with support and validation from our free community.
  • ThreatCrowd - A search engine for threats, with graphical visualization.
  • ThreatIngestor - Build automated threat intel pipelines sourcing from Twitter, RSS, GitHub, and more.
  • ThreatTracker - A Python script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines.
  • TIQ-test - Data visualization and statistical analysis of Threat Intelligence feeds.

Other Resources

Threat intelligence and IOC resources.

Detection and Classification

Antivirus and other malware identification tools

  • AnalyzePE - Wrapper for a variety of tools for reporting on Windows PE files.
  • Assemblyline - A scalable distributed file analysis framework.
  • BinaryAlert - An open source, serverless AWS pipeline that scans and alerts on uploaded files based on a set of YARA rules.
  • capa - Detects capabilities in executable files.
  • chkrootkit - Local Linux rootkit detection.
  • ClamAV - Open source antivirus engine.
  • Detect It Easy (DiE) - A program for determining types of files.
  • Exeinfo PE - Packer, compressor detector, unpack info, internal exe tools.
  • ExifTool - Read, write and edit file metadata.
  • File Scanning Framework - Modular, recursive file scanning solution.
  • fn2yara - FN2Yara is a tool to generate Yara signatures for matching functions (code) in an executable program.
  • Generic File Parser - A single library parser to extract meta information, perform static analysis and detect macros within files.
  • hashdeep - Compute digest hashes with a variety of algorithms.
  • HashCheck - Windows shell extension to compute hashes with a variety of algorithms.
  • Loki - Host based scanner for IOCs.
  • Malfunction - Catalog and compare malware at a function level.
  • Manalyze - Static analyzer for PE executables.
  • MASTIFF - Static analysis framework.
  • MultiScanner - Modular file scanning/analysis framework.
  • Nauz File Detector (NFD) - Linker/Compiler/Tool detector for Windows, Linux and MacOS.
  • nsrllookup - A tool for looking up hashes in NIST's National Software Reference Library database.
  • packerid - A cross-platform Python alternative to PEiD.
  • PE-bear - Reversing tool for PE files.
  • PEframe - PEframe is an open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents.
  • PEV - A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.
  • PortEx - Java library to analyse PE files with a special focus on malware analysis and PE malformation robustness.
  • Quark-Engine - An obfuscation-neglect Android malware scoring system.
  • Rootkit Hunter - Detect Linux rootkits.
  • ssdeep - Compute fuzzy hashes.
  • totalhash.py - Python script for easy searching of the TotalHash.cymru.com database.
  • TrID - File identifier.
  • YARA - Pattern matching tool for analysts.
  • Yara rules generator - Generate yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives.
  • Yara Finder - A simple tool to match a file against various YARA rules to find indicators of suspicion.

Online Scanners and Sandboxes

Web-based multi-AV scanners, and malware sandboxes for automated analysis.

  • anlyz.io - Online sandbox.
  • any.run - Online interactive sandbox.
  • AndroTotal - Free online analysis of APKs against multiple mobile antivirus apps.
  • AVCaesar - Malware.lu online scanner and malware repository.
  • BoomBox - Automatic deployment of Cuckoo Sandbox malware lab using Packer and Vagrant.
  • Cryptam - Analyze suspicious office documents.
  • Cuckoo Sandbox - Open source, self hosted sandbox and automated analysis system.
  • cuckoo-modified - Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.
  • cuckoo-modified-api - A Python API used to control a cuckoo-modified sandbox.
  • DeepViz - Multi-format file analyzer with machine-learning classification.
  • detux - A sandbox developed to do traffic analysis of Linux malware and capture IOCs.
  • DRAKVUF - Dynamic malware analysis system.
  • firmware.re - Unpacks, scans and analyzes almost any firmware package.
  • HaboMalHunter - An Automated Malware Analysis Tool for Linux ELF Files.
  • Hybrid Analysis - Online malware analysis tool, powered by VxSandbox.
  • Intezer - Detect, analyze, and categorize malware by identifying code reuse and code similarities.
  • IRMA - An asynchronous and customizable analysis platform for suspicious files.
  • Joe Sandbox - Deep malware analysis with Joe Sandbox.
  • Jotti - Free online multi-AV scanner.
  • Limon - Sandbox for Analyzing Linux Malware.
  • Malheur - Automatic sandboxed analysis of malware behavior.
  • malice.io - Massively scalable malware analysis framework.
  • malsub - A Python RESTful API framework for online malware and URL analysis services.
  • Malware config - Extract, decode and display online the configuration settings from common malware families.
  • MalwareAnalyser.io - Online malware anomaly-based static analyser with heuristic detection engine powered by data mining and machine learning.
  • Malwr - Free analysis with an online Cuckoo Sandbox instance.
  • MetaDefender Cloud - Scan a file, hash, IP, URL or domain address for malware for free.
  • NetworkTotal - A service that analyzes pcap files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware using Suricata configured with EmergingThreats Pro.
  • Noriben - Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
  • PacketTotal - PacketTotal is an online engine for analyzing .pcap files, and visualizing the network traffic within.
  • PDF Examiner - Analyse suspicious PDF files.
  • ProcDot - A graphical malware analysis tool kit.
  • Recomposer - A helper script for safely uploading binaries to sandbox sites.
  • sandboxapi - Python library for building integrations with several open source and commercial malware sandboxes.
  • SEE - Sandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments.
  • SEKOIA Dropper Analysis - Online dropper analysis (Js, VBScript, Microsoft Office, PDF).
  • VirusTotal - Free online analysis of malware samples and URLs.
  • Visualize_Logs - Open source visualization library and command line tools for logs. (Cuckoo, Procmon, more to come...)
  • Zeltser's List - Free automated sandboxes and services, compiled by Lenny Zeltser.

