Resources
These resources have been invaluable throughout my career, and I hope you find them helpful as well.
CelesTLSH Hash Database
This database of TLSH hashes is powered by the Magonia Research product CelesTLSH (pronounced Celestial-s-h), a TLSH anti-malware scanner for the LimaCharlie platform.
A list of TLSH Hashes for FOSS Attack Tools
What It Does
CelesTLSH continuously monitors and indexes GitHub repositories for open-source red teaming and penetration testing tools, generating TLSH (Trend Micro Locality Sensitive Hash) signatures for each release and update. Unlike traditional hash databases that only detect exact matches, our fuzzy hashing approach can identify modified variants and derivatives with configurable similarity thresholds.
Why It Matters
Security teams can leverage this database to:
- Detect potential adversarial tools in your environment, even if slightly modified
- Enhance threat hunting capabilities with similarity-based detection
- Reduce false positives while maintaining high detection accuracy
- Quickly assess discovered artifacts during incident response
How It Works
CelesTLSH automatically tracks new releases of hundreds of security tools, computing TLSH signatures that enable similarity comparisons rather than just exact matches. This approach bridges the gap between traditional file hashing and modern fuzzy matching capabilities, giving defenders a powerful resource for detection and analysis.
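To make the similarity-threshold idea above concrete, here is an added example (not CelesTLSH's or Magonia Research's code) that parses TLSH digests, scores two of them with a reimplementation of the published TLSH distance (length, quartile-ratio and checksum header differences plus the 2-bit bucket body difference), and looks an artifact up in a small database with a configurable threshold. The database entries, the artifact digest and the threshold of 30 are all constructed for illustration and are not real tool signatures or CelesTLSH defaults; in production you would compute digests and distances with the official `tlsh` library and only keep the threshold lookup.

```python
"""Threshold-based lookup of an artifact's TLSH digest against a hash database.

Added example, not CelesTLSH's code. Scoring mirrors the published TLSH
distance; the sample hashes below are constructed, not real tool releases.
"""
from __future__ import annotations
from dataclasses import dataclass

LENGTH_MULT = 12      # weight of a length-bucket difference greater than 1
QRATIO_MULT = 12      # weight of a quartile-ratio difference greater than 1
RANGE_LVALUE = 256    # length bucket is one byte, compared modulo 256
RANGE_QRATIO = 16     # each quartile ratio is one nibble, compared modulo 16
CODE_SIZE = 32        # body: 128 buckets x 2 bits = 32 bytes


def swap_nibbles(b: int) -> int:
    """TLSH hex output stores the header bytes with their nibbles swapped."""
    return ((b & 0xF0) >> 4) | ((b & 0x0F) << 4)


def mod_diff(x: int, y: int, r: int) -> int:
    """Circular distance between two values in the range [0, r)."""
    d = abs(x - y)
    return min(d, r - d)


@dataclass(frozen=True)
class Tlsh:
    checksum: int
    lvalue: int   # log-scaled input length bucket
    q1: int       # q1/q3 ratio nibble
    q2: int       # q2/q3 ratio nibble
    body: bytes   # 32 bytes, four 2-bit bucket codes per byte

    @classmethod
    def parse(cls, text: str) -> Tlsh:
        if text.startswith("T1"):          # version prefix used by current TLSH
            text = text[2:]
        if len(text) != 70:
            raise ValueError("TLSH hex must be 70 characters (plus optional T1 prefix)")
        raw = bytes.fromhex(text)
        qb = swap_nibbles(raw[2])
        return cls(checksum=swap_nibbles(raw[0]), lvalue=swap_nibbles(raw[1]),
                   q1=qb & 0x0F, q2=(qb & 0xF0) >> 4, body=raw[3:])

    def hexdigest(self) -> str:
        qb = (self.q2 << 4) | self.q1
        head = bytes([swap_nibbles(self.checksum), swap_nibbles(self.lvalue), swap_nibbles(qb)])
        return "T1" + (head + self.body).hex().upper()


def body_distance(a: bytes, b: bytes) -> int:
    """Sum of per-bucket code differences; a 0-vs-3 difference is penalised as 6."""
    total = 0
    for x, y in zip(a, b):
        for shift in (0, 2, 4, 6):
            d = abs(((x >> shift) & 3) - ((y >> shift) & 3))
            total += 6 if d == 3 else d
    return total


def tlsh_distance(a: Tlsh, b: Tlsh, len_diff: bool = True) -> int:
    """0 means identical; larger values mean less similar. Lower is a closer match."""
    diff = 0
    if len_diff:
        ld = mod_diff(a.lvalue, b.lvalue, RANGE_LVALUE)
        diff += ld if ld <= 1 else ld * LENGTH_MULT
    for qa, qb in ((a.q1, b.q1), (a.q2, b.q2)):
        qd = mod_diff(qa, qb, RANGE_QRATIO)
        diff += qd if qd <= 1 else (qd - 1) * QRATIO_MULT
    if a.checksum != b.checksum:
        diff += 1
    return diff + body_distance(a.body, b.body)


def find_matches(artifact_hex: str, database: dict[str, str], threshold: int) -> list[tuple[str, int]]:
    """Return (name, distance) for every database entry within the threshold, closest first."""
    artifact = Tlsh.parse(artifact_hex)
    hits = [(name, tlsh_distance(artifact, Tlsh.parse(h))) for name, h in database.items()]
    return sorted((n, d) for n, d in hits if d <= threshold)


# --- constructed sample data (placeholder names, not real tool signatures) ---
def pack_codes(codes: list[int]) -> bytes:
    out = bytearray(CODE_SIZE)
    for i, c in enumerate(codes):
        out[i // 4] |= (c & 3) << (2 * (i % 4))
    return bytes(out)


def sample_digest(codes: list[int], checksum: int, lvalue: int, q1: int, q2: int) -> str:
    return Tlsh(checksum, lvalue, q1, q2, pack_codes(codes)).hexdigest()


BASE_CODES = [(i * 7 + 3) % 4 for i in range(128)]
VARIANT_CODES = list(BASE_CODES)
for pos in (10, 50, 90):            # three buckets nudged by one code each: +3 distance
    VARIANT_CODES[pos] = (VARIANT_CODES[pos] + 1) % 4
UNRELATED_CODES = [(i * 5 + 1) % 4 for i in range(128)]

SAMPLE_DB = {
    "example-tool-v1.0": sample_digest(BASE_CODES, 0x5A, 0x80, 3, 5),
    "unrelated-tool-v2.3": sample_digest(UNRELATED_CODES, 0x17, 0xC0, 9, 12),
}
# A lightly modified build: checksum differs (+1), length bucket +1 (+1), body +3 = distance 5.
ARTIFACT = sample_digest(VARIANT_CODES, 0x5B, 0x81, 3, 5)

if __name__ == "__main__":
    for name, dist in find_matches(ARTIFACT, SAMPLE_DB, threshold=30):
        print(f"{name}: distance {dist}")
```

The threshold is the knob the text refers to: a tighter value such as 4 would miss this variant while still catching byte-identical releases, and a looser one trades precision for recall, which is why a distance well under the default cut-off is worth triaging first during incident response.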
Environment Hardening / Configuration
- Windows Server Security Guidelines: Official Microsoft documentation for system services security in Windows Server.
- Controlled Folder Access: Guidance on protecting system folders in Microsoft 365.
Detection
- The Pyramid of Pain: A blog post about the difficulties adversaries face when their tactics, techniques, and procedures are identified and countered.
- Malware Archaeology Cheat Sheets: A collection of cheat sheets for incident response and log management.
- Sigma: A generic signature format for SIEM systems.
- Auditd Rules: A repository containing audit rules for Linux systems.
- DNIF Content: Security content for the DNIF platform.
- OTRF: Open Threat Research Foundation's GitHub repository.
- Panther Analysis: A collection of detections for the Panther platform.
- Microsoft 365 Defender Hunting Queries: Hunting queries for Microsoft 365 Defender.
- SophosLabs IoCs: Indicators of compromise from SophosLabs.
- FalconFriday: Weekly threat hunting exercises from FalconForce.
- Splunk Detections: A collection of detections from Splunk.
- Chronicle Detection Rules: A repository of detection rules from Chronicle.
- Elastic Detection Rules: A repository of detection rules for Elastic Security.
Tools
- Canary Tokens: A free service for generating honeypot tokens.
- Threat Hunter Playbook: A playbook for threat hunting and security analytics.
- CrowdStrike DFIR Tracker: A digital forensics and incident response tracker from CrowdStrike.
- CyberChef: A web app for encryption, encoding, compression, and data analysis.
- CyberChef Recipes: A collection of recipes for CyberChef.
Education
- Network Defense Library: A collection of cybersecurity courses.
- Sandfly Security Blog: A blog covering various cybersecurity topics.
- MITRE ATT&CK: A globally accessible knowledge base of adversary tactics and techniques.
- MITRE D3FEND: A complementary framework to MITRE ATT&CK, focused on defensive countermeasures.
- The C2 Matrix: A comprehensive matrix of command and control frameworks, techniques, and evaluation criteria.
- The DFIR Report: A website that shares digital forensics and incident response case studies.
Other
- Security Identifiers in Windows: Microsoft documentation on security identifiers in Windows Server.
- Big-Ass Data Broker Opt-Out List: A comprehensive list of data brokers and instructions on how to opt out of their services.