Sonar helps you commit clean code every time. With over 225 unique rules to find Python bugs, code smells & vulnerabilities, Sonar finds the issues while you focus on the work. Learn more →
Top 23 threat-hunting Open-Source Projects
-
MISP https://www.misp-project.org/
-
Project mention: Cheap, Fast, Good and Simple Remote Monitoring for Small Environments | reddit.com/r/msp | 2023-05-31
There's all sorts of things you can do for various types of monitoring including Zabbix, Graylog, roll-your-own with Sysmon (see https://github.com/SwiftOnSecurity/sysmon-config), etc. The question becomes one of time - don't get so focused on DIY or free that you spend hours (or pay someone to spend hours) a month babysitting.
-
InfluxDB
Access the most powerful time series database as a service. Ingest, store, & analyze all types of time series data in a fully-managed, purpose-built database. Keep data forever with low-cost storage and superior data compression.
-
dnstwist
Domain name permutation engine for detecting homograph phishing attacks, typo squatting, and brand impersonation
https://dnstwist.it/ - check your domain now
-
ThreatHunter-Playbook
A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient.
-
Project mention: Kali Linux 2023.1 introduces 'Purple' distro for defensive security | reddit.com/r/netsec | 2023-03-14
Utilizing that api and juniper notebooks is exactly why Hunting Elk is the way it from my understanding.
-
Allowed bulk analysis of files as well as observables, leading to a more efficient workflow for IntelOwl users. #1032
-
-
Sonar
Write Clean Python Code. Always.. Sonar helps you commit clean code every time. With over 225 unique rules to find Python bugs, code smells & vulnerabilities, Sonar finds the issues while you focus on the work.
-
-
Project mention: GitHub - kitabisa/teler-waf: teler-waf is a Go HTTP middleware that provide teler IDS functionality with teler IDS to protect against web-based attacks and improve the security of Go-based web applications. It is highly configurable and easy to integrate into existing Go applications. | reddit.com/r/golang | 2023-01-01
You can try teler tho :) - https://github.com/kitabisa/teler
-
I use this one: https://github.com/olafhartong/sysmon-modular
-
malwoverview
Malwoverview is a first response tool used for threat hunting and offers intel information from Virus Total, Hybrid Analysis, URLHaus, Polyswarm, Malshare, Alien Vault, Malpedia, Malware Bazaar, ThreatFox, Triage, InQuest and it is able to scan Android devices against VT.
-
-
Project mention: Exploit Outlook CVE-2023-23397 Yara - to detect .msg files exploiting CVE-2023-23397 in Microsoft Outlook | reddit.com/r/u_Tsofmetasploit | 2023-03-16
-
Samir has great repo for logs with attacks occurred in it, for Windows, MacOS and Network - https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
-
Project mention: APT_REPORT/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf at master · blackorbird/APT_REPORT | reddit.com/r/SecOpsDaily | 2023-02-06
-
Project mention: Yeti: Organize observables, indicators of compromise, TTPs, and threats | news.ycombinator.com | 2022-10-17
-
-
beagle
Beagle is an incident response and digital forensics tool which transforms security logs and data into graphs. (by yampelo)
-
-
Project mention: Scans container images, running Docker containers and filesystems to find indicators of malware | reddit.com/r/kubernetes | 2022-07-11
-
-
matano
Open source cloud-native security lake platform (SIEM alternative) for threat hunting, detection & response, and cybersecurity analytics at petabyte scale on AWS
Project mention: Kali Linux 2023.1 introduces 'Purple' distro for defensive security | reddit.com/r/netsec | 2023-03-14Matano is very promising, and it supports SQL for queries. I suspect they are going to eat Panther's lunch soon.
-
-
ONLYOFFICE
ONLYOFFICE Docs — document collaboration in your environment. Powerful document editing and collaboration in your app or environment. Ultimate security, API and 30+ ready connectors, SaaS or on-premises
NOTE:
The open source projects on this list are ordered by number of github stars.
The number of mentions indicates repo mentiontions in the last 12 Months or
since we started tracking (Dec 2020).
The latest post mention was on 2023-05-31.
threat-hunting related posts
- Cheap, Fast, Good and Simple Remote Monitoring for Small Environments
- APT-Hunter: APT-Hunter is Threat Hunting tool for Windows event logs which made by purple team mindset to provide detect APT movements hidden in the sea of windows event logs to decrease the time to uncover suspicious activity
- Adversarial Interception Mission Oriented Discovery and Disruption Framework, or AIMOD2, is a structured threat hunting approach to proactively identify, engage and prevent cyber threats denying or mitigating potential damage to the organization.
- Foreign Travel Risks
- How do I exclude specific event IDs in Sysmon?
- Splunk & Sysmon as SIEM
- Finding the Process initiating a ping
-
A note from our sponsor - Sonar
www.sonarsource.com | 2 Jun 2023
Index
What are some of the best open-source threat-hunting projects? This list will help you:
| Project | Stars | |
|---|---|---|
| 1 | MISP | 4,401 |
| 2 | sysmon-config | 4,121 |
| 3 | dnstwist | 3,962 |
| 4 | ThreatHunter-Playbook | 3,511 |
| 5 | HELK | 3,505 |
| 6 | IntelOwl | 2,773 |
| 7 | awesome-threat-detection | 2,758 |
| 8 | awesome-yara | 2,712 |
| 9 | teler | 2,441 |
| 10 | sysmon-modular | 2,192 |
| 11 | malwoverview | 2,189 |
| 12 | chainsaw | 2,068 |
| 13 | signature-base | 1,982 |
| 14 | EVTX-ATTACK-SAMPLES | 1,923 |
| 15 | APT_REPORT | 1,809 |
| 16 | yeti | 1,398 |
| 17 | SysmonTools | 1,375 |
| 18 | beagle | 1,212 |
| 19 | BLUESPAWN | 1,100 |
| 20 | YaraHunter | 1,076 |
| 21 | threathunting | 1,053 |
| 22 | matano | 1,022 |
| 23 | whids | 965 |
ONLYOFFICE Docs — document collaboration in your environment
Powerful document editing and collaboration in your app or environment. Ultimate security, API and 30+ ready connectors, SaaS or on-premises
www.onlyoffice.com