Domain Analysis

Inspect domains and IP addresses.

  • AbuseIPDB - AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet.
  • badips.com - Community based IP blacklist service.
  • boomerang - A tool designed for consistent and safe capture of off network web resources.
  • Cymon - Threat intelligence tracker, with IP/domain/hash search.
  • Desenmascara.me - One click tool to retrieve as much metadata as possible for a website and to assess its good standing.
  • Dig - Free online dig and other network tools.
  • dnstwist - Domain name permutation engine for detecting typo squatting, phishing and corporate espionage.
  • IPinfo - Gather information about an IP or domain by searching online resources.
  • Machinae - OSINT tool for gathering information about URLs, IPs, or hashes. Similar to Automator.
  • mailchecker - Cross-language temporary email detection library.
  • MaltegoVT - Maltego transform for the VirusTotal API. Allows domain/IP research, and searching for file hashes and scan reports.
  • Multi rbl - Multiple DNS blacklist and forward confirmed reverse DNS lookup over more than 300 RBLs.
  • NormShield Services - Free API Services for detecting possible phishing domains, blacklisted ip addresses and breached accounts.
  • PhishStats - Phishing statistics with search for IP, domain and website title.
  • Spyse - Subdomains, WHOIS, related domains, DNS, hosts AS, SSL/TLS info.
  • SecurityTrails - Historical and current WHOIS, historical and current DNS records, similar domains, certificate information and other domain and IP related API and tools.
  • SpamCop - IP based spam block list.
  • SpamHaus - Block list based on domains and IPs.
  • Sucuri SiteCheck - Free Website Malware and Security Scanner.
  • Talos Intelligence - Search for IP, domain or network owner. (Previously SenderBase.)
  • TekDefense Automater - OSINT tool for gathering information about URLs, IPs, or hashes.
  • URLhaus - A project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution.
  • URLQuery - Free URL Scanner.
  • urlscan.io - Free URL Scanner & domain information.
  • Whois - DomainTools free online whois search.
  • Zeltser's List - Free online tools for researching malicious websites, compiled by Lenny Zeltser.
  • Zscaler Zulu - Zulu URL Risk Analyzer.

Browser Malware

Analyze malicious URLs. See also the domain analysis and documents and shellcode sections.

  • Bytecode Viewer - Combines multiple Java bytecode viewers and decompilers into one tool, including APK/DEX support.
  • Firebug - Firefox extension for web development.
  • Java Decompiler - Decompile and inspect Java apps.
  • Java IDX Parser - Parses Java IDX cache files.
  • JSDetox - JavaScript malware analysis tool.
  • jsunpack-n - A JavaScript unpacker that emulates browser functionality.
  • Krakatau - Java decompiler, assembler, and disassembler.
  • Malzilla - Analyze malicious web pages.
  • RABCDAsm - A "Robust ActionScript Bytecode Disassembler."
  • SWF Investigator - Static and dynamic analysis of SWF applications.
  • swftools - Tools for working with Adobe Flash files.
  • xxxswf - A Python script for analyzing Flash files.

