A repository of sysmon configuration modules
Updated May 4, 2024 - PowerShell
Advanced Sysmon ATT&CK configuration focused on detecting the most techniques per data source in MITRE ATT&CK, providing visibility into forensic artifact events for UEBA, detecting exploitation events with wide CVE coverage, and risk scoring of CVE, UEBA, forensic, and MITRE ATT&CK events.
DetectionLabELK is a fork of DetectionLab that uses the ELK stack instead of Splunk.
A cloud forensics PowerShell module to run threat-hunting playbooks on data from Azure and O365
A data source assessment at the event level that shows potential coverage of the MITRE ATT&CK framework
Timeline of Active Directory changes with replication metadata
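The replication-metadata approach the entry above relies on, as an added PowerShell example that is not code from that repository or any other listed on this page: every attribute (and, for linked attributes such as `member`, every link value) carries the time, USN, originating DC and a version counter of its last originating write, so a change timeline for an object can be rebuilt even when the Security event logs have rolled. The object name, the `$Server` default and the `$Sensitive` attribute list are assumptions for illustration; the RSAT ActiveDirectory module and a reachable domain controller are required.

```powershell
# Added example, not code from any repository listed on this page: build a
# per-attribute change timeline for one AD object from replication metadata.
# Requires the RSAT ActiveDirectory module and a reachable domain controller.
# $Identity in the usage call, the $Server default and $Sensitive are assumptions.
Import-Module ActiveDirectory

function Get-ADObjectChangeTimeline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Identity,          # sAMAccountName, DN or objectGUID
        [string]   $Server = (Get-ADDomain).PDCEmulator,    # any DC works: originating metadata replicates
        [datetime] $Since  = [datetime]::MinValue           # trim the timeline to the incident window
    )

    # Attributes whose modification usually deserves a second look (assumed list; extend for your estate).
    $Sensitive = @('member', 'userAccountControl', 'servicePrincipalName', 'adminCount',
                   'primaryGroupID', 'scriptPath', 'msDS-AllowedToDelegateTo',
                   'msDS-AllowedToActOnBehalfOfOtherIdentity', 'msDS-KeyCredentialLink')

    # Resolve by sAMAccountName first, then fall back to DN/GUID lookup.
    # Single quotes in $Identity are doubled so they cannot break the filter string.
    $safeId = $Identity -replace "'", "''"
    $obj = Get-ADObject -Server $Server -Filter "sAMAccountName -eq '$safeId'" -ErrorAction SilentlyContinue
    if (-not $obj) { $obj = Get-ADObject -Server $Server -Identity $Identity }

    # -ShowAllLinkedValues returns one row per link value (e.g. each group member),
    # including removed links, which carry LastOriginatingDeleteTime.
    Get-ADReplicationAttributeMetadata -Server $Server -Object $obj.DistinguishedName -ShowAllLinkedValues |
        Where-Object { $_.LastOriginatingChangeTime -ge $Since } |
        Sort-Object LastOriginatingChangeTime |
        ForEach-Object {
            $action = 'Modified'
            if ($_.IsLinkValue) {
                $action = if ($null -ne $_.LastOriginatingDeleteTime) { 'LinkRemoved' } else { 'LinkAdded' }
            }
            [pscustomobject]@{
                Time           = $_.LastOriginatingChangeTime
                Attribute      = $_.AttributeName
                Value          = $_.AttributeValue
                Action         = $action
                Version        = $_.Version     # number of originating writes; >1 means earlier values existed
                OriginatingDC  = $_.LastOriginatingChangeDirectoryServerIdentity
                OriginatingUsn = $_.LastOriginatingChangeUsn
                Sensitive      = ($Sensitive -contains $_.AttributeName)
            }
        }
}

# Usage (assumed object and window): sensitive changes to Domain Admins in the last 30 days.
Get-ADObjectChangeTimeline -Identity 'Domain Admins' -Since (Get-Date).AddDays(-30) |
    Where-Object Sensitive |
    Format-Table Time, Attribute, Value, Action, Version, OriginatingDC -AutoSize
```

Two caveats a practitioner should keep in mind: the metadata stores only the last originating change per attribute (per link value for linked attributes), so the previous value of a modified attribute is not recoverable from it, only the fact that it changed and how many times (`Version`); and `OriginatingDC` identifies the DC that accepted the write, which is the Security log to pull when the actor behind the change needs to be established.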
MasterParser is a powerful DFIR tool designed for analyzing and parsing Linux logs
MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIR
Windows 10/11-related research
PowerShell script to help Incident Responders discover potential adversary persistence mechanisms.
PowerShell module for Office 365 and Azure log collection
Invoke-LiveResponse
Collect-MemoryDump - Automated Creation of Windows Memory Snapshots for DFIR
Windows 10 (v1803+) ActivitiesCache.db parsers (SQLite, PowerShell, .EXE)
ThreatHunt is a PowerShell repository that allows you to train your threat hunting skills.
PowerShell module for VMware vSphere forensics
DFIR automation for collecting and analyzing evidence, designed for cybersecurity professionals.
Provides various Windows Server Active Directory (AD) security-focused reports.