Kevin Caballero's starred repositories
attack_range
A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk
Microsoft365DSC
Manages, configures, extracts and monitors Microsoft 365 tenant configurations
o365_dataset
A dataset containing Office 365 Unified Audit Logs for security research and detection
stratus-red-team
Granular, Actionable Adversary Emulation for the Cloud
Purpleteam
Purple team simulation and detection scripts: trigger events to exercise SOC detections
Hunting-Queries-Detection-Rules
KQL queries for Defender for Endpoint and Azure Sentinel hunting and detection. Out-of-the-box KQL queries for Advanced Hunting, Custom Detections, Analytics Rules and Hunting Rules.
KQLAnalyzer
REST server that can analyze Kusto KQL queries against the Sentinel and Microsoft 365 Defender schemas.
AzureAAD-ManagedId-RoleAssignmentsCleanupOrphanedAccounts
Azure AD managed identity role assignment inheritance, and cleanup of orphaned role assignments
awesome-kubernetes-threat-detection
A curated list of resources about detecting threats and defending Kubernetes systems.
ChopChopGo
Rapidly Search and Hunt through Linux Forensics Artifacts
DFIR-O365RC
PowerShell module for Office 365 and Azure log collection
Azure-Sentinel
Cloud-native SIEM for intelligent security analytics for your entire enterprise.
ThreatHunter-Playbook
A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient.
DFIR-Resources
Some important DFIR Resources
MDE-Quickstart
MDE Quickstart is a battle-tested MDE policy set designed to be restored with Intune Backup & Restore
SentinelAutomationModules
The Microsoft Sentinel Triage AssistanT (STAT) makes it easy to create incident triage automation in Microsoft Sentinel
AzureAD-Attack-Defense
This publication is a collection of various common attack scenarios on Microsoft Entra ID (formerly known as Azure Active Directory) and how they can be mitigated or detected.
WindowsTimeline
Windows 10 (v1803+) ActivitiesCache.db parsers (SQLite, PowerShell, .EXE)
TheDefendersGuide
The Github project for The Defender's Guide by Luke Paine and Jonathan Johnson
xdg-credentials-portal
FIDO2 (WebAuthn) and FIDO U2F platform library for Linux written in Rust; includes a proposal for a new D-Bus Portal interface for FIDO2, accessible from Flatpak apps and Snaps 🔑
DFIRArtifactMuseum
The goal of this repo is to archive artifacts from all versions of various operating systems and categorize them by type. This helps with artifact validation and increases access to artifacts that may no longer be readily available.
FalconFriday
Hunting queries and detections
AzureHunter
A cloud forensics PowerShell module to run threat hunting playbooks on data from Azure and O365