Documents and Shellcode

Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.

  • AnalyzePDF - A tool for analyzing PDFs and attempting to determine whether they are malicious.
  • box-js - A tool for studying JavaScript malware, featuring JScript/WScript support and ActiveX emulation.
  • diStorm - Disassembler for analyzing malicious shellcode.
  • InQuest Deep File Inspection - Upload common malware lures for Deep File Inspection and heuristical analysis.
  • JS Beautifier - JavaScript unpacking and deobfuscation.
  • libemu - Library and tools for x86 shellcode emulation.
  • malpdfobj - Deconstruct malicious PDFs into a JSON representation.
  • OfficeMalScanner - Scan for malicious traces in MS Office documents.
  • olevba - A script for parsing OLE and OpenXML documents and extracting useful information.
  • Origami PDF - A tool for analyzing malicious PDFs, and more.
  • PDF Tools - pdfid, pdf-parser, and more from Didier Stevens.
  • PDF X-Ray Lite - A PDF analysis tool, the backend-free version of PDF X-RAY.
  • peepdf - Python tool for exploring possibly malicious PDFs.
  • QuickSand - QuickSand is a compact C framework to analyze suspected malware documents to identify exploits in streams of different encodings and to locate and extract embedded executables.
  • Spidermonkey - Mozilla's JavaScript engine, for debugging malicious JS.

File Carving

For extracting files from inside disk and memory images.

  • bulk_extractor - Fast file carving tool.
  • EVTXtract - Carve Windows Event Log files from raw binary data.
  • Foremost - File carving tool designed by the US Air Force.
  • hachoir3 - Hachoir is a Python library to view and edit a binary stream field by field.
  • Scalpel - Another data carving tool.
  • SFlock - Nested archive extraction/unpacking (used in Cuckoo Sandbox).

Deobfuscation

Reverse XOR and other code obfuscation methods.

  • Balbuzard - A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
  • de4dot - .NET deobfuscator and unpacker.
  • ex_pe_xor & iheartxor - Two tools from Alexander Hanel for working with single-byte XOR encoded files.
  • FLOSS - The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.
  • NoMoreXOR - Guess a 256 byte XOR key using frequency analysis.
  • PackerAttacker - A generic hidden code extractor for Windows malware.
  • PyInstaller Extractor - A Python script to extract the contents of a PyInstaller generated Windows executable file. The contents of the pyz file (usually pyc files) present inside the executable are also extracted and automatically fixed so that a Python bytecode decompiler will recognize it.
  • uncompyle6 - A cross-version Python bytecode decompiler. Translates Python bytecode back into equivalent Python source code.
  • un{i}packer - Automatic and platform-independent unpacker for Windows binaries based on emulation.
  • unpacker - Automated malware unpacker for Windows malware based on WinAppDbg.
  • unxor - Guess XOR keys using known-plaintext attacks.
  • VirtualDeobfuscator - Reverse engineering tool for virtualization wrappers.
  • XORBruteForcer - A Python script for brute forcing single-byte XOR keys.
  • XORSearch & XORStrings - A couple programs from Didier Stevens for finding XORed data.
  • xortool - Guess XOR key length, as well as the key itself.

Debugging and Reverse Engineering

Disassemblers, debuggers, and other static and dynamic analysis tools.

