A repository of sysmon configuration modules
Updated May 4, 2024 - PowerShell
A Cloud Forensics PowerShell module to run threat hunting playbooks on data from Azure and O365
Advanced Sysmon ATT&CK configuration focused on detecting the most techniques per data source in MITRE ATT&CK, providing visibility into forensic artifact events for UEBA, detecting exploitation events with wide CVE coverage, and risk scoring of CVE, UEBA, forensic, and MITRE ATT&CK events.
DetectionLabELK is a fork of DetectionLab with the ELK stack instead of Splunk.
MasterParser is a powerful DFIR tool designed for analyzing and parsing Linux logs
Timeline of Active Directory changes with replication metadata
MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIR
A data source assessment at the event level to show potential coverage of the MITRE ATT&CK framework
PowerShell script to help Incident Responders discover potential adversary persistence mechanisms.
PowerShell module for Office 365 and Azure log collection
Collect-MemoryDump - Automated Creation of Windows Memory Snapshots for DFIR
Win 10/11 related research
Windows 10 (v1803+) ActivitiesCache.db parsers (SQLite, PowerShell, .EXE)
Invoke-LiveResponse
ThreatHunt is a PowerShell repository that allows you to train your threat hunting skills.
A really good DFIR automation for collecting and analyzing evidence designed for cybersecurity professionals.
PowerShell module for VMware vSphere forensics
Provides various Windows Server Active Directory (AD) security-focused reports.