Wednesday, November 14, 2018

Free Risk Assessment Tool - Titania

Risk Assessment Tool:

                                 is a quick to implement, easy to use tool that helps you lock down your workstations and servers against attack. Discover new vulnerabilities (that others might find) & harden your network today.

Cyber Essentials, the inspiration for our Risk Assessment Tool, is a Government-backed and industry supported scheme to guide businesses in protecting themselves from cyber threats. It is derived from years of research on business breaches - which resulted in practical, easy to implement actions removing up to 80% of your cyber risk.

The five controls, designed to maximise protection of your business are: 
  •     Boundary Firewalls and Internet Gateways
  •     Secure Configuration
  •     Access Control
  •     Malware Protection
  •     Patch Management

Despite its relative simplicity, basic knowledge of information security is required to understand and complete the Cyber Essentials self-assessment questionnaire (both in language and practice). This knowledge is something many businesses either don’t have or is it costly to hire (IT experts are often busy, costly or both!).

Titania’s automated audits help at every step, our free Risk Assessment Tool is simple enough for SME’s and our enterprise tools (Paws and Nipper Studio) will accelerate compliance, cut costs and free up your experts for the many projects on their “to do” list...

Lancaster University study of Cyber Essentials found:

“This, more than anything else should be understood by SMEs, taking no action to combat cyber threats simply isn’t an option. With Cyber Essentials tools, more than 99% of the vulnerabilities in SMEs interviewed were mitigated.”

Download Link : https://www.titania.com/downloads/riskassessmenttool-1.3.291-win64.exe

Ref / Key Link : https://www.titania.com/customers/bonus-tools/risk-assessment-tool

Tuesday, October 30, 2018

YARA - Rule Management

YaraGuardian

 

A django web interface for managing Yara rules. The manager enables users to:

* Search for specific rules based on rule characteristics
* Categorize and organize rules easily and in bulk
* Make bulk edits on desired/filtered rules
* Track characteristics of the entire rule repository
* Automatically prevent and detect duplicate entries
 
 
 
Ref / Download Link : https://github.com/PUNCH-Cyber/YaraGuardian
 

YaraManager

 

Web based Manager for Yara Rules.

Ref / Download Link : https://github.com/kevthehermit/YaraManager

YaraEditor:


Web is a powerful website framework to write, test and organize your Yara rules. It features syntax highlighting, team collaboration features and publishing workflow.





 
FEATURES
  • Self-hosted solution (PHP/Mysql server needed)
  • Can run on Synology NAS (with Web Station)
  • REST API (submit, delete, update, get), with API Key
  • Authentication with modified UserCake library
  • Users Rights management
  • Easy to customize, with only one config file to change
  • Files management (creation/edition/removal)
  • Files exports
  • Rules management (creation/edition/removal)
  • Rules viewer
  • Rules export
  • Rules import
  • Give a name on rules/files copy
  • Stats page
  • Search page (with magic field)
  • Permissions (contributor, publisher, ...)
  • History page
  • Recycle Bin
  • Syntax check (with yara pythong)
  • Rule test (with yara pythong)
  • Tests page (string -ANSI/UNICODE-, Hex strings, Files -local storage-)
  • User comments (with conversations)

 Ref  / Download Link : https://github.com/Tigzy/yaraeditor

Plyara:


is a script and library that lexes and parses a file consisting of one more YARA rules into a python dictionary representation. The goal of this tool is to make it easier to perform bulk operations or transformations of large sets of YARA rules, such as extracting indicators, updating attributes, and analyzing a corpus. Other applications include linters and dependency checkers.

Ref / Download Link : https://plyara.readthedocs.io/en/latest/





Monday, September 17, 2018

Free / Open Source Compromise Assessment Tools

OTX ( Open Threat Exchange ):

 

                                     AlienVault provides OTX Endpoint Threat Hunter and its free, fast, and simple.


AlienVault threat hunting service delivers as much threat intelligence power as OTX Endpoint Threat Hunter. It is the Open & free service that natively uses the community-powered threat intelligence of OTX to scan your endpoints for known indicators of compromise (IOCs).

OTX Endpoint Threat Hunter uses the same agent-based approach as expensive endpoint security tools and DIY open source agents without the expense, complexity, or guesswork. 


How It Works
  • OTX Endpoint Threat Hunter is available to any registered Open Threat Exchange (OTX) user. It’s free to join OTX.
  • To get started, download and install the AlienVault® Agent on the Windows or Linux devices you want to monitor. The AlienVault Agent is immediately ready to find threats.
  • You can launch a query on any endpoint from OTX by selecting a pre-defined query that looks for IOCs in one or more OTX pulses.
  • Once launched, the AlienVault Agent executes the query, and the results of the query display on a summary page within OTX.


CERTitude:

 

       is a Python-based tool which aims at assessing the compromised perimeter during incident response assignments. It allows analysts to perform large scale scans of Windows-based information systems by searching for behavioral patterns described in IOC (Indicator of Compromise) files. The tool is currently composed of two main components:
  • The Python Flask-based web interface, used to configure the scans and visualize their results;
  • The scanner that connects to remote targets and runs the search for IOCs.
CERTitude is an open-source tool developed by the CERT-Wavestone. It is brought to you freely, but user support is only provided on a best-effort basis.

Compatibility

CERTitude is compatible with a wide range of target Windows operating systems, from XP / 2003 to Windows 10 / Server 2016. Though CERTitude can be run from a Linux host, it is only fully supported on Windows as some features may not be implemented on Linux.

Features:

  • Ability to scan hosts in a way that prevents the target workstation from knowing what the investigator is searching for
  • Ability to retrieve some pieces of data from the hosts
  • Multiple scanner instances (for IOCs and/or hash scans) can be run at the same time for parallel scanning
  • Built with security considerations in mind (protected database, secure communications with hosts using IPSec)


 

 


Monday, September 10, 2018

Free and open-source threat intelligence Feeds / Tools / Frameworks

GOSINT:
              framework is a project used for collecting, processing, and exporting high quality indicators of compromise (IOCs).

GOSINT allows a security analyst to collect and standardize structured and unstructured threat intelligence.

Applying threat intelligence to security operations enriches alert data with additional confidence, context, and co-occurrence. This means that you apply research from third parties to security event data to identify similar, or identical, indicators of malicious behavior. The framework is written in Go with a JavaScript frontend.



 Download Link : https://github.com/ciscocsirt/gosint / https://gosint.readthedocs.io/en/latest/index.html

Threatfeeds.io:

                           It's a another Free and open-source threat intelligence feeds.


Ref Link : https://threatfeeds.io/

Yeti:
       is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository. Yeti will also automatically enrich observables (e.g. resolve domains, geolocate IPs) so that you don't have to. Yeti provides an interface for humans (shiny Bootstrap-based UI) and one for machines (web API) so that your other tools can talk nicely to it.  


Quick install (the command we all love)
$ curl https://raw.githubusercontent.com/yeti-platform/yeti/master/extras/ubuntu_bootstrap.sh | sudo /bin/bash 

 Ref Link : https://yeti-platform.github.io/

TC ( Threat Connect ) Open: 

                                     is a completely free way for individual researchers to get started with threat intelligence. TC Open allows you to see and share open source threat data, with support and validation from our free community.



  • Access to 100+ open source intelligence feeds (OSINT)
  • Access to threat, incident, and adversary data
  • Ability to collaborate or consume active and historic indicators, incidents, and threats
  • Validate your findings with peers in the ThreatConnect Common Community
ThreatConnect wants as many cyber professionals to get into the habit of sharing threat data and intelligence with one another as possible. Together, we are much stronger and more likely to thwart adversaries. We created TC Open to be a completely free, non-threatening way to get started. It is perfect for individual researchers who are just starting and experienced professionals, alike.

Request Link : https://www.threatconnect.com/free/



Monday, August 27, 2018

Active Directory (AD) Security audit tool - PingCastle

PingCastle:

   is a free, Windows-based utility to audit the risk level of your AD infrastructure and check for vulnerable practices.

How its Works :

 


You can run it on an ad-hoc basis to generate a detailed HTML report, but that's just the tip of the iceberg. It can be used to schedule reports and email them (or push them to webdav shares), create spreadsheets, or even automatically create PowerPoint presentations of the data.


PingCastle AD Security Maturity Model:







It's a simple zipped download that you can just run as a normal domain user, no install required.




 https://www.pingcastle.com/PingCastleFiles/PingCastle_2.5.1.0.zip

How to Execute / Run :

https://www.pingcastle.com/download/command-line-mode/

Tuesday, August 14, 2018

Free Indicators of Compromise (IOC) Tools - FireEye

IOC Finder

FireEye Indicators of Compromise (IOC) Finder is a free tool for collecting host system data and reporting the presence of IOCs. IOCs are open-standard XML documents that help incident responders capture diverse information about threats.


The IOC Finder features:
  • Collection of full data, sufficient for general IOC matching requirements
  • Usage of a portable storage device for collection from multiple hosts
  • IOC hit reporting in simple text, full HTML and full MS Word XML formats
  • Generation of reports for specific hosts or all hosts

Download Link : https://www.fireeye.com/services/freeware/ioc-finder.html

IOC Editor

 
FireEye Indicators of Compromise (IOC) Editor is a free tool that provides an interface for managing data and manipulating the logical structures of IOCs. IOCs are XML documents that help incident responders capture diverse information about threats, including attributes of malicious files, characteristics of registry changes and artifacts in memory.

The IOC Editor includes:
  • Manipulation of the logical structures that define the IOC
  • Application of meta-information to IOCs, including detailed descriptions or arbitrary labels
  • Conversion of IOCs into XPath filters
  • Management of lists of “terms” used within IOCs
 Download Link : https://www.fireeye.com/services/freeware/ioc-editor.html

IOC Writer

IOC Writer provide a python library that allows for basic creation and editing of OpenIOC objects.

Provide a python library that allows for basic creation and editing of OpenIOC objects. It supports a basic CRUD (Create, Read, Update, Delete) for various items.
Items do not have built in Read operations, since all items can be accesed with built in ElementTree syntax or the use of XPATH to select portions of the IOC.

Download Link : https://github.com/mandiant/ioc_writer























































Friday, August 10, 2018

Packet Capture ( PCAP ) File Analysis Tools

PacketTotal:

                  allows you to upload a PCAP, or packet capture, file and have it automatically analyzed and parsed against BRO IDS and Suricata signatures in order to provide information on what may have been detected in the capture file.

                         


URL : https://packettotal.com/

Microsoft Message Analyzer:

 is the successor to Microsoft Network Monitor. It is helpful in capturing, displaying, and analyzing protocol messaging traffic and other system messages. It is not only an effective tool for troubleshooting network issues, but for testing and verifying protocol implementations as well.
                  




              

Message Analyzer can certainly be used to analyze .pcap files.  The tool is generic and not specific to Microsoft, but certainly more focus is put on the Windows scenarios so Microsoft related parsers are kept up to date.  However, you can analyze virtually any kind of data, going beyond network captures like EVT, ETW, CSV and many more.

Tools -> Options -> Parsing

Download Link : https://www.microsoft.com/en-in/download/details.aspx?id=44226

CapAnalysis:

               is a web visual tool for information security specialists, system administrators and everyone who needs to analyze large amounts of captured network traffic.