Discover mandiant/mandiant_managed_hunting Open Source project

A collection of software installations scripts for Windows systems that allows you to easily setup and maintain a reverse engineering environment on a VM.

6,897

flare-vm

The FLARE team's open-source tool to identify capabilities in executable files.

6,334

capa

FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.

4,775

flare-floss

3,155

red_team_tool_countermeasures

IDA Pro utilities from FLARE team

2,639

flare-ida

FakeNet-NG - Next Generation Dynamic Network Analysis Tool

2,031

flare-fakenet-ng

Windows kernel and user mode emulation.

1,677

speakeasy

Threat Pursuit Virtual Machine (VM): A fully customizable, open-sourced Windows-based distribution focused on threat intelligence analysis and hunting designed for intel and malware analysts as well as threat hunters to get up and running quickly.

1,290

SharPersist

1,213

ThreatPursuit-VM

GoCrack is a management frontend for password cracking tools written in Go

1,204

gocrack

1,101

flare-emu

A machine learning tool that ranks strings based on their relevance for malware analysis.

735

stringsifter

672

SilkETW

641

Mandiant-Azure-AD-Investigator

Azure_Workshop

sunburst_countermeasures

The FLARE team's open-source extension to add Python 3 scripting to Ghidra.

561

Ghidrathon

Java

556

capa-rules

Standard collection of rules for capa: the tool for enumerating the capabilities of programs

528

ReelPhish

FireEye Publicly Shared Indicators of Compromise (IOCs)

493

iocs

458

DueDLLigence

450

FIDL

A sane API for IDA Pro's decompiler. Useful for malware RE and vulnerability research

flare-wmi

GoReSym

Go symbol recovery tool

379

rvmi

rVMI - A New Paradigm For Full System Analysis

352

PwnAuth

IDA Pro loader and processor modules for WebAssembly

347

idawasm

ADFSpoof

SimplifyGraph

IDA Pro plugin to assist with complex graphs

A DTrace on Windows Reimplementation

303

STrace

ShimCacheParser

OfficePurge

msi-search

macos-UnifiedLogs

ioc_writer

GeoLogonalyzer

GeoLogonalyzer is a utility to analyze remote access logs for anomalies such as travel feasibility and data center sources.

194

Vulnerability-Disclosures

FLARE Kernel Shellcode Loader

183

flare-kscldr

175

flare-qdb

Command-line and Python debugger for instrumenting and modifying native software behavior on Windows and Linux.

flare-dbg is a project meant to aid malware reverse engineers in rapidly developing debugger scripts.

161

flare-dbg

The Threat Hunting In Rapid Iterations (THIRI) Jupyter notebook is designed as a research aide to let you rapidly prototype threat hunting rules.

149

thiri-notebook

Link sources to sinks in C# applications.

146

route-sixty-sink

137

VM-Packages

Chocolatey packages supporting the analysis environment projects FLARE-VM & Commando VM.

Programmatically create hunting rules for deserialization exploitation with multiple keywords, gadget chains, object types, encodings, and rule types

135

heyserial

The FLARE team's open-source library to disassemble Common Intermediate Language (CIL) instructions.

130

dncil

Automatic analysis of SWF files based on some heuristics. Extensible via plugins.

124

flashmingo

Indicator of Compromise Scanner for CVE-2019-19781

118

Reversing

111

ioc-scanner-CVE-2019-19781

Shell

flare-bytecode_graph

The User Interface for GoCrack

gocrack-ui

Vue

Volatility-Plugins

libemu shim layer and win32 environment for Unicorn Engine

unicorn-libemu-shim

citrix-ioc-scanner-cve-2023-3519

Shell

AuditParser

Resolves DLL API entrypoints for a process w/ remote query capabilities.

remote_lookup

Visual Basic

synfulknock

Lua

SSSDKCMExtractor

JITM is an automated tool to bypass the JIT Hooking protection on a .NET sample.

jitm

Data to test capa's code and rules.

goauditparser

capa-testfiles

Max

tf_rl_tutorial

Tutorial: Statistical Relational Learning with Google TensorFlow

Jupyter Notebook

macOS-tools

Generate YARA rules for OOXML documents.

apooxml

Collection of scripts used to deobfuscate GOOTLOADER malware samples.

gootloader

PyCommand Scripts for Immunity Debugger

pycommands

Vocabulary Scraper script used in FLARE's analysis of Russian-language Carbanak source code

vocab_scraper

ARDvark parses the Apple Remote Desktop (ARD) files to pull out application usage, user activity, and filesystem listings.

ARDvark

Rekall Forensics and Incident Response Framework with rVMI extensions

rvmi-rekall

Provides access to libhashcat

gocat

ics_mem_collect

QEMU with rVMI extensions

rvmi-qemu

IDA_Pro_VoiceAttack_profile

win10_auto

pulsesecure_exploitation_countermeasures

Linux-KVM with rVMI extensions

rvmi-kvm

pivy-report

Poison Ivy Appendix/Extras

siglib

The "DFUR" Splunk application and data that was presented at the 2020 SANS DFIR Summit.

DFUR-Splunk-App

vbScript_deobfuscator

Help deobfuscate VBScript

VBA

flare-gsoc-2023

Supporting resources and documentation for FLARE @ Google Summer of Code 2023

rpdebug_qnx