Security lists for SOC/DFIR detections
Threat Hunting:
My Detection Lists
- 📋 Lists: https://github.com/mthcht/awesome-lists/tree/main/Lists
- 🕵️‍♂️ ThreatHunting Guides: https://mthcht.medium.com/list/threat-hunting-708624e9266f
- 🚰 Suspicious Named pipes: suspicious_named_pipe_list.csv
- 🌐 Suspicious TLDs (updated automatically): [suspicious_TLDs]
- 🌐 Suspicious ASNs (updated automatically): [suspicious ASNs]
- 🔧 Suspicious Windows Services: suspicious_windows_services_names_list.csv
- ⏲️ Suspicious Windows Tasks: suspicious_windows_tasks_list.csv
- 🚪 Suspicious destination port: suspicious_ports_list.csv
- 🛡️ Suspicious Firewall rules: suspicious_windows_firewall_rules_list.csv
- 🆔 Suspicious User-agent: suspicious_http_user_agents_list.csv
- 📇 Suspicious USB Ids: suspicious_usb_ids_list.csv
- 🔢 Suspicious MAC address: suspicious_mac_address_list.csv
- 📛 Suspicious Hostname: suspicious_hostnames_list.csv
- 🧮 Metadata Executables: executables_metadata_informations_list.csv
- 🕸️ DNS over HTTPS server list: dns_over_https_servers_list.csv
- 📚 Hijacklibs (updated automatically): hijacklibs_list.csv
- 🌐 TOR Nodes Lists (updated automatically): [TOR]
- 🛠️ LOLDriver List (updated automatically): loldrivers_only_hashes_list.csv
- 🛠️ Malicious Bootloader List (updated automatically): malicious_bootloaders_only_hashes_list.csv
- 📜 Malicious SSL Certificates List (updated automatically): ssl_certificates_malicious_list.csv
- 🖥️ RMM detection: [RMM]
- 👤🔑 Important Roles and groups for AD/EntraID/AWS: [permissions]
- 💻🔒 Ransomware known file extensions: ransomware_extensions_list.csv
- 💻🔒 Ransomware known file name ransom notes: ransomware_notes_list.csv
- 📝 Windows ASR rules: windows_asr_rules.csv
- 🌐 DNSTWIST Lists (updated automatically): DNSTWIST Default Domains + script
- 🌍 VPN IP address Lists (updated automatically):
  - 🛡️ NordVPN: nordvpn_ips_list.csv
  - 🛡️ ProtonVPN: protonvpn_ip_list.csv
- 🏢 Companies IP Range Lists (updated automatically): Default Lists + script / Microsoft
- 📍 GeoIP services Lists: ip_location_sites_list.csv
- 🧬 Yara rules: Threat Hunting yara rules
- 🧬 Offensive Tools detection patterns: offensive_tool_keywords.csv
- 🧬 Greyware Tools detection patterns: greyware_tool_keyword.csv
- 🧬 AV signatures keywords: signature_keyword.csv
- 🧬 Microsoft Defender AV signatures lists: [Defender]
- 🧬 ClamAV signatures lists: [ClamAV]
- 🔗 Other correlation Lists: [Others]
- 📋 Lists I need to finish: [todo]
I regularly update most of these lists after each tool I analyze in my detection keywords project.
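Most of the lists above are meant to be joined against telemetry: the keyword-style lists (named pipes, services, tasks, offensive/greyware tool patterns) use `*` wildcards that must be matched case-insensitively against event fields, and the IP-style lists (TOR nodes, VPN ranges, company ranges) are addresses or CIDRs to test a source IP against. The following is an added example of both joins, written for this page and not code from mthcht/awesome-lists. It assumes column names (`keyword`, `metadata_tool`, `metadata_severity` for keyword lists, `ip` for IP lists); check the header row of the real CSV before pointing it at this code. All sample rows and events are constructed.

```python
"""Run log events against awesome-lists style CSVs.

Added example, not code from mthcht/awesome-lists. Two assumptions about the
CSV schemas (verify against the real files' headers): keyword lists have
'keyword', 'metadata_tool' and 'metadata_severity' columns and use '*' as a
wildcard; IP lists have one address or CIDR per row in an 'ip' column.
All sample data below is constructed for the example.
"""
import csv
import fnmatch
import io
import ipaddress
import re

# Constructed sample in the style of a keyword list (assumed column names).
SAMPLE_KEYWORD_CSV = r"""keyword,metadata_tool,metadata_severity
*\postex_*,cobaltstrike,critical
*\msagent_*,cobaltstrike,critical
*mimikatz*,mimikatz,critical
*Invoke-Kerberoast*,powershell,high
"""

# Constructed sample in the style of a VPN/TOR IP list (assumed 'ip' column,
# documentation-only ranges from RFC 5737 / RFC 3849).
SAMPLE_IP_CSV = """ip
198.51.100.0/24
203.0.113.7
2001:db8::/32
"""


def load_keywords(text):
    """Compile each wildcard keyword into a case-insensitive regex."""
    compiled = []
    for row in csv.DictReader(io.StringIO(text)):
        # fnmatch treats '[' as a character class; escape it so entries such as
        # '*[System.Reflection*' match the literal bracket.
        glob = row["keyword"].replace("[", "[[]")
        compiled.append((re.compile(fnmatch.translate(glob), re.IGNORECASE), row))
    return compiled


def load_networks(text):
    """Parse single IPs and CIDR ranges into ip_network objects."""
    return [ipaddress.ip_network(row["ip"].strip(), strict=False)
            for row in csv.DictReader(io.StringIO(text)) if row["ip"].strip()]


def scan_events(events, compiled):
    """Return one finding per (event field, keyword) match, in event order."""
    findings = []
    for event in events:
        for field, value in event.items():
            if not isinstance(value, str):
                continue
            for pattern, row in compiled:
                # translate() anchors at both ends, so a leading/trailing '*'
                # in the list entry is what gives substring semantics.
                if pattern.match(value):
                    findings.append({
                        "event_id": event.get("EventID"),
                        "field": field,
                        "keyword": row["keyword"],
                        "tool": row["metadata_tool"],
                        "severity": row["metadata_severity"],
                    })
    return findings


def ip_in_lists(ip, networks):
    """True if the address falls inside any listed range (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


# Constructed Sysmon-like events (EventID 17 = pipe created, 1 = process create).
SAMPLE_EVENTS = [
    {"EventID": 17, "Image": r"C:\Windows\System32\rundll32.exe",
     "PipeName": r"\postex_4f2a"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -ep bypass -c "Import-Module .\\kerb.ps1; '
                    'Invoke-Kerberoast -OutputFormat hashcat"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
]

KEYWORDS = load_keywords(SAMPLE_KEYWORD_CSV)
NETWORKS = load_networks(SAMPLE_IP_CSV)

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS, KEYWORDS):
        print(finding)
    for src in ("198.51.100.42", "192.0.2.1", "2001:db8:1::5"):
        print(src, "listed" if ip_in_lists(src, NETWORKS) else "not listed")
```

Two practical caveats: the lists are updated often, so reload them on a schedule rather than compiling once at startup, and a single-host entry without a prefix is treated as a /32 (or /128) by `ip_network`, which is the intended behaviour for exit-node and VPN lists.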
Other Lists
IOC Feeds/Blacklists:
- ABUSE.CH BLACKLISTS
- Block Lists
- DNS Block List
- Phishing Block List
- C2IntelFeeds
- Volexity TI
- Open Source TI
- C2 Tracker
- Unit42 IOC
- Sekoia IOC
- Unit42 Timely IOC
- Unit42 Articles IOC
- ThreatFOX IOC
- Zscaler ThreatLabz IOC
- Zscaler ThreatLabz Ransomware notes
- experiant.ca
- Sophos lab IOC
- ESET Research IOC
- ExecuteMalware IOC
- Cisco Talos IOC
- Elastic Lab IOC
- Blackorbid APT Report IOC
- AVAST IOC
- DoctorWeb IOC
- BlackLotusLab IOC
- prodaft IOC
- Pr0xylife DarkGate IOC
- Pr0xylife Latrodectus IOC
- Pr0xylife WikiLoader IOC
- Pr0xylife SSLoad IOC
- Pr0xylife Pikabot IOC
- Pr0xylife Matanbuchus IOC
- Pr0xylife QakBot IOC
- Pr0xylife IcedID IOC
- Pr0xylife Emotet IOC
- Pr0xylife BumbleBee IOC
- Pr0xylife Gozi IOC
- Pr0xylife NanoCore IOC
- Pr0xylife NetWire IOC
- Pr0xylife AsyncRAT IOC
- Pr0xylife Lokibot IOC
- Pr0xylife RemcosRAT IOC
- Pr0xylife nworm IOC
- Pr0xylife AZORult IOC
- Pr0xylife NetSupportRAT IOC
- Pr0xylife BitRAT IOC
- Pr0xylife BazarLoader IOC
- Pr0xylife SnakeKeylogger IOC
- Pr0xylife njRat IOC
- Pr0xylife Vidar IOC
- Pr0xylife Warmcookie IOC
- SpamHaus drop.txt
- UrlHaus_misp
- UrlHaus
- vx-underground - Great Resource for Samples and Intelligence Reports
Github
More github lists: https://github.com/mthcht?tab=stars&user_lists_direction=asc&user_lists_sort=name
SIEM/SOC related:
TI TTP/Framework/Model/Trackers
- Tools used by ransomware groups - @BushidoToken
- Techniques - MITRE ATT&CK
- Tactics - MITRE ATT&CK
- Mitigation - MITRE ATT&CK
- ATT&CK matrix navigator
- All MITRE data in xlsx format
- Tools used by threat actor groups - MITRE ATT&CK
- atomic-red-team
- redcanary Threat Detection report
- The-Unified-Kill-Chain
- TTP pyramid
- Pyramid of pain
- Cyber Kill chain
- MITRE D3FEND
- Ransomware.live