Awesome Cybersecurity Blue Team: a collection of resources, tools and more


A cybersecurity blue team is a group of people who identify security flaws in information technology systems, verify the effectiveness of security measures, and monitor systems to ensure that the defensive measures put in place remain effective in the future.

Many cybersecurity professionals, wittingly or unwittingly, enable racist state violence by providing services to local, state and federal policing agencies, or by cooperating with similar institutions that do so. This evil most often happens through the coercive mechanism of employment, under the threat of losing access to food, housing or healthcare. Although this list is publicly available, the maintainers' intention and hope is that it supports the people and organizations working to counter such massive, banal evil.


Automation

  • Ansible Lockdown – Curated collection of information security themed Ansible roles that are both vetted and actively maintained.
  • Clevis – Pluggable framework for automated decryption, often used as a Tang client.
  • DShell – Extensible network forensic analysis framework written in Python that enables rapid development of plugins to support the dissection of network packet captures.
  • Dev-Sec.io – Server hardening framework providing Ansible, Chef, and Puppet implementations of various baseline security configurations.
  • peepdf – Scriptable PDF file analyzer.
  • PyREBox – Python-scriptable reverse engineering sandbox, based on QEMU.
  • Watchtower – Container-based solution for automating Docker container base image updates, providing an unattended upgrade experience.

Code libraries and bindings

  • MultiScanner – File analysis framework written in Python that assists in evaluating a set of files by automatically running a suite of tools against them and aggregating the output.
  • Posh-VirusTotal – PowerShell interface to VirusTotal.com APIs.
  • censys-python – Python wrapper to the Censys REST API.
  • libcrafter – High level C++ network packet sniffing and crafting library.
  • python-dshield – Pythonic interface to the Internet Storm Center/DShield API.
  • python-sandboxapi – Minimal, consistent Python API for building integrations with malware sandboxes.
  • python-stix2 – Python APIs for serializing and de-serializing Structured Threat Information eXpression (STIX) JSON content, plus higher-level APIs for common tasks.

Security Orchestration, Automation, and Response (SOAR)

See also Security Information and Event Management (SIEM), and IR management consoles.

  • Shuffle – Graphical generalized workflow (automation) builder for IT professionals and blue teamers.

Cloud platform security

See also asecure.cloud/tools.

  • Checkov – Static analysis for Terraform (infrastructure as code) to help detect CIS policy violations and prevent cloud security misconfiguration.
  • Falco – Behavioral activity monitor designed to detect anomalous activity in containerized applications, hosts, and network packet flows by auditing the Linux kernel and enriched by runtime data such as Kubernetes metrics.
  • Istio – Open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data.
  • Kata Containers – Secure container runtime with lightweight virtual machines that feel and perform like containers, but provide stronger workload isolation using hardware virtualization technology as a second layer of defense.
  • Managed Kubernetes Inspection Tool (MKIT) – Query and validate several common security-related configuration settings of managed Kubernetes cluster objects and the workloads/resources running inside the cluster.
  • Prowler – Tool based on AWS-CLI commands for Amazon Web Services account security assessment and hardening.
  • Scout Suite – Open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments.
  • gVisor – Application kernel, written in Go, that implements a substantial portion of the Linux system surface to provide an isolation boundary between the application and the host kernel.

Communications security (COMSEC)

See also Transport-layer defenses.

  • GPG Sync – Centralize and automate OpenPGP public key distribution, revocation, and updates amongst all members of an organization or team.
  • Geneva (Genetic Evasion) – Novel experimental genetic algorithm that evolves packet-manipulation-based censorship evasion strategies against nation-state level censors to increase availability of otherwise blocked content.

DevSecOps

See also awesome-devsecops.

