windows

85 tools and resources

A cybersecurity platform that offers vulnerability scanning, Windows Defender and third-party AV management, and MFA compliance reporting, among other features.

A next-generation file integrity monitoring and change detection system

A collection of YARA rules for Windows, Linux, and other threats.

A modern tool for Windows kernel exploration and observability with a focus on security.

Vshadow is a command line utility for managing volume shadow copies, with capabilities for evasion, persistence, and file extraction.

RegRippy is a modern Python 3 alternative to RegRipper for extracting data from Windows registry hives.

A tool that collects and displays user activity and system events on a Windows system.

A tool that disables commonly exploited features in Windows and popular applications to reduce the attack surface.

A comprehensive incident response tool for Windows computers, providing advanced memory forensics and access to locked systems.

Drltrace is a dynamic API calls tracer for Windows and Linux applications.

A repository to aid Windows threat hunters in looking for common artifacts.

A Windows Kernel driver intentionally vulnerable to help improve skills in kernel-level exploitation.

Open source application for retrieving passwords stored on a local computer with support for various software and platforms.

An automated and flexible approach for deploying Windows 10 with the security standards set by the DoD.

libregf is a library to access and parse the Windows NT Registry File (REGF) format.

Microsoft BitLocker is a full volume encryption feature in Windows for protecting data on lost or stolen devices, with tools and resources for implementation.

A lab designed for defenders to quickly build a Windows domain pre-loaded with security tooling and best practices in system logging configurations.

An open-source modern Dependency Walker for Windows developers.

Search engine for Windows executable files and hashes, providing insights into file prevalence, behavior, and security information.

A collection of precompiled Windows exploits for privilege escalation.

A write-up on participating in the Red Team for Pacific Rim CCDC 2017, with insights on infrastructure design and competition tips.

Koadic is a COM Command & Control framework using JScript for stealthy and flexible command and control capabilities on Windows systems.

A tool for deleting logs on Linux and Windows servers.

hivex is a Windows Registry hive extraction library that reads and writes Windows Registry 'hive' binary files.

Automated collection tool for incident response triage in Windows systems.

Explores malware interaction with Windows API and methods for detection and prevention.

A wrapper around jNetPcap for packet capturing with Clojure, available for Linux and Windows.

A Windows anti-forensics USB monitoring tool that can shut down the computer when it detects the unplugging of a specified USB device.

A tool that exposes the functionality of the Volume Shadow Copy Service (VSS) for creation, enumeration, and manipulation of volume shadow copies, with features for persistence and evasion.

A tool designed to extract additional value from enterprise-wide AppCompat / AmCache data.

A combination of honeypot, monitoring tool, and alerting system for detecting insecure configurations.

A 32-bit assembler-level analyzing debugger for Microsoft Windows.

Tool to identify and understand code-injection vulnerabilities in Windows 7 UAC whitelist system.

liblnk is a library to access and parse the Windows Shortcut File (LNK) format.

Darkarmour is a Windows AV evasion tool for generating payloads intended to evade antivirus detection.

A suite of console tools for working with timestamps in Windows with 100-nanosecond precision.
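The 100-nanosecond unit mentioned above is the Windows FILETIME tick. As an added example (not code from this catalog or from any tool listed here), the following Python converts between FILETIME, Unix time and ISO 8601 without losing that resolution; the epoch (1601-01-01 UTC), the tick size and the little-endian 64-bit on-disk layout are documented FILETIME facts, and the sample values are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# A FILETIME counts 100-nanosecond "ticks" since 1601-01-01 00:00:00 UTC and is
# stored on disk as an unsigned 64-bit little-endian integer (low DWORD first).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# Ticks between the FILETIME epoch and the Unix epoch: 11644473600 s * 10_000_000.
EPOCH_DIFF_TICKS = 116_444_736_000_000_000


def filetime_from_bytes(raw: bytes) -> int:
    """Decode the 8 raw bytes as they appear in the MFT, registry hives or LNK files."""
    if len(raw) != 8:
        raise ValueError("a FILETIME is exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)
    return ticks


def filetime_to_unix(ticks: int) -> float:
    """Unix timestamp in seconds; the fractional part carries the sub-second ticks."""
    return (ticks - EPOCH_DIFF_TICKS) / TICKS_PER_SECOND


def unix_to_filetime(seconds) -> int:
    """Inverse of filetime_to_unix; ints stay exact, floats round to the nearest tick."""
    return int(round(seconds * TICKS_PER_SECOND)) + EPOCH_DIFF_TICKS


def filetime_to_datetime(ticks: int) -> datetime:
    """Aware UTC datetime. Python datetimes stop at microseconds, so the seventh
    fractional digit (the 100 ns place) is truncated here; filetime_to_iso keeps it."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def filetime_to_iso(ticks: int) -> str:
    """ISO 8601 string with all seven fractional digits, so no precision is lost."""
    whole_seconds, frac_ticks = divmod(ticks, TICKS_PER_SECOND)
    base = FILETIME_EPOCH + timedelta(seconds=whole_seconds)
    return f"{base:%Y-%m-%dT%H:%M:%S}.{frac_ticks:07d}Z"


if __name__ == "__main__":
    # Constructed sample: 2019-01-01T00:00:00Z plus five ticks (500 ns), packed
    # the way it would sit on disk.
    raw = struct.pack("<Q", 131_907_744_000_000_005)
    ft = filetime_from_bytes(raw)
    print(raw.hex(), ft)
    print(filetime_to_iso(ft))          # 2019-01-01T00:00:00.0000005Z
    print(filetime_to_datetime(ft))     # 2019-01-01 00:00:00+00:00 (500 ns dropped)
    print(unix_to_filetime(1546300800) == ft - 5)
```

Forensic tooling that round-trips FILETIME through a language's native datetime type silently loses the last digit; comparing two timestamps for equality after such a conversion can therefore match values that differ on disk, which is why the ISO formatter above works on the raw tick count.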

FLARE-VM is a collection of software installation scripts for Windows systems designed for setting up and maintaining a reverse engineering environment on a virtual machine.

A project with Terraform and Ansible scripts to create an orchestrated BlueTeam Lab for testing attacks and forensic artifacts on Windows environment.

Meerkat is a collection of PowerShell modules for artifact gathering and reconnaissance of Windows-based endpoints.

CrowdStrike Falcon Orchestrator is a Windows-based application for workflow automation and security response.

KFSensor is an advanced Windows honeypot system for detecting hackers and worms by simulating vulnerable system services.

A tool for extracting passwords and performing various Windows security operations.

A comprehensive utility that shows what programs are configured to run during system bootup or login, and when you start various built-in Windows applications.

PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.

CimSweep is a suite of CIM/WMI-based tools for incident response and hunting operations on Windows systems without the need to deploy an agent.

Compares a target's patch level against the Microsoft vulnerability database and detects missing patches.

Cyclops is a browser with XSS detection capabilities.

A technique for abusing SCF files placed on an unauthenticated, writable Windows file share to capture the password hashes of users who browse it.

A repository providing guidance on collecting security-relevant Windows event logs using Windows Event Forwarding (WEF).

A comprehensive Windows command-line reference guide for security professionals, system administrators, and incident responders.

Windows Event Log Analyzer with logon timeline generator and noise reduction for fast forensics.

A pure Python parser for Windows Event Log files with access to File and Chunk headers, record templates, and event entries.

CyLR is a Live Response Collection tool for quickly and securely collecting forensic artifacts from hosts with NTFS file systems.

Windows event log fast forensics timeline generator and threat hunting tool.

A next generation version of enum4linux with enhanced features for enumerating information from Windows and Samba systems.

Enhances Windows OS security through system modifications and settings adjustments.

Cheat sheet with common enumeration and attack methods for Windows Active Directory.

GrokEVT is a tool for reading Windows event log files and converting them to a human-readable format.

DueDLLigence is an open-source shellcode-runner framework that demonstrates DLL hijacking and side-loading against Windows applications, used for application whitelisting bypass.

A discontinued project for Windows system administration that has been archived due to the author's dissatisfaction with the Windows operating system.

A comprehensive cheat sheet for Windows and Linux terminals and command lines, covering essential commands and syntax for various tasks.

A collection of scripts to harden Windows 10 security and privacy

A library to access the Extensible Storage Engine (ESE) Database File (EDB) format used in various Windows applications.

A tool for analyzing the Windows Recycle Bin INFO2 file.

ProcFilter is a process filtering system for Windows with built-in YARA integration, designed for malware analysts to create YARA signatures for Windows environments.

A Sysmon configuration file template with detailed explanations and tutorial-like features.

A comprehensive cheat sheet for accessing Windows systems from Linux hosts using smbclient and rpcclient tools, covering password management, user and group enumeration, and more.

A library to access the Windows New Technology File System (NTFS) format with read-only support for NTFS versions 3.0 and 3.1.

DFIR ORC Documentation provides detailed instructions for setting up the build environment and deploying the tool.

APT Simulator is a tool for simulating a compromised system on Windows.

A workshop offering resources for local privilege escalation on Windows and Linux systems.

A Cross-Platform Forensic Framework for Google Chrome that allows investigation of history, downloads, bookmarks, cookies, and provides a full report.

Semi-tethered jailbreak for iPhone 5s to iPhone X, running iOS 12.0 and up, using the 'checkm8' bootrom exploit.

libevtx is a library to access and parse the Windows XML Event Log (EVTX) format, useful for digital forensics and incident response.

WinSearchDBAnalyzer can parse and recover records in Windows.edb, providing detailed insights into various data types.

A collection of 200 Windows EVTX samples for testing detection scripts and DFIR training.

libfwnt is a library for working with Windows NT data types, providing access and manipulation functions.

A comprehensive guide for system administrators to detect and identify potential security threats on Windows 2000 systems.

Recorded talks from Hack.lu 2018 covering various cybersecurity topics.

libevt is a library to access and parse Windows Event Log (EVT) files.

Extracts resources (bitmaps, icons, cursors, AVI movies, HTML files, and more) from DLL files.

AI-powered assistance feature in Windows for enhanced productivity.

Generate comprehensive reports about Windows systems with detailed system, security, networking, and USB information.