Blue ToolBox

This section contains handy links and tools for anything else not mentioned in the previous sections.

Open Source AntiVirus/AntiMalware/AntiRootkit

• ClamAV - ClamAV is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats.

  • https://docs.clamav.net/Introduction.html

  • For Linux users, clamAV has a new on-access scanning option. Make sure you have it enabled! https://docs.clamav.net/manual/OnAccess.html

• Immunet - Immunet is a malware and antivirus protection system that utilizes cloud computing to provide enhanced community-based security.

Secure Firmware

• Coreboot is a replacement for your BIOS / UEFI with a strong focus on boot speed, security and flexibility. It is designed to boot your operating system as fast as possible without any compromise to security, with no back doors.

• TianoCore is a community project supporting an open source implementation of the Unified Extensible Firmware Interface (UEFI). EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and UEFI Platform Initialization (PI) specifications.

Personal Firewall/Sandbox

• PortMaster - Portmaster is a free and open-source application firewall with audjustable defense profiles, white/blacklisting, and amazing extra features.

• OpenSnitch - Linux Application Firewall. The first thing I install.

• FireJail - Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities.

• eBPF is a technology that can run sandboxed programs in the Linux kernel without changing kernel source code or loading kernel modules. By making the Linux kernel programmable, infrastructure software can leverage existing layers, making them more intelligent and feature-rich without continuing to add additional layers of complexity to the system.

• eBPF for Windows is an eBPF implementation that runs on top of Windows. eBPF is a well-known technology for providing programmability and agility, especially for extending an OS kernel, for use cases such as DoS protection and observability.

OpenSource Email Security

• https://sublimesecurity.com/ - Sublime lets you write and run custom detection and response rules to block phishing attacks, hunt for threats, and more.

VMs/OSs

• Security Onion - Security Onion is a free and open source Linux distribution for threat hunting, enterprise security monitoring, and log management.

• SANS SIFT - The SIFT Workstation is a collection of free and open-source incident response and forensic tools designed to perform detailed digital forensic examinations in a variety of settings.

• Flare - A fully customizable, Windows-based security distribution for malware analysis, incident response, penetration testing, etc.

• Remnux - REMnux® is a Linux toolkit for reverse-engineering and analyzing malicious software. REMnux provides a curated collection of free tools created by the community. Analysts can use it to investigate malware without having to find, install, and configure the tools.

• SOF-ELK - SOF-ELK® is a “big data analytics” platform focused on the typical needs of computer forensic investigators/analysts and information security operations personnel. The platform is a customized build of the open source Elastic stack, consisting of the Elasticsearch storage and search engine, Logstash ingest and enrichment system, Kibana dashboard frontend, and Elastic Beats log shipper (specifically filebeat).

MacOS

• Venator-Swift - Swift Command line tool used for proactive detection of malicious activity on macOS systems.

• Santa - Santa is a binary authorization system for macOS

• KnockKnock - KnockKnock uncovers persistently installed software in order to generically reveal such malware.

• LuLu - Open-source firewall that aims to block unknown outgoing connections, protecting your privacy and your Mac!

• Operator Handbook: MacOS Defend - pg.162

Security Infrastructure Tools

• MADCert is a cross-platform tool that consists of a certificate generator, a file system certificate manager, and a command line interface for the purposes of testing.

• BLESS(Bastion's Lambda Ephemeral SSH Service) is an SSH Certificate Authority that runs as an AWS Lambda function and is used to sign SSH public keys.

• Zuul is an L7 application gateway that provides capabilities for dynamic routing, monitoring, resiliency, security, and more.

• D4 DDOS detection tool

• IPFire Open Source Firewall

• pfSense is a free and open source firewall and router that also features unified threat management, load balancing, multi WAN, and more.

• Pi-hole is a DNS sinkhole that protects your devices from unwanted content, without installing any client-side software, intended for use on a private network. It is designed for use on embedded devices with network capability, such as the Raspberry Pi, but it can be used on other machines running Linux and cloud implementations.

• https://github.com/SpyGuard/SpyGuard -

Misc Tools

• SELinux is a security enhancement to Linux which allows users and administrators more control over access control. Access can be constrained on such variables as which users and applications can access which resources. These resources may take the form of files. Standard Linux access controls, such as file modes (-rwxr-xr-x) are modifiable by the user and the applications which the user runs. Conversely, SELinux access controls are determined by a policy loaded on the system which may not be changed by careless users or misbehaving applications.

• AppArmor is an effective and easy-to-use Linux application security system. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behavior and preventing both known and unknown application flaws from being exploited. AppArmor supplements the traditional Unix discretionary access control (DAC) model by providing mandatory access control (MAC). It has been included in the mainline Linux kernel since version 2.6.36 and its development has been supported by Canonical since 2009.

• Graph and Charting tools

  • https://developers.google.com/chart

  • http://www.gnuplot.info/

  • http://afterglow.sourceforge.net/

• Veracrypt - Open source disk encryption

• Network Tools - Free online network toolset

• IP address ranges by country - https://lite.ip2location.com/ip-address-ranges-by-country

• TheHive (SOAR/Ticket system) - TheHive is a scalable 3-in-1 open source and free Security Incident Response Platform designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly

• Cortex - Tool for analyzing TheHive Observables at scale.

• SANS Security Policy Templates

• CrowdSec collective behavior engine

• Google Toolbox - Misc Web based utilities

• https://grsecurity.net/