  • Bane – Custom and better AppArmor profile generator for Docker containers.
  • BlackBox – Safely store secrets in Git/Mercurial/Subversion by encrypting them “at rest” using GnuPG.
  • Cilium – Open source software for transparently securing the network connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes.
  • Clair – Static analysis tool to probe for vulnerabilities introduced via application container (e.g., Docker) images.
  • CodeQL – Discover vulnerabilities across a codebase by performing queries against code as though it were data.
  • DefectDojo – Application vulnerability management tool built for DevOps and continuous security integration.
  • Gauntlt – Pentest applications during routine continuous integration build pipelines.
  • Git Secrets – Prevents you from committing passwords and other sensitive information to a git repository.
  • SOPS – Editor of encrypted files that supports YAML, JSON, ENV, INI and binary formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, and PGP.
  • Snyk – Finds and fixes vulnerabilities and license violations in open source dependencies and container images.
  • SonarQube – Continuous inspection tool that provides detailed reports during automated testing and alerts on newly introduced security vulnerabilities.
  • Trivy – Simple and comprehensive vulnerability scanner for containers and other artifacts, suitable for use in continuous integration pipelines.
  • Vault – Tool for securely accessing secrets such as API keys, passwords, or certificates through a unified interface.
  • git-crypt – Transparent file encryption in git; files which you choose to protect are encrypted when committed, and decrypted when checked out.

Application or Binary Hardening

  • DynInst – Tools for binary instrumentation, analysis, and modification, useful for binary patching.
  • DynamoRIO – Runtime code manipulation system that supports code transformations on any part of a program, while it executes, implemented as a process-level virtual machine.
  • Egalito – Binary recompiler and instrumentation framework that can fully disassemble, transform, and regenerate ordinary Linux binaries designed for binary hardening and security research.
  • Valgrind – Instrumentation framework for building dynamic analysis tools.

Compliance testing and reporting

  • Chef InSpec – Language for describing security and compliance rules, which become automated tests that can be run against IT infrastructures to discover and report on non-compliance.
  • OpenSCAP Base – Both a library and a command line tool (oscap) used to evaluate a system against SCAP baseline profiles to report on the security posture of the scanned system(s).

Fuzzing

See also Awesome-Fuzzing.

  • FuzzBench – Free service that evaluates fuzzers on a wide variety of real-world benchmarks, at Google scale.
  • OneFuzz – Self-hosted Fuzzing-as-a-Service (FaaS) platform.

Policy enforcement

  • OpenPolicyAgent – Unified toolset and framework for policy across the cloud native stack.
  • Tang – Server for binding data to network presence; provides data to clients only when they are on a certain (secured) network.

Honeypots

See also awesome-honeypots.

  • CanaryTokens – Self-hostable honeytoken generator and reporting dashboard; demo version available at CanaryTokens.org.
  • Kushtaka – Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.

Tarpits

  • Endlessh – SSH tarpit that slowly sends an endless banner.
  • LaBrea – Program that answers ARP requests for unused IP space, creating the appearance of fake machines that answer further requests very slowly in order to slow down scanners, worms, etcetera.

Host-based tools

  • Artillery – Combination honeypot, filesystem monitor, and alerting system designed to protect Linux and Windows operating systems.
  • chkrootkit – Locally checks for signs of a rootkit on GNU/Linux systems.
  • Crowd Inspect – Free tool for Windows systems aimed to alert you to the presence of malware that may be communicating over the network.
  • Fail2ban – Intrusion prevention software framework that protects computer servers from brute-force attacks.
  • Open Source HIDS SECurity (OSSEC) – Fully open source and free, feature-rich, Host-based Intrusion Detection System (HIDS).
  • Rootkit Hunter (rkhunter) – POSIX-compliant Bash script that scans a host for various signs of malware.

Sandboxes

  • Firejail – SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf.

Incident Response tools

See also awesome-incident-response.

  • LogonTracer – Investigate malicious Windows logon by visualizing and analyzing Windows event log.
  • Volatility – Advanced memory forensics framework.
  • aws_ir – Automates your incident response with zero security preparedness assumptions.

