Top Rating
- Top Contributors
  Discover the Top Open Source contributors by country or by language
- Interviews
  Discover real stories from Open Source developers
Discover

Discover your Favorite Language
Discover the top trending repositories and projects on Github. Explore the latest trends in your preferred languages.

CoffeeScript

HTML

Lua

Elixir

Rust

PHP

Clojure

MATLAB

More Languages
Awesome

Awesome repositories
Discover the most awesome repositories and projects of your favorite languages. Inspired by the Awesome-* lists trend in GitHub.

Swift

C#

Elm

Erlang

Dart

Racket

Rust

Nix

More Languages
By Country

Rankings by Country
Discover the community of talented open source contributors in each country.

🇦🇬 Antigua and Barbuda

🇾🇪 Yemen

🇬🇷 Greece

🇹🇰 Tokelau

🇬🇺 Guam

🇷🇪 Réunion

🇸🇿 Eswatini

All Countries Compare Countries

activecm/threat-tools

Stars
166
Rank 227,748 (Top 5 %)
Language
Python
License
GNU General Publi...
Created over 3 years ago
Updated about 1 year ago

activecm/threat-tools

activecm

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Tools for simulating threats

threat-tools

Tools for simulating threats

beacon-simulator permits you to mimic a compromised system calling home to a command and control (C2) server. This tool will not exfiltrate any data, but is designed to test an environment's ability to detect a wide range of C2 channels. It should be pointed at an Internet IP address that you control (like a cloud instance).

Some command examples:

./beacon-simulator.sh 192.168.0.1 443 150 12
./beacon-simulator.sh 192.168.0.7 53 200 10 udp

Run the script without switches to access the online help.
Note: the standard netcat/nc tools included with Linux do not always handle timeouts well, expecially with UDP. Please install ncat (commonly found in a package called "ncat", or if not, as part of the "nmap" package). beacon-simulator will prefer to use this if it's installed.

python3 ./beacon_simulator.py -ip 192.168.0.5 -p 2000 -i 10 -j 3 -m 1024
python3 ./beacon_simulator.py -ip 192.168.0.5 -p 2000 --interval 120 --jitter 12 --max_payload 1024 --tcp
On your client device: python3 ./tcp_client.py
On your mock C2 server device: python3 ./tcp_server.py

For using the client/server python scripts they work in pairs. The UDP Client script works with the UDP Server script and the TCP Client script works with the TCP Server script. The client/server scripts require some manual configuration within the scripts. You will have to put the destination IP(s) at “server = [your.server.goes.here]”. The port that the scripts are running on by default is 9000 but it can be changed at the line with “PORT = 9000” or “SERVER_PORT = 9000”. This script should scale to as many destinations as you would like to have. Each script has a printout of each message that is sent, received, and counts the number of beacons that have currently been sent out. By default the number of bytes sent for each beacon is a random number between 0 and 1200. This can be changed at the line with “m = random.randint(0,1200)”. By default the beaconing interval is between 30 and 60 seconds. This can be changed at the line with “rsleep = random.randint(30,60)”. The client/server scripts have a comment on most of the lines with a brief description of its purpose if you are unsure of it.

rita-legacy

Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.

BeaKer

Beacon Kibana Executable Report. Aggregates Sysmon Network Events With Elasticsearch and Kibana

passer

Passive service locator, a python sniffer that identifies servers, clients, names and much more

rita

Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.

threat-hunting-labs

Collection of walkthroughs on various threat hunting techniques

espy

Endpoint detection for remote hosts for consumption by RITA and Elasticsearch

docker-zeek

Run zeek with zeekctl in docker

smudge

Passive OS detection based on SYN packets without Transmitting any Data

pcap-stats

Learn about a network from a pcap file or reading from an interface

bro-install

An Installation Script for Bro IDS on Debian Based Systems

zcutter

Extracts fields from zeek logs, compatible with zeek-cut

devprof

Device profile: Define acceptable amounts of traffic for your devices and see a report of outliers.

sniffer-template

Template for building a packet sniffer

zeek-open-connections

ipfix-rita

Collect IPFIX / Netflow v9 Records and Ship them to RITA for Analysis

rita-bl

Real Intelligence Threat Analytics -- Blacklist Database

mongo-diff

A Python script for diff'ing mongo databases

zeekcfg

A node.cfg generator for zeekctl

zeek-log-transport

This script ships logs from Zeek to AC-Hunter

pi_show

Python script/library for displaying text and graphics on Raspberry Pi PiOled Hat

shell-lib

Shell Scripts Used Across ActiveCM Projects

certificate-issues

Identifies certificate problems from Zeek ssl log files

pi_project_installer

A support library and set of scripts to simplify installing software on the Raspberry Pi/Raspbian

rita-blacklist

Real Intelligence Threat Analytics -- Blacklist Database

mgosec

A Small Helper Library For Securing MongoDB Connections with Golang

bro-rita

A bro plugin for writing log data to MongoDB for use with RITA

safelist-tools

Tools for working with the safelist (formerly whitelist)

docker-ca

A Docker Image For OpenSSL Certificate Authorities (For Testing)

pcap-resources

Support files and tools for pcap analysis and packet capture

zeek-log-clean

Delete Zeek log files until disk usage is under a given threshold

save_json_stream

JSON TCP stream importer for RITA and AC-Hunter

DBTest

Managed Integration Testing Dependencies via Docker for Go

bro-rita-test

Compares bro-rita against rita's built in parsing

bro-mongodb