This page contains a collection of links which I found valuable for different reasons. It is basically an extended bookmarking section for myself, but maybe they are also useful for you.
Table of Contents
Red Team
OS, Distros, Tools
SANS “Slingshot” – Penetration testing distribution based on Ubuntu Linux
FireEye “Commando VM” – Penetration testing VM based on Windows
Burp Suite – Hacking proxy & toolset, available in a free community edition
Invoke Obfuscation – Powershell code obfuscation
LDAPFragger – C&C for LDAP
shodan.io – Discover hosts & vulnerabilities and much more in one interface
impacket – Abundant Python library to script networking & recon tasks
Tutorials, Research
Bypass Execution Policy – 15 ways how to bypass
exploit-db.com – Footprinting with Google
Kerberosity – How Kerberos works and how to attack it
Preparation Guide for OCSP – On the same blog many other relevant articles
Windows Scripting Host Documentation – Allows to execute scripts like Javascript outside the browser to perform OS exploits
Blue Team
OS / Distros
SANS “SIFT” – Incident response & forensics distribution based on Ubuntu
Security Onion – Threat hunting, defense and log management distribution
Tools
Hardening & Preparation
Policy Analyzer – Compare GPOs on different systems; useful for hardening
Windows Hardening Script – Together with using the Policy Analyzer (see above), you might want to consider running this script to have a sensibly hardened security baseline.
Mitre Att&ck Navigator – Neat tool to work on security posture
Programming
CyberChef – Decrypt and convert to and from many encodings (base64 etc.)
uncoder.io – Translate SIEM rules for different platforms.
NSACyber – The GitHub account of the NSA with very useful code, for example to detect and mitigate web shell attacks.
Regex101 – Regular Expression tester for different languages
cURL Converter – Convert cURL syntax into Python and other languages
Detection & Forensics
Volatility – Digital forensics toolkit written in Python (also included in SIFT)
Sigma – Generic Signature Format for SIEM Systems;here is also a good tutorial on how to write your own recognition patterns
Network Miner – Instead of starting your pcap analysis with Wireshark and getting lost in the bits and bytes, it’s a good idea to use this neat tool to get an overview on what’s happening on a higher level (which hosts involved, which connections observed, which files accessed, etc.). The website also offers video tutorials.
Suricata – This well-known alternative to even better known Snort is a good addition to your analysis with Network Miner (see above), because it can throw detection rules on recorded traffic (pcap files) and recognize suspicious behavior retrospectively, that might have gone unnoticed before.
urlscan.io – See website contents & security ranking without opening it
VirusTotal – Check an URL or file with more than 70 virus scanners
X-Force Exchange – Threat Intelligence
Tutorials, Research
Technology Basics
TLS Handshake Explained – Detailed yet comprehensible explanation of one of the cornerstones of safe internet communication
VPNs (IPsec) Explained – Graphics make this learning material one of the better choices
Hardening & Preparation
cyber.gov.au – Very good publications on hardening, 2FA, WEF, policies, etc.
Cyber Incident Handling Program – Slightly dated but still very relevant information by the US Department of Defence
ISECOM security research community – publications on security testing methodologies, attack surface calculator, security certifications
Center for Internet Security (CIS) Benchmarks – Nonprofit organization that offers best-practice recommendations on securing infrastructure
ENISA Trainings – European Union Agency for Cybersecurity
Windows-specific
Microsoft Auditing Recommendations – Tips for many different events, both in general terms and for specific events, for example cryptographic key operations (5059, 5061), service installations (4697), unregistering security event sources (4905), or changes of security-enabled groups (4735).
Event Log Analysis – Based on event logs as described on the Microsoft KB pages (see above for different event IDs), you can write monitoring and alerting rules. This page shows which events are created when running different tools that are usually run by attackers.
Detecting Powershell attacks with SIEM – Research by SANS
Malware
YARA Rules – Getting started with this versatile malware detection standard
Eideon.com – Tales of a Threat Hunter. Slightly dated, but very useful research
On the wire
Wireshark Capture files from Wireshark Wiki, NetReSec Forensics and Malware-Traffic-Analysis.net, the latter also with tutorials on how to find IoCs.
Network Profiling Using Flows – Network flows are less often used than log events, but very helpful for different network security monitoring tasks