  • angr - Platform-agnostic binary analysis framework developed at UCSB's Seclab.
  • bamfdetect - Identifies and extracts information from bots and other malware.
  • BAP - Multiplatform and open source (MIT) binary analysis framework developed at CMU's Cylab.
  • BARF - Multiplatform, open source Binary Analysis and Reverse engineering Framework.
  • binnavi - Binary analysis IDE for reverse engineering based on graph visualization.
  • Binary ninja - A reverse engineering platform that is an alternative to IDA.
  • Binwalk - Firmware analysis tool.
  • BluePill - Framework for executing and debugging evasive malware and protected executables.
  • Capstone - Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages.
  • codebro - Web based code browser using clang to provide basic code analysis.
  • Cutter - GUI for Radare2.
  • DECAF (Dynamic Executable Code Analysis Framework) - A binary analysis platform based on QEMU. DroidScope is now an extension to DECAF.
  • dnSpy - .NET assembly editor, decompiler and debugger.
  • dotPeek - Free .NET Decompiler and Assembly Browser.
  • Evan's Debugger (EDB) - A modular debugger with a Qt GUI.
  • Fibratus - Tool for exploration and tracing of the Windows kernel.
  • FPort - Reports open TCP/IP and UDP ports in a live system and maps them to the owning application.
  • GDB - The GNU debugger.
  • GEF - GDB Enhanced Features, for exploiters and reverse engineers.
  • Ghidra - A software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
  • hackers-grep - A utility to search for strings in PE executables including imports, exports, and debug symbols.
  • Hopper - The macOS and Linux Disassembler.
  • IDA Pro - Windows disassembler and debugger, with a free evaluation version.
  • IDR - Interactive Delphi Reconstructor is a decompiler of Delphi executable files and dynamic libraries.
  • Immunity Debugger - Debugger for malware analysis and more, with a Python API.
  • ILSpy - ILSpy is the open-source .NET assembly browser and decompiler.
  • Kaitai Struct - DSL for file formats / network protocols / data structures reverse engineering and dissection, with code generation for C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
  • LIEF - LIEF provides a cross-platform library to parse, modify and abstract ELF, PE and MachO formats.
  • ltrace - Dynamic analysis for Linux executables.
  • mac-a-mal - An automated framework for mac malware hunting.
  • objdump - Part of GNU binutils, for static analysis of Linux binaries.
  • OllyDbg - An assembly-level debugger for Windows executables.
  • OllyDumpEx - Dump memory from (unpacked) malware Windows process and store raw or rebuild PE file. This is a plugin for OllyDbg, Immunity Debugger, IDA Pro, WinDbg, and x64dbg.
  • PANDA - Platform for Architecture-Neutral Dynamic Analysis.
  • PEDA - Python Exploit Development Assistance for GDB, an enhanced display with added commands.
  • pestudio - Perform static analysis of Windows executables.
  • Pharos - The Pharos binary analysis framework can be used to perform automated static analysis of binaries.
  • plasma - Interactive disassembler for x86/ARM/MIPS.
  • PPEE (puppy) - A Professional PE file Explorer for reversers, malware researchers and those who want to statically inspect PE files in more detail.
  • Process Explorer - Advanced task manager for Windows.
  • Process Hacker - Tool that monitors system resources.
  • Process Monitor - Advanced monitoring tool for Windows programs.
  • PSTools - Windows command-line tools that help manage and investigate live systems.
  • Pyew - Python tool for malware analysis.
  • PyREBox - Python scriptable reverse engineering sandbox by the Talos team at Cisco.
  • QKD - QEMU with embedded WinDbg server for stealth debugging.
  • Radare2 - Reverse engineering framework, with debugger support.
  • RegShot - Registry compare utility that compares snapshots.
  • RetDec - Retargetable machine-code decompiler with an online decompilation service and API that you can use in your tools.
  • ROPMEMU - A framework to analyze, dissect and decompile complex code-reuse attacks.
  • Scylla Imports Reconstructor - Find and fix the IAT of an unpacked / dumped PE32 malware.
  • ScyllaHide - An Anti-Anti-Debug library and plugin for OllyDbg, x64dbg, IDA Pro, and TitanEngine.
  • SMRT - Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analysis.
  • strace - Dynamic analysis for Linux executables.
  • StringSifter - A machine learning tool that automatically ranks strings based on their relevance for malware analysis.
  • Triton - A dynamic binary analysis (DBA) framework.
  • Udis86 - Disassembler library and tool for x86 and x86_64.
  • Vivisect - Python tool for malware analysis.
  • WinDbg - Multipurpose debugger for the Microsoft Windows operating system, used to debug user mode applications, device drivers, and kernel-mode memory dumps.
  • X64dbg - An open-source x64/x32 debugger for Windows.

Network

Analyze network interactions.

  • Bro - Protocol analyzer that operates at incredible scale; both file and network protocols.
  • BroYara - Use Yara rules from Bro.
  • CapTipper - Malicious HTTP traffic explorer.
  • chopshop - Protocol analysis and decoding framework.
  • CloudShark - Web-based tool for packet analysis and malware traffic detection.
  • FakeNet-NG - Next generation dynamic network analysis tool.
  • Fiddler - Intercepting web proxy designed for "web debugging."
  • Hale - Botnet C&C monitor.
  • Haka - An open source security oriented language for describing protocols and applying security policies on (live) captured traffic.
  • HTTPReplay - Library for parsing and reading out PCAP files, including TLS streams using TLS Master Secrets (used in Cuckoo Sandbox).
  • INetSim - Network service emulation, useful when building a malware lab.
  • Laika BOSS - Laika BOSS is a file-centric malware analysis and intrusion detection system.
  • Malcolm - Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs.
  • Malcom - Malware Communications Analyzer.
  • Maltrail - A malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails and featuring a reporting and analysis interface.
  • mitmproxy - Intercept network traffic on the fly.
  • Moloch - IPv4 traffic capturing, indexing and database system.
  • NetworkMiner - Network forensic analysis tool, with a free version.
  • ngrep - Search through network traffic like grep.
  • PcapViz - Network topology and traffic visualizer.
  • Python ICAP Yara - An ICAP Server with yara scanner for URL or content.
  • Squidmagic - squidmagic is a tool designed to analyze web-based network traffic to detect central command and control (C&C) servers and malicious sites, using Squid proxy server and Spamhaus.
  • Tcpdump - Collect network traffic.
  • tcpick - Track and reassemble TCP streams from network traffic.
  • tcpxtract - Extract files from network traffic.
  • Wireshark - The network traffic analysis tool.

Memory Forensics

Tools for dissecting malware in memory images or running systems.

  • BlackLight - Windows/MacOS forensics client supporting hiberfil, pagefile, raw memory analysis.
  • DAMM - Differential Analysis of Malware in Memory, built on Volatility.
  • evolve - Web interface for the Volatility Memory Forensics Framework.
  • FindAES - Find AES encryption keys in memory.
  • inVtero.net - High speed memory analysis framework developed in .NET that supports all Windows x64 versions; includes code integrity and write support.
  • Muninn - A script to automate portions of analysis using Volatility, and create a readable report.
  • Rekall - Memory analysis framework, forked from Volatility in 2013.
  • TotalRecall - Script based on Volatility for automating various malware analysis tasks.
  • VolDiff - Run Volatility on memory images before and after malware execution, and report changes.
  • Volatility - Advanced memory forensics framework.
  • VolUtility - Web Interface for Volatility Memory Analysis framework.
  • WDBGARK - WinDBG Anti-RootKit Extension.
  • WinDbg - Live memory inspection and kernel debugging for Windows systems.

Windows Artifacts

  • AChoir - A live incident response script for gathering Windows artifacts.
  • python-evt - Python library for parsing Windows Event Logs.
  • python-registry - Python library for parsing registry files.
  • RegRipper (GitHub) - Plugin-based registry analysis tool.

Storage and Workflow

  • Aleph - Open Source Malware Analysis Pipeline System.
  • CRITs - Collaborative Research Into Threats, a malware and threat repository.
  • FAME - A malware analysis framework featuring a pipeline that can be extended with custom modules, which can be chained and interact with each other to perform end-to-end analysis.
  • Malwarehouse - Store, tag, and search malware.
  • Polichombr - A malware analysis platform designed to help analysts reverse malware collaboratively.
  • stoQ - Distributed content analysis framework with extensive plugin support, from input to output, and everything in between.
  • Viper - A binary management and analysis framework for analysts and researchers.

Miscellaneous

  • al-khaser - A PoC malware with good intentions that aims to stress anti-malware systems.
  • CryptoKnight - Automated cryptographic algorithm reverse engineering and classification framework.
  • DC3-MWCP - The Defense Cyber Crime Center's Malware Configuration Parser framework.
  • FLARE VM - A fully customizable, Windows-based, security distribution for malware analysis.
  • MalSploitBase - A database containing exploits used by malware.
  • Malware Museum - Collection of malware programs that were distributed in the 1980s and 1990s.
  • Malware Organiser - A simple tool to organise large malicious/benign files into an organised structure.
  • Pafish - Paranoid Fish, a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.
  • REMnux - Linux distribution and docker images for malware reverse engineering and analysis.
  • Tsurugi Linux - Linux distribution designed to support your DFIR investigations, malware analysis and OSINT (Open Source INTelligence) activities.
  • Santoku Linux - Linux distribution for mobile forensics, malware analysis, and security.

Resources

Books

Essential malware analysis reading material.

Other