30 open-source projects similar to microsoft/avml, ranked by how many features they have in common. Compare stars, activity and what each one does to find the best Avml alternative.
Velociraptor is a digital forensics and incident response platform, endpoint detection and response system, and visibility tool. It provides a query engine and remote forensic collector used to hunt for indicators of compromise and perform triage across a fleet of hosts. The system is distinguished by its specialized query language for interrogating host state and parsing binary files. It features a notebook environment that combines markdown documentation with executable query cells to standardize investigative workflows and enable collaborative reporting. The platform covers a wide range o
LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisitio
pcileech is a toolkit for executing DMA attacks, analyzing PCIe bus traffic, performing kernel patching, and conducting remote volatile memory forensics. It functions as a hardware memory acquisition tool and a PCIe DMA attack framework designed to read and write remote system memory via direct hardware interfaces. The project provides capabilities for capturing and displaying raw transaction layer packets from the PCIe bus and mounting live RAM as local drives for analysis. It enables the modification of system memory signatures and the execution of shellcode or implants within the kernel wi
RdpCacheStitcher is a tool that supports forensic analysts in reconstructing useful images out of RDP cache bitmaps. Using raw RDP cache tile bitmaps extracted by tools such as ANSSI's BMC-Tools (https://github.com/ANSSI-FR/bmc-tools) as input, it provides a graphical user interface and…
Extract files from Apple devices on Windows, Linux and macOS. Mostly a wrapper for pymobiledevice3. Creates iTunes-style backups and "advanced logical backups".
WELA (Windows Event Log Analyzer, ゑ羅) is a tool for auditing Windows event log settings. Windows event logs are a vital source of information for Digital Forensics and Incident Response (DFIR), providing visibility into system activity and security events.
LogonTracer is a security auditing tool designed for logon analysis and forensic log auditing. It functions as a dockerized security auditor that utilizes a security event graph database to map account names and network addresses, allowing for the visualization of complex system compromise patterns and authentication paths. The system features a Sigma detection engine that scans imported event logs against standardized rule sets to identify known malicious activity. It also includes an anomalous behavior detector that applies statistical analysis, graph algorithms, and hidden Markov models to
SRUM-DUMP extracts data from the System Resource Utilization Management (SRUM) database and generates an Excel spreadsheet. This tool is invaluable for forensic investigations, as SRUM maintains records of applications that have run on a system within the last 30 days.
This repository contains the configuration and support files for the SOF-ELK® VM Appliance.
Hayabusa is a Windows event log analyzer, threat hunting tool, and forensic timeline generator. It functions as a detection engine that applies threat patterns to logs to identify suspicious behavior and security threats. The project distinguishes itself through the ability to synchronize detection rules from remote repositories and tune risk levels to prioritize critical alerts. It also provides specialized forensic capabilities, such as extracting event log data into chronological records for incident response investigations. The tool's broader capabilities include security log enrichment
APT-Hunter is a threat hunting tool for Windows event logs, built with a purple team mindset to detect APT movements hidden in the sea of Windows event logs and to decrease the time needed to uncover suspicious activity.
Digital Forensics artifact repository
GRR is a distributed incident response platform and asynchronous forensic task orchestrator. It functions as a remote forensics framework designed to collect and analyze volatile data, system memory, and digital artifacts from remote hosts during security incident response. The system operates as a remote endpoint triage system, utilizing a coordinated architecture to manage a fleet of agents. It enables the execution of investigative tasks across multiple systems, allowing for the search of files and registries across a large fleet of machines to identify compromised hosts. The platform pro
PowerForensics provides an all-in-one platform for live disk forensic analysis.
🧭 The artifactcollector is a customizable agent to collect forensic artifacts on any Windows, macOS or Linux system
MemProcFS is a volatile memory analysis tool and cross-platform memory acquisition system. It functions as a memory forensic virtual file system, mapping physical memory and kernel objects into a virtual directory structure that allows users to analyze system artifacts using standard file system tools. The project distinguishes itself by providing a virtual file system for memory forensics, enabling the browsing and querying of physical memory as read-only files and folders. It also incorporates a Yara-based memory scanner to identify malware signatures and injected code within physical memor
Volatility is a memory forensics framework and digital forensics tool designed to extract and analyze evidence from volatile computer memory dumps. It functions as a memory dump parser and analysis platform used to identify running processes, network connections, and loaded modules from a system RAM capture. The framework enables the reconstruction of system state to uncover malicious activity, such as rootkits and injected code, during malware incident response and threat hunting. It provides capabilities for digital forensic investigations to detect unauthorized access and indicators of com
Volatility3 is a memory forensics framework and analysis tool used to parse volatile memory dumps. It extracts digital artifacts and reconstructs the runtime state of a system to recover process information, network artifacts, and other forensic evidence. The system functions as a plugin-based forensic engine and an operating system symbol resolver. It maps raw memory addresses to known system structures using symbol tables and translation layers, and provides an extensible architecture for creating custom scanners and renderers. The framework includes a command-line memory explorer for real
1. The ADTimeline PowerShell script
   1. Description
   2. Prerequisites
   3. Usage
   4. Files generated
   5. Custom groups
2. The ADTimeline App for Splunk
   1. Description
   2. Sourcetypes
   3. AD General information dashboards
   4. AD threat hunting dashboards
   5. Enhance your traditional event logs threat…