Malware/IR-Tools-Resources
This repo contains resources for the following:
1] Malware Analysis
2] Threat Hunting
3] Incident Response
4] Threat Intelligence
Skill Set
1. Advanced Persistent Threat [APT] Reference:
| Name | Note |
|---|---|
| MITRE ATT&CK | APT Details |
| Cyber Research | |
| Threat Actor Encyclopedia | APT Details |
| APT Google Sheet | APT Details |
| FireEye | APT Details |
| CyberMonitor | APT Details |
| Florian Roth | APT Details |
| MalPedia | APT Details |
| Threat Actor Encyclopedia V 2.0 | APT Details |
2. Books:
| Name | Version |
|---|---|
| Practical Malware Analysis | Paid |
| Learning Malware Analysis | Paid |
| Malware Analysis and Detection Engineering | Paid |
| Mastering Malware Analysis | Paid |
| Practical Reverse Engineering | Paid |
| The Art of Memory Forensics | Paid |
| Windows Internals, Part 1 | Paid |
| The IDