- Red Team Resources
Collection of penetration testing tools, scripts, and techniques for comprehensive vulnerability assessment.
- Blue Team Resources
Wide range of tools for incident response, digital forensics, threat hunting, and hardening security infrastructures.
- IOC Database
A database of IOCs, which include, but are not limited to, IP addresses, domain names, URLs, and file hashes associated with known threat actors and their campaigns.
- Knowledge Base
Detailed guides, walkthroughs, and tips related to the latest offensive and defensive cybersecurity tactics, techniques, and procedures (TTPs).
- Open Source
Open-source repository welcoming contributions from the community.
- Project Killchain [PKC]
- Table of Contents
- Contributions
- IOCs
- Research
- Scripts
- General Resources
- Reporting Formats
- Community Contributions
- Wallpapers
- Project Killchain Team
Project Killchain values and appreciates contributions from the cybersecurity community. Feel free to contribute code, share new tools, update our knowledge base, or expand the IOC database. Please review the contributing guidelines before making any contributions.
- Warning: attempts to become a 'contributor' by reusing old code or IOCs, or by not following the rules, will get you blacklisted from contributing to this repo.
The IOC Database of Project Killchain is a rich repository of Indicators of Compromise (IOCs) tied to cyber threats. These IOCs include static indicators:
- IP Addresses
- Domain Names
- URLs
- File Hashes

Together with heuristic behavioural patterns, they are used to detect and analyze malicious network or system activities linked to known threat actors or campaigns.
Snap of Amadey IOC dump: 01 Aug 23
By cross-referencing system or network activities with this database, quick detection and response to threats are facilitated. Constantly updated to tackle evolving threats, this IOC Database is key to understanding threat actors' techniques.
Stealer malware, or info-stealing malware, is malicious software designed to extract sensitive data like login credentials and credit card details from compromised systems. Project Killchain tracks this malware to proactively identify, analyze, and neutralize threats using Indicators of Compromise (IOCs), which are signs of potential malicious activity. IOCs may include unique malware attributes, communication IP addresses or domains, and suspicious system modifications. This aids in quicker detection, response, and prevention of damage, providing insights for future threat hunting activities.
Redline is a type of information-stealing malware designed to collect sensitive data from infected systems. It operates by extracting browser-based data such as cookies, login credentials, credit card information, and auto-fill form data. Notorious for its user-friendly interface and low cost on the dark web, Redline has gained popularity among cybercriminals. The malware employs advanced evasion techniques to avoid detection by standard antivirus software, making it a significant threat to personal and organizational cybersecurity.
Amadey is a simple yet effective trojan used primarily for reconnaissance in cyberattack operations. It's known for its "as-a-service" model on underground markets, where it's often bought by less technically skilled cybercriminals. Once deployed, Amadey scans the infected system, collecting information such as system settings, installed programs, and running processes. This gathered data helps threat actors to understand the landscape of the compromised system and plan subsequent, more sophisticated attacks. Its simplicity and stealth make Amadey a widely used tool in the initial stages of many cybercrime campaigns.
Loader malware is a category of malicious software designed to download and install additional malware onto a compromised system. Often used as the initial stage of a multi-tier attack, loaders enable threat actors to deploy a variety of secondary payloads, such as ransomware, banking trojans, or info-stealers, depending on their objectives. With their ability to bypass detection mechanisms and regularly update payloads, loaders present a dynamic and ongoing threat to cybersecurity.
Smoke Loader is a notorious loader malware that's been in the cyber threat landscape for several years. It's used primarily to download and install additional malware onto infected systems, effectively acting as a gateway for more destructive attacks. Smoke Loader is known for its robust evasion techniques, which include code obfuscation and living-off-the-land tactics, where it leverages legitimate system processes to hide its activities. Its persistent presence and adaptability to new defensive measures make Smoke Loader a significant and continuous threat.
The Threat Hunting Repository in Project Killchain serves as a structured collection of resources, methodologies, tools, and techniques to assist in the proactive search for potential threats within a network. This repository could include:
- TTPs (Tactics, Techniques, and Procedures): Detailed descriptions and examples of the methods used by threat actors to infiltrate and exploit networks. This helps threat hunters to anticipate and counteract malicious activities.
- Hunting Queries: Pre-defined search queries for popular security tools and platforms, such as Splunk or Microsoft Security, that can help in spotting anomalies or suspicious patterns.
- Analytical Tools: References to, or scripts for, various tools used in the threat hunting process. This could involve data aggregation, pattern recognition, and anomaly detection tools.
- Hunting Procedures: Methodologies and best practices for conducting threat hunts, including advice on structuring hunts, prioritizing resources, and effectively communicating findings.
- Case Studies: Detailed examples of previous successful threat hunts, providing practical examples and lessons learned.
PKC - Abnormal Scheduled Task Creation, via Stealer Malware IOCs
The aim of the Threat Hunting Repository is to equip security teams with the necessary resources to proactively find, isolate, and neutralize threats before they result in a security breach.
The Research Repository in Project Killchain holds the releases of curated intelligence from the Cyber Defence Operations (cydefops.com) team.
The selection of currently available papers includes:
- Dissecting Malicious PyPi Packages
- Chinese Scammers Targeting Qatar Residents
- Malicious PyPi Packages Leading To Phishing Websites
- Malicious PyPi Packages Leading To Phishing Websites - Part 2
- Deconstructing Deception - Cl0p
- VSCode - Forwarded Ports For Data Exfiltration
- Cracking The Code - DevTunnels Unleashed
The Scripts repository in Project Killchain is a collection of time-saving scripts. Whether for automation, security, forensics, or red teaming, you can find many categories of useful scripts here. Currently, the scripts here are made by us; if they are not, this will be disclosed.
This repository contains scripts for various aspects of web security, aiding in automating vulnerability assessment, security checks, and other essential tasks.
This folder contains scripts for handling DNS-related security tasks, including monitoring DNS traffic, conducting reconnaissance, and improving DNS configuration security.
LazyDNS, by Kamran Saifullah
Here you'll find scripts geared towards Postman, useful for automating API testing, managing mock servers, and enhancing the overall efficiency of API development.
Here you'll find scripts geared towards automating encoding with a wide range of encoding algorithms for CTI, red teaming, penetration testing, etc.
Here you'll find scripts geared towards automating the validation and verification of HTTP security headers in web applications, designed for web application penetration testers and for web developers keen on building safe and secure web applications.
Here you'll find scripts geared towards performing static as well as dynamic reverse engineering of Microsoft Windows executables, a.k.a. PE executables, for all architectures.
Here you'll find scripts geared towards cryptographic algorithms, encryption and decryption, as well as hash calculations, etc.
Here you'll find Reporting Formats created and designed by the Project-KillChain Team for community use. The currently available Reporting Formats are as below.
The Project Killchain Team consists of a few cybersecurity practitioners aiming to share knowledge with the community. The team members are all volunteers and contribute to this project in their own time. They are:
Umar is CEO at Cyber Defence Operations (CyDefOps), Director of Security Consulting at Kyndryl and Cyber Special at the UK's National Crime Agency
Kamran is Lead Security Assessments/DFIR at Commercial Bank of Qatar, Principal Cyber Defence Researcher at CyDefOps, Technical Education Advisory Board at NCFE UK and Lead Maintainer of Project-KillChain.
Cam is Security Specialist - Operation Lead at Komainu, Defensive Security Researcher at Cyber Defence Operations (CyDefOps), Technical Education Advisory Board at NCFE and Lead Maintainer of Project-KillChain.
Htet is a Principal Security Architect (Global Security & Resiliency) at Kyndryl