
mthcht / awesome-lists

Awesome Security lists for SOC/CERT/CTI

1,277 stars
158 forks
19 issues
Languages: YARA, HTML, Python

AI Architecture Analysis

This repository is indexed by RepoMind. By analyzing mthcht/awesome-lists in our AI interface, you can instantly generate complete architecture diagrams, visualize control flows, and perform automated security audits across the entire codebase.

Our Agentic Context Augmented Generation (Agentic CAG) engine loads full source files into context on-demand, avoiding the fragmentation of traditional RAG systems. Ask questions about the architecture, dependencies, or specific features to see it in action.

Source files are only loaded when you start an analysis to optimize performance.


Repository Overview (README excerpt)


Security lists for SOC/DFIR detections

🐾 Threat Hunting:

- ThreatHunting keywords Site
- ThreatHunting keywords Lists
- ThreatHunting Yara rules

ThreatHunting searches:

- Windows Services Searches
- User-Agents Searches
- DNS Over HTTPS Searches
- Suspicious TLDs Searches
- HijackLibs Searches
- Phishing & DNSTWIST Searches
- Browsers extensions Searches
- C2 hiding in plain sight
- HTML Smuggling artifacts
- PSEXEC & similar tools Searches
- Time Slipping detection
- Suspicious Named pipes

📂 My Detection Lists

- 📋 Lists: https://github.com/mthcht/awesome-lists/tree/main/Lists
- 🕵️‍♂️ ThreatHunting Guides: https://mthcht.medium.com/list/threat-hunting-708624e9266f
- 🚰 Suspicious Named pipes: suspicious_named_pipe_list.csv
- 🌐 Suspicious TLDs (updated automatically): [[suspicious_TLDs]](https://github.com/mthcht/awesome-lists/tree/main/Lists/TLDs)
- 🌐 Suspicious ASNs (updated automatically): [[suspicious ASNs]](https://github.com/mthcht/awesome-lists/tree/main/Lists/ASNs)
- 🌐 FYI Maxmind GeoIP Database (updated automatically): GeoIP DB
- 🔧 Suspicious Windows Services: suspicious_windows_services_names_list.csv
- ⏲️ Suspicious Windows Tasks: suspicious_windows_tasks_list.csv
- 🚪 Suspicious destination port: suspicious_ports_list.csv
- 🛡️ Suspicious Firewall rules: suspicious_windows_firewall_rules_list.csv
- 🆔 Suspicious User-agent: suspicious_http_user_agents_list.csv
- 🔏 Suspicious CERTs signer: [[suspicious CERTS]](https://github.com/mthcht/awesome-lists/tree/main/Lists/CERTS)
- 📇 Suspicious USB Ids: suspicious_usb_ids_list.csv
- 🏷️ Suspicious mutex names: suspicious_mutex_names_list.csv
- 🔢 Suspicious MAC address: suspicious_mac_address_list.csv
- 📛 Suspicious Hostname: suspicious_hostnames_list.csv
- 🌐 Suspicious Browser Extensions: Browser Extensions
- 📧 Microsoft App IDs List - BEC Detection: microsoft_apps_list.csv
- 🧮 Metadata Executables: executables_metadata_informations_list.csv
- 🕸️ DNS over HTTPS server list: dns_over_https_servers_list.csv
- 🕸️ Dynamic DNS domains list: dyndns_list.csv
- 🪝 Phishing lists: Phishing domains and urls
- 🕸️ Domains: [[sinkholed servers]](https://github.com/mthcht/awesome-lists/tree/main/Lists/Domains)
- 🕳️ Sinkholed Domains: sinkholed_domains.csv
- 🕳️ Sinkholed Site: SINKHOLED
- 📚 Hijacklibs (updated automatically): hijacklibs_list.csv
- 🌐 TOR Nodes Lists (updated automatically): [[TOR]](https://github.com/mthcht/awesome-lists/tree/main/Lists/TOR)
- 🛠️ LOLDriver List (updated automatically): loldrivers_only_hashes_list.csv
- 🛠️ Malicious Bootloader List (updated automatically): malicious_bootloaders_only_hashes_list.csv
- 📜 Malicious SSL Certificates List (updated automatically): ssl_certificates_malicious_list.csv
- 🖥️ RMM detection: [[RMM]](https://github.com/mthcht/awesome-lists/tree/main/Lists/RMM)
- 👤🔑 Important Roles and groups for AD/EntraID/AWS: [[permissions]](https://github.com/mthcht/awesome-lists/tree/main/Lists/permissions)
- 💻🔒 Ransomware known file extensions: ransomware_extensions_list.csv
- 💻🔒 Ransomware known file name ransom notes: ransomware_notes_list.csv
- 📝 Windows ASR rules: windows_asr_rules.csv
- 🌐 DNSTWIST Lists (updated automatically): DNSTWIST Default Domains + script
- 🌍 VPN IP address Lists (updated automatically):
  - 🛡️ NordVPN: nordvpn_ips_list.csv
  - 🛡️ ProtonVPN: protonvpn_ip_list.csv
  - 🛡️ SurfShark: surfshark_vpn_servers_domains_and_ips_list.csv
  - 🛡️ MullVad: mullvad_relay_servers_ips_list.csv
- 🌍 PROXIES: PROXY IP/Port Lists
- 🏢 Companies IP Range Lists (updated automatically): Default Lists + script / Microsoft
- 📍 GeoIP services Lists: ip_location_sites_list.csv
- 🧬 Yara rules: Threat Hunting yara rules
- 🧬 Offensive Tools detection patterns: offensive_tool_keywords.csv
- 🧬 Greyware Tools detection patterns: greyware_tool_keyword.csv
- 🧬 AV signatures keywords: signature_keyword.csv
- 🧬 Microsoft Defender AV signatures lists: [[Defender]](https://github.com/mthcht/awesome-lists/tree/main/Lists/AV%20signatures/Defender) + yara
- 🧬 ClamAV signatures lists: [[ClamAV]](https://github.com/mthcht/awesome-lists/tree/main/Lists/AV%20signatures/ClamAV)
- 🔗 Others correlation Lists: [[Others]](https://github.com/mthcht/awesome-lists/tree/main/Lists/Others)
- 📋 Lists I need to finish: [[todo]](https://github.com/mthcht/awesome-lists/tree/main/Lists/Others/todo)

I regularly update most of these lists after each tool I analyze in my detection keywords project.

Other Lists

🛡️ DFIR:

- 🔥 EricZimmerman Tools 🔥
- usnjrnl_rewind
- dfir-orc
- dfir-orc-config
- Arsenal Recon Forensic tools
- Splunk4DFIR
- dfiq
- Mind maps
- artifacts List - DFIRArtifactMuseum
- artifacts List - ForensicArtifacts
- Autopsy
- SleuthKit
- [[OS] SIFT Workstation](https://www.sans.org/tools/sift-workstation/)
- [[OS] Remnux](https://remnux.org/)
- [[OS] sof-elk](https://github.com/philhagen/sof-elk)
- [[OS] tsurugi](https://tsurugi-linux.org/)
- [[OS] DEFT](https://distrowatch.com/table.php?distribution=deft)
- [[OS] Flare VM](https://github.com/mandiant/flare-vm)
- PSBits
- Yara - Threat Hunting + TH
- Yara - Forge
- capa
- Malcontent
- [[Event parser] evtx](https://github.com/omerbenamram/evtx)
- [[Event Parser] procmon-parser](https://github.com/eronnen/procmon-parser)
- [[Event Parser] Linux - MasterParser](https://github.com/securityjoes/MasterParser)
- [[EVTX] Hayabusa](https://github.com/Yamato-Security/hayabusa)
- [[EVTX] WELA](https://github.com/Yamato-Security/WELA)
- [[EVTX] chainsaw](https://github.com/WithSecureLabs/chainsaw)
- [[EVTX] APTHunter](https://github.com/ahmedkhlief/APT-Hunter/)
- [[EVTX / Auditd] Zircolite](https://github.com/wagga40/Zircolite)
- werejugo
- srum-dump
- ADTimeline
- PersistenceSniper
- [[O365] Logs - Microsoft-Analyzer-Suite](https://github.com/evild3ad/Microsoft-Analyzer-Suite)
- Logon Tracer
- Timeline Plaso
- Timeline TimeSketch
- regripper
- OneDrive OCR DB artifact collector exe
- OneDrive OCR DB artifact collect…
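The detection lists above (for example suspicious_named_pipe_list.csv, used by the "Suspicious Named pipes" hunt) are only useful once they are matched against real telemetry, and the main practical pitfall is that pipe names are logged differently by different sources: Sysmon Pipe Created (Event ID 17) / Pipe Connected (18) events carry a bare `\name`, while other sources carry the full `\\.\pipe\name` path. The following is an added example written for this page, not code from the mthcht/awesome-lists repository: it loads a CSV in an assumed layout (a `named_pipe` value column plus `metadata_comment` and `metadata_tool` columns, with `*` treated as a wildcard), normalises both the list values and the event field, and flags the events that hit. The column names, the wildcard convention, the list rows and the Sysmon-style events are all constructed for the example; check the header of the real list before reusing the names, since only the normalise-then-glob-match logic is meant to carry over.

```python
"""Match pipe-creation events against a CSV indicator list.

Added example for this page, not code from mthcht/awesome-lists.
ASSUMED list layout: value column 'named_pipe', extra columns
'metadata_comment' and 'metadata_tool', '*' in a value is a wildcard.
"""
import csv
import fnmatch
import io
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample rows in the assumed layout (not the repository's list).
SAMPLE_LIST_CSV = r"""named_pipe,metadata_comment,metadata_tool
\\.\pipe\psexesvc,PsExec service pipe,psexec
\\.\pipe\paexec*,PAExec remote execution pipe,paexec
\\.\pipe\postex_*,Cobalt Strike post-exploitation job pipe,cobaltstrike
\\.\pipe\msagent_*,Cobalt Strike default SMB beacon pipe,cobaltstrike
"""

# Constructed Sysmon-style Pipe Created (17) / Pipe Connected (18) records.
# Sysmon logs PipeName without the \\.\pipe\ prefix; other sources include it.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "17", "Image": r"C:\Windows\PSEXESVC.exe", "PipeName": r"\PSEXESVC"},
    {"EventID": "17", "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\lsass"},
    {"EventID": "18", "Image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe", "PipeName": r"\msagent_4b2e"},
    {"EventID": "17", "Image": r"C:\Program Files\Vendor\agent.exe", "PipeName": r"\\.\pipe\paexec-1234-HOST01"},
]

# Prefixes that all mean "named pipe" but vary by log source.
PIPE_PREFIX = re.compile(r"^(\\\\\.\\pipe\\|\\device\\namedpipe\\)", re.IGNORECASE)


@dataclass(frozen=True)
class Indicator:
    pattern: str        # normalised list value, may contain '*'
    comment: str
    tool: str
    regex: re.Pattern   # compiled case-insensitive glob of `pattern`


def normalise_pipe(name: str) -> str:
    r"""Lower-case the name and strip the \\.\pipe\ or \Device\NamedPipe\
    prefix (and any leading backslash) so values from different log sources
    compare equal: '\PSEXESVC' and '\\.\pipe\psexesvc' both become 'psexesvc'."""
    name = PIPE_PREFIX.sub("", name.strip().lower())
    return name.lstrip("\\")


def load_indicators(csv_text: str, value_column: str = "named_pipe") -> List[Indicator]:
    """Parse the list; each value becomes a case-insensitive glob (fnmatch),
    so an entry such as 'msagent_*' matches any suffix."""
    indicators = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        pattern = normalise_pipe(row.get(value_column) or "")
        if pattern in ("", "*"):
            continue  # a blank or bare '*' row would match every event
        indicators.append(Indicator(
            pattern=pattern,
            comment=row.get("metadata_comment", ""),
            tool=row.get("metadata_tool", ""),
            regex=re.compile(fnmatch.translate(pattern), re.IGNORECASE),
        ))
    return indicators


def match_pipe(pipe_name: str, indicators: List[Indicator]) -> Optional[Indicator]:
    """Return the first indicator whose glob covers the normalised pipe name."""
    name = normalise_pipe(pipe_name)
    for ind in indicators:
        if ind.regex.match(name):
            return ind
    return None


def scan_events(events: List[Dict[str, str]],
                indicators: List[Indicator]) -> List[Tuple[str, str, str, str]]:
    """Run every event through the list; return (image, pipe, tool, comment) hits."""
    hits = []
    for ev in events:
        ind = match_pipe(ev.get("PipeName", ""), indicators)
        if ind is not None:
            hits.append((ev["Image"], ev["PipeName"], ind.tool, ind.comment))
    return hits


if __name__ == "__main__":
    for image, pipe, tool, comment in scan_events(SAMPLE_EVENTS, load_indicators(SAMPLE_LIST_CSV)):
        print(f"HIT {tool:<13} {pipe:<28} {image}  ({comment})")
```

Two design points carry over to the other CSV lists: normalise the field on both sides (the list value and the log value) before comparing, because a list written as `\\.\pipe\...` will silently never match Sysmon's `\name` form otherwise; and refuse list rows that would degenerate into a match-everything glob, since one blank or `*` line in an auto-updated list would otherwise turn the whole hunt into noise.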