SOC Resources
Here is a list of open-source and free tools that help with the day-to-day operations of SOC teams and other cyber security professionals.
Threat Intelligence
- HaveIBeenPwned – Contains password hashes from multiple data breaches.
- Cisco Talos – Comprehensive threat intelligence.
- IBM X-Force Exchange – Threat intelligence, vulnerability and analyst reports.
- VirusTotal – Threat intelligence for files, IPs and URLs from 60+ sources.
- IOCs from Unit 42 (Palo Alto Networks) – Repository contains indicators related to Unit 42 Public Reports.
- IPVoid – IP reputation.
- AlienVault – Threat intelligence for files, IPs and URLs.
- BorderWare – IP reputation.
- HetrixTools – Uptime monitor and blacklist monitor.
- MetaDefender – Threat intelligence for files, IPs, URLs, CVEs and domains.
- PhishTank – Threat intelligence about phishing sites
- Spamhaus – Tracks spam and related cyber threats such as phishing, malware and botnets, and provides real-time, actionable and highly accurate threat intelligence.
- FireEye OpenIOCs – Contains IOCs related to multiple APTs.
- OpenVAS NVT Feed – Public feed of Network Vulnerability Tests (NVTs) for OpenVAS.
- IntelMQ – Solution for IT security teams (CERTs and CSIRTs, SOCs, abuse departments, etc.) for collecting and processing security feeds (such as log files) using a message queuing protocol.
- MISP – Open-source threat intelligence platform.
- PhishStats – Phishing statistics.
- threatfeeds.io – Free and open-source threat intelligence feeds.
- ThreatConnect – Technical blogs and reports.
- ThreatMiner – Data mining for threat intelligence.
- VirusShare – Currently contains 38,614,235 malware samples.
- 1st Dual Stack Threat Feed by MrLooquer
- IOC Finder – A free tool for collecting host system data and reporting the presence of IOCs.
Use case management
- Uncoder – SIEM rules translator; converts rules from one SIEM format to another, including Splunk, QRadar, Elastic, Sigma, Kafka, Azure Sentinel and more.
- SOC Prime – Threat detection marketplace
- MITRE ATT&CK – Globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
- SecurityLogicLibrary – Exhaustive open-source, threat-based use case library for any security professional or team wanting to detect threat techniques, tactics and procedures using various methods and mechanisms.
- LogRhythm use cases based on different industries.
- Elastic detection engine use cases – Lists the prebuilt rules in the Elastic detection engine.
- IBM threat use cases by log source/type.
- SIEM use cases from Gartner.
- 27 SIEM use cases from LogTitan.
- QRadar use case examples.
- NIST use cases.
- Cisco ASA use cases discussed in a Fortinet forum.
- SOAR use cases from Swimlane.
- Cyware SOAR use cases.
- Cortex XSOAR use cases.
Malware Analysis
- Any.run – Interactive malware analysis.
- Hybrid Analysis – Free automated malware analysis.
- Manalyzer – Free static analysis.
- JoeSandbox – Malware sandbox and analysis community edition.
- Cuckoo Sandbox – Downloadable open-source malware analysis tool.
- Comodo Valkyrie – Valkyrie conducts several analyses using run-time behaviour.
- REMnux – Linux toolkit for reverse-engineering and analyzing malicious software.
- SANS must-have free resources for malware analysis.
- Triage – Malware analysis sandbox designed for cross-platform support (Windows, Android, Linux, and macOS).
Incident Response
- Redline – Free endpoint security tool that provides host investigative capabilities for finding signs of malicious activity through memory and file analysis and the development of a threat assessment profile.
- Memoryze – Free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images and, on live systems, can include the paging file in its analysis.
- FakeNet-NG – Open-source tool designed for the latest versions of Windows and Linux (Linux has some restrictions). FakeNet-NG is based on the FakeNet tool developed by Andrew Honig and Michael Sikorski. It allows you to intercept and redirect all or specific network traffic while simulating legitimate network services.
- FLOSS – Open-source tool that automatically detects, extracts and decodes obfuscated strings in Windows Portable Executable (PE) files.
- FLARE VM – Freely available, open-source Windows-based security distribution designed for reverse engineers, malware analysts, incident responders, forensicators and penetration testers, inspired by open-source Linux-based security distributions such as Kali Linux and REMnux.
- FTK Imager – Popular imaging tool that lets you collect evidence of an incident for further analysis.
- Sysinternals Suite – The Sysinternals troubleshooting utilities rolled up into a single suite; the download contains the individual troubleshooting tools and their help files.
- Registry Browser – Allows searching and reporting across the entire registry at once (instead of hive by hive).
- Regshot – Takes snapshots of the registry before and after performing a task or executing a file, then compares them to find the differences.
- Capture BAT – Captures the behaviour of a process or file when it is executed, including parent-child process relationships.
- PEStudio – Spots suspicious artifacts within executable files to ease and accelerate initial malware assessment.
- RootkitRevealer – Scans and lists registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.
- XAMPP – Lets you quickly stand up a web server and database to support malware analysis.
- HxD – Hex and disk editor.
- Beagle – Incident response and digital forensics tool that transforms data sources and logs into graphs. Supported data sources include FireEye HX triages, Windows EVTX files, Sysmon logs and raw Windows memory images.
Red Team – Penetration testing tools
- OSINT Framework – Tree view listing various tools for red and purple teams.
- Wireshark – Packet capture tool.
- Metasploit – Penetration testing framework.
- Burp Suite – Application security testing, community edition.
- Angry IP Scanner – Open-source, cross-platform network scanner designed to be fast and simple to use. It scans IP addresses, ports and more.
- sqlmap – Open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
- SecLists – A collection of multiple types of lists used during security assessments, collected in one place.
- Payloads – List of useful payloads and bypasses for web application security.
- Exploit-DB – Exploit database for penetration testers and researchers.
- Free tools from Thycotic – Includes tools to check for weak passwords, Windows/Unix privileged account discovery, Windows least-privilege account discovery, and a browser-stored password discovery tool.
- Free AD tools from ManageEngine – Includes Last Logon Reporter, AD Query Tool, Empty Password Reporter, Password Expiry Notifier, Weak Password Users Report, and more.
- SolarWinds free IT security tools – Includes Firewall Browser, Event Log Consolidator, Access Rights Auditor, Permissions Analyzer for AD, and more.
- OWASP Dependency-Check – Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies.
- OWASP Dependency-Track – Platform that allows organizations to identify and reduce risk in the software supply chain.
- Container Scanning – Scanner to identify vulnerabilities in Docker containers.
Do you have a suggestion for a tool that is missing from this list? Please leave a comment so it can be added.