# Awesome-Security-Analyst

This is a curated list of security tools that analysts use on a daily basis for blue teaming.
## MALWARE

Malware, short for malicious software, is a file or piece of code, usually delivered over a network, that infects, explores, steals or otherwise conducts malicious activity on a system. It is a collective term for viruses, trojans and other destructive computer programs, including those used by APT (Advanced Persistent Threat) actors.

| Tool | Description |
| --- | --- |
| VirusTotal | VirusTotal is a free service founded in 2004 that analyses files and URLs for viruses, worms, trojans and other kinds of malicious content. It inspects items with over 70 antivirus scanners and URL/domain blocklisting services, in addition to a myriad of tools that extract signals from the submitted content. Any user can select a file on their computer using their browser and send it to VirusTotal. VirusTotal offers a number of file submission methods, including the primary public web interface, desktop uploaders, browser extensions and a programmatic API. The web interface has the highest scanning priority among the publicly available submission methods. Submissions may be scripted in any programming language using the HTTP-based public API. |
| Hybrid Analysis | Hybrid-Analysis.com is a free, web-based malware analysis service for the community, offering in-depth static and dynamic analysis. |
| AlienVault Open Threat Exchange | The Alien Labs® Open Threat Exchange® (OTX™) is the world's first and largest truly open threat intelligence community. OTX provides access to a global community of threat researchers and security professionals, with more than 100,000 participants in 140 countries, who contribute over 19 million threat indicators daily. OTX allows anyone in the security community to actively discuss, research, validate and share the latest threat data, trends and techniques, thereby helping one another strengthen cyber defences and raise awareness of emerging threats on a global level. |
| Joe Sandbox | Joe Security, founded in 2011 by Stefan Bühlmann, is a Swiss-based, privately owned software development company. Joe Security is the developer of Joe Sandbox, the industry's deepest malware analysis system. Joe Sandbox is actively used by leading CERTs, CIRTs, SOCs, malware analysts and incident responders around the world to defend against malware. Joe Security is one of the first movers in the field of dynamic malware analysis and has invented several unique analysis technologies, including hybrid code analysis and hypervisor-based inspection. |
| ANY.RUN | Interactive online malware analysis service for dynamic and static research of most types of threats in any environment. It replaces a set of research tools. The service can be used for convenient in-depth analysis of new (unidentified) malicious objects, as well as for the investigation of cyber incidents. |
## THREAT INTELLIGENCE

| Tool | Description |
| --- | --- |
| Microsoft Defender Threat Intelligence | Microsoft Defender Threat Intelligence (Defender TI) is a platform that streamlines triage, incident response, threat hunting, vulnerability management and cyber threat intelligence analyst workflows when conducting threat infrastructure analysis and gathering threat intelligence. |
| VirusTotal | VirusTotal is a free service founded in 2004 that analyses files and URLs for viruses, worms, trojans and other kinds of malicious content. It inspects items with over 70 antivirus scanners and URL/domain blocklisting services, in addition to a myriad of tools that extract signals from the submitted content. Any user can select a file on their computer using their browser and send it to VirusTotal. VirusTotal offers a number of file submission methods, including the primary public web interface, desktop uploaders, browser extensions and a programmatic API. The web interface has the highest scanning priority among the publicly available submission methods. Submissions may be scripted in any programming language using the HTTP-based public API. |
| AlienVault Open Threat Exchange | The Alien Labs® Open Threat Exchange® (OTX™) is the world's first and largest truly open threat intelligence community. OTX provides access to a global community of threat researchers and security professionals, with more than 100,000 participants in 140 countries, who contribute over 19 million threat indicators daily. OTX allows anyone in the security community to actively discuss, research, validate and share the latest threat data, trends and techniques, thereby helping one another strengthen cyber defences and raise awareness of emerging threats on a global level. |
| ThreatMiner | ThreatMiner is a threat intelligence portal designed to let analysts do their research under a single interface. It is used in the SANS FOR578 Cyber Threat Intelligence course. API integration is available for many industry-leading platforms, including Malware Information Sharing Platform (MISP), Splunk, Demisto, Rapid7 InsightConnect and IBM Resilient. |
| IBM X-Force Exchange | IBM® X-Force Exchange is a cloud-based threat intelligence sharing platform that you can use to rapidly research the latest global security threats, aggregate actionable intelligence, consult with experts and collaborate with peers. IBM X-Force Exchange, supported by human- and machine-generated intelligence, leverages the scale of IBM X-Force to help users stay ahead of emerging threats. |
| Pulsedive | Pulsedive is a bootstrapped cybersecurity company focused on high-fidelity, high-value threat intelligence solutions that help organisations proactively improve their security posture. Pulsedive ingests millions of IPs, domains and URLs collected from dozens of feeds and user submissions worldwide. With its user community actively submitting new IOCs every day, Pulsedive has data that no one else has. |
## IP/WEB REPUTATION

| Tool | Description |
| --- | --- |
| Cisco Talos Intelligence Group | Cisco Talos Intelligence Group is one of the largest commercial threat intelligence teams in the world, comprised of world-class researchers, analysts and engineers. Talos maintains the official rule sets of Snort.org, ClamAV and SpamCop. |
| VirusTotal | VirusTotal is a free service founded in 2004 that analyses files and URLs for viruses, worms, trojans and other kinds of malicious content. It inspects items with over 70 antivirus scanners and URL/domain blocklisting services, in addition to a myriad of tools that extract signals from the submitted content. Any user can select a file on their computer using their browser and send it to VirusTotal. VirusTotal offers a number of file submission methods, including the primary public web interface, desktop uploaders, browser extensions and a programmatic API. The web interface has the highest scanning priority among the publicly available submission methods. Submissions may be scripted in any programming language using the HTTP-based public API. |
| AbuseIPDB | AbuseIPDB is a project managed by Marathon Studios Inc. It is dedicated to helping systems administrators and webmasters check and report IP addresses that are involved in malicious activity such as spamming, hacking attempts, DDoS attacks, etc. |
| GreyNoise | GreyNoise is a cybersecurity platform that collects and analyses Internet-wide scan and attack traffic. This data is made available through the web-based Visualizer and the GreyNoise APIs so users can contextualise existing alerts, filter false positives, identify compromised devices and track emerging threats. |
| IBM X-Force Exchange | IBM® X-Force Exchange is a cloud-based threat intelligence sharing platform that you can use to rapidly research the latest global security threats, aggregate actionable intelligence, consult with experts and collaborate with peers. IBM X-Force Exchange, supported by human- and machine-generated intelligence, leverages the scale of IBM X-Force to help users stay ahead of emerging threats. |
| BrightCloud by OpenText | BrightCloud was the first threat intelligence platform to harness the cloud and artificial intelligence to stop zero-day threats in real time. The platform is used to secure businesses and their products worldwide with threat intelligence and protection for endpoints and networks. |
## WEB ANALYSIS

| Tool | Description |
| --- | --- |
| urlscan.io | urlscan.io is a free service to scan and analyse websites. When a URL is submitted to urlscan.io, an automated process browses to the URL like a regular user and records the activity that this page navigation creates. This includes the domains and IPs contacted, the resources (JavaScript, CSS, etc.) requested from those domains, as well as additional information about the page itself. urlscan.io takes a screenshot of the page and records the DOM content, JavaScript global variables, cookies created by the page and a myriad of other observations. If the site is targeting the users of one of the more than 900 brands tracked by urlscan.io, it is highlighted as potentially malicious in the scan results. |
| Browserling | Browserling solves the cross-browser testing problem, including SSH tunnels for local testing, responsive testing, screenshots, access to the latest browsers and a headless API. |
| Kasm Workspaces | Streams containerised apps and desktops to end users. The Workspaces platform provides enterprise-class orchestration, data loss prevention and web streaming technology to enable the delivery of containerised workloads to your browser. |
## SANDBOX

| Tool | Description |
| --- | --- |
| ANY.RUN | Interactive online malware analysis service for dynamic and static research of most types of threats in any environment. It replaces a set of research tools. The service can be used for convenient in-depth analysis of new (unidentified) malicious objects, as well as for the investigation of cyber incidents. |
| Browserling | Browserling solves the cross-browser testing problem, including SSH tunnels for local testing, responsive testing, screenshots, access to the latest browsers and a headless API. |
| Hybrid Analysis | Hybrid-Analysis.com is a free, web-based malware analysis service for the community, offering in-depth static and dynamic analysis. |
| CAPE Sandbox | CAPE is an open-source automated malware analysis system. It can be used to automatically run and analyse files and collect comprehensive analysis results that outline what the malware does while running inside an isolated Windows operating system. |
| Joe Sandbox | Joe Security, founded in 2011 by Stefan Bühlmann, is a Swiss-based, privately owned software development company. Joe Security is the developer of Joe Sandbox, the industry's deepest malware analysis system. Joe Sandbox is actively used by leading CERTs, CIRTs, SOCs, malware analysts and incident responders around the world to defend against malware. Joe Security is one of the first movers in the field of dynamic malware analysis and has invented several unique analysis technologies, including hybrid code analysis and hypervisor-based inspection. |
## USEFUL LINKS

Resources:

- The DFIR Report - Real Intrusions by Real Attackers, The Truth Behind the Intrusion
- The Blue Team Notes | Dray Agha
- Blog by Andrea Fortuna
- Weekly Roundup of Digital Forensics and Incident Response News
- TCP/IP cheatsheet
- WTFBins
- CyberChef
- GTFOBins: List of Unix Binaries
- Black Hills Information Security Blog
- Hugs4bugs