IR management consoles

See also Security Orchestration, Automation, and Response (SOAR).

  • CIRTKit – Scriptable Digital Forensics and Incident Response (DFIR) toolkit built on Viper.
  • Fast Incident Response (FIR) – Cybersecurity incident management platform allowing for easy creation, tracking, and reporting of cybersecurity incidents.
  • Rekall – Advanced forensic and incident response framework.
  • TheHive – Scalable, free Security Incident Response Platform designed to make life easier for SOCs, CSIRTs, and CERTs, featuring tight integration with MISP.
  • threat_note – Web application built by Defense Point Security to allow security researchers the ability to add and retrieve indicators related to their research.

Evidence collection

  • AutoMacTC – Modular, automated forensic triage collection framework designed to access various forensic artifacts on macOS, parse them, and present them in formats viable for analysis.
  • OSXAuditor – Free macOS computer forensics tool.
  • OSXCollector – Forensic evidence collection & analysis toolkit for macOS.
  • ir-rescue – Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.
  • Margarita Shotgun – Command line utility (that works with or without Amazon EC2 instances) to parallelize remote memory acquisition.

Network perimeter defenses

  • Gatekeeper – First open source Distributed Denial of Service (DDoS) protection system.
  • fwknop – Protects ports via Single Packet Authorization in your firewall.
  • ssh-audit – Simple tool that makes quick recommendations for improving an SSH server’s security posture.

Firewall appliances or distributions

  • OPNsense – FreeBSD based firewall and routing platform.
  • pfSense – Firewall and router FreeBSD distribution.

Operating System distributions

Phishing awareness and reporting

See also awesome-pentest § Social Engineering Tools.

  • CertSpotter – Certificate Transparency log monitor from SSLMate that alerts you when an SSL/TLS certificate is issued for one of your domains.
  • Gophish – Powerful, open-source phishing framework that makes it easy to test your organization’s exposure to phishing.
  • King Phisher – Tool for testing and promoting user awareness by simulating real world phishing attacks.
  • NotifySecurity – Outlook add-in used to help your users to report suspicious e-mails to security teams.
  • Phishing Intelligence Engine (PIE) – Framework that will assist with the detection and response to phishing attacks.
  • Swordphish – Platform that allows you to create and manage (fake) phishing campaigns intended to train people in identifying suspicious mails.
  • mailspoof – Scans SPF and DMARC records for issues that could allow email spoofing.
  • phishing_catcher – Configurable script to watch for issuances of suspicious TLS certificates by domain name in the Certificate Transparency Log (CTL) using the CertStream service.

Preparedness training and wargaming

(Also known as adversary emulation, threat simulation, or similar.)

  • APTSimulator – Toolset to make a system look as if it was the victim of an APT attack.
  • Atomic Red Team – Library of simple, automatable tests to execute for testing security controls.
  • DumpsterFire – Modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events for Blue Team drills and sensor/alert mapping.
  • Metta – Automated information security preparedness tool to do adversarial simulation.
  • Network Flight Simulator (flightsim) – Utility to generate malicious network traffic and help security teams evaluate security controls and audit their network visibility.
  • RedHunt OS – Ubuntu-based Open Virtual Appliance (.ova) preconfigured with several threat emulation tools as well as a defender’s toolkit.

Security monitoring

Endpoint Detection and Response (EDR)

  • Wazuh – Open source, multiplatform agent-based security monitoring based on a fork of OSSEC HIDS.

Network Security Monitoring (NSM)

See also awesome-pcaptools.

  • ChopShop – Framework to aid analysts in the creation and execution of pynids-based decoders and detectors of APT tradecraft.
  • Maltrail – Malicious network traffic detection system.
  • Moloch – Augments your current security infrastructure to store and index network traffic in standard PCAP format, providing fast, indexed access.
  • OwlH – Helps manage network IDS at scale by visualizing Suricata, Zeek, and Moloch life cycles.
  • Real Intelligence Threat Analysis (RITA) – Open source framework for network traffic analysis that ingests Zeek logs and detects beaconing, DNS tunneling, and more.
  • Respounder – Detects the presence of the Responder LLMNR/NBT-NS/MDNS poisoner on a network.
  • Snort – Widely-deployed, Free Software IPS capable of real-time packet analysis, traffic logging, and custom rule-based triggers.
  • SpoofSpotter – Catch spoofed NetBIOS Name Service (NBNS) responses and alert to an email or log file.
  • Stenographer – Full-packet-capture utility for buffering packets to disk for intrusion detection and incident response purposes.
  • Suricata – Free, cross-platform, IDS/IPS with on- and off-line analysis modes and deep packet inspection capabilities that is also scriptable with Lua.
  • Tsunami – General purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence.
  • VAST – Free and open-source network telemetry engine for data-driven security investigations.
  • Wireshark – Free and open-source packet analyzer useful for network troubleshooting or forensic netflow analysis.
  • Zeek – Powerful network analysis framework focused on security monitoring, formerly known as Bro.
  • netsniff-ng – Free and fast GNU/Linux networking toolkit with numerous utilities such as a connection tracking tool (flowtop), traffic generator (trafgen), and autonomous system (AS) trace route utility (astraceroute).

Security Information and Event Management (SIEM)

  • AlienVault OSSIM – Single-server open source SIEM platform featuring asset discovery, asset inventorying, behavioral monitoring, and event correlation, driven by AlienVault Open Threat Exchange (OTX).
  • Prelude SIEM OSS – Open source, agentless SIEM with a long history and several commercial variants featuring security event collection, normalization, and alerting from arbitrary log input and numerous popular monitoring tools.

Service and performance monitoring

See also awesome-sysadmin#monitoring.

  • Icinga – Modular redesign of Nagios with pluggable user interfaces and an expanded set of data connectors, collectors, and reporting tools.
  • Locust – Open source load testing tool in which you can define user behaviour with Python code and swarm your system with millions of simultaneous users.
  • Nagios – Popular network and service monitoring solution and reporting platform.
  • OpenNMS – Free and feature-rich network monitoring system supporting multiple configurations, a variety of alerting mechanisms (email, XMPP, SMS), and numerous data collection methods (SNMP, HTTP, JDBC, etc.).
  • osquery – Operating system instrumentation framework for macOS, Windows, and Linux, exposing the OS as a high-performance relational database that can be queried with a SQL-like syntax.
  • Zabbix – Mature, enterprise-level platform to monitor large-scale IT environments.

Threat hunting

(Also known as hunt teaming and threat detection.)

See also awesome-threat-detection.

  • CimSweep – Suite of CIM/WMI-based tools enabling remote incident response and hunting operations across all versions of Windows.
  • DeepBlueCLI – PowerShell module for hunt teaming via Windows Event logs.
  • GRR Rapid Response – Incident response framework focused on remote live forensics consisting of a Python agent installed on assets and Python-based server infrastructure enabling analysts to quickly triage attacks and perform analysis remotely.
  • Hunting ELK (HELK) – All-in-one Free Software threat hunting stack based on Elasticsearch, Logstash, Kafka, and Kibana with various built-in integrations for analytics including Jupyter Notebook.
  • MozDef – Automate the security incident handling process and facilitate the real-time activities of incident handlers.
  • PSHunt – PowerShell module designed to scan remote endpoints for indicators of compromise or survey them for more comprehensive information related to state of those systems.
  • PSRecon – PSHunt-like tool for analyzing remote Windows systems that also produces a self-contained HTML report of its findings.
  • PowerForensics – All in one PowerShell-based platform to perform live hard disk forensic analysis.
  • rastrea2r – Multi-platform tool for triaging suspected IOCs on many endpoints simultaneously and that integrates with antivirus consoles.
  • Redline – Freeware endpoint auditing and analysis tool that provides host-based investigative capabilities, offered by FireEye, Inc.

Threat intelligence

See also awesome-threat-intelligence.

  • Active Directory Control Paths – Visualize and graph Active Directory permission configs (“control relations”) to audit questions such as “Who can read the CEO’s email?” and similar.
  • AttackerKB – Free and public crowdsourced vulnerability assessment platform to help prioritize high-risk patch application and combat vulnerability fatigue.
  • DATA – Credential phish analysis and automation tool that can accept suspected phishing URLs directly or trigger on observed network traffic containing such a URL.
  • Forager – Multi-threaded threat intelligence gathering built with Python3 featuring simple text-based configuration and data storage for ease of use and data portability.
  • GRASSMARLIN – Provides IP network situational awareness of industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) by passively mapping, accounting for, and reporting on your ICS/SCADA network topology and endpoints.
  • MLSec Combine – Gather and combine multiple threat intelligence feed sources into one customizable, standardized CSV-based format.
  • Malware Information Sharing Platform and Threat Sharing (MISP) – Open source software solution for collecting, storing, distributing and sharing cyber security indicators.
  • ThreatIngestor – Extendable tool to extract and aggregate IOCs from threat feeds including Twitter, RSS feeds, or other sources.
  • Unfetter – Identifies defensive gaps in security posture by leveraging Mitre’s ATT&CK framework.
  • Viper – Binary analysis and management framework enabling easy organization of malware and exploit samples.

Tor Onion service defenses

See also awesome-tor.

  • OnionBalance – Provides load-balancing while also making Onion services more resilient and reliable by eliminating single points-of-failure.
  • Vanguards – Version 3 Onion service guard discovery attack mitigation script (intended for eventual inclusion in Tor core).

Transport-layer defenses

  • Certbot – Free tool to automate the issuance and renewal of TLS certificates from the LetsEncrypt Root CA with plugins that configure various Web and e-mail server software.
  • MITMEngine – Golang library for server-side detection of TLS interception events.
  • OpenVPN – Open source, SSL/TLS-based virtual private network (VPN).
  • Tor – Censorship circumvention and anonymizing overlay network providing distributed, cryptographically verified name services (.onion domains) to enhance publisher privacy and service availability.

macOS-based defenses

See also drduh/macOS-Security-and-Privacy-Guide.

  • BlockBlock – Monitors common persistence locations and alerts whenever a persistent component is added, which helps to detect and prevent malware installation.
  • LuLu – Free macOS firewall.
  • Santa – Keep track of binaries that are naughty or nice in an allow/deny-listing system for macOS.
  • Stronghold – Easily configure macOS security settings from the terminal.
  • macOS Fortress – Automated configuration of kernel-level, OS-level, and client-level security features including privatizing proxying and anti-virus scanning for macOS.

Windows-based defenses

See also awesome-windows#security and awesome-windows-domain-hardening.

  • HardenTools – Utility that disables a number of risky Windows features.
  • NotRuler – Detect both client-side rules and VBScript enabled forms used by the Ruler attack tool when attempting to compromise a Microsoft Exchange server.
  • Sandboxie – Free and open source general purpose Windows application sandboxing utility.
  • Sigcheck – Audit a Windows host’s root certificate store against Microsoft’s Certificate Trust List (CTL).
  • Sticky Keys Slayer – Establishes a Windows RDP session from a list of hostnames and scans for accessibility tools backdoors, alerting if one is discovered.
  • Windows Secure Host Baseline – Group Policy objects, compliance checks, and configuration tools that provide an automated and flexible approach for securely deploying and maintaining the latest releases of Windows 10.
  • WMI Monitor – Log newly created WMI consumers and processes to the Windows Application event log.

GitHub project

awesome-cybersecurity-blueteam
