- Japan (UTC +09:00)
- https://yamatosecurity.connpass.com/
- @SecurityYamato
- @yamatosecurity
Stars
A preconfigured Velociraptor triage collector
The following two code samples can be used to understand the difference between direct syscalls and indirect syscalls
Dump all cookies, session, and local storage to json files with Chrome/Brave/Edge's remote debugger.
Password analysis, hash analysis and modern reporting of Windows NTLM hashes and cracked passwords for use by pentesters and security consultants.
Scripts for rapid Windows endpoint "tactical triage" and investigations with Velociraptor and KAPE
This repository contains sample log data that were collected after running adversary simulations in Microsoft 365
Checksec, but for Windows: static detection of security mitigations in executables
A deliberately vulnerable Microsoft Entra ID environment. Learn identity security through hands-on, realistic attack challenges.
Phishing attack against synced passkeys
Browser Reviewer is a portable forensic tool for analyzing user activity in Firefox and Chrome-based browsers. It extracts and displays browsing history, downloads, bookmarks, and autofill data. Th…
Gain insights into MS-RPC implementations that may be vulnerable using an automated approach and make it easy to visualize the data. By following this approach, a security researcher will hopefully…
A simple-to-use IR (incident response) case management tool for tracking and documenting investigations.
A DFIR Incident Response AI bot using a local Ollama LLM to derive automated findings from logs
A specialized environment for crafting, validating, and testing LimaCharlie detection rules
Pipeline that allows sending forensic artifacts to OpenRelik for automatic processing
Rustcat (rcat) - The modern port listener and reverse shell
A Rust library for parsing and evaluating Sigma rules
Venture: Cross-Platform GUI tool for parsing and analyzing Windows event logs
This repository generates rules to be used with WELA for auditing Windows event log audit settings.
A high-speed forensic timeline engine for Windows forensic artifact CSV output built for DFIR investigators. Quickly consolidate CSV output from processed triage evidence for Eric Zimmerman (EZ Too…
Encoded Hayabusa and Sigma rules to avoid anti-virus false positives and reduce files stored on target systems.
VelociraptorMCP is a Model Context Protocol bridge for exposing LLMs to MCP clients.
Suzaku (朱雀) is a sigma-based threat hunting and fast forensics timeline generator for cloud logs.
zimedev / certipy-merged
Forked from ly4k/Certipy. Tool for Active Directory Certificate Services enumeration and abuse
A dataset with CloudTrail events from an attack simulation using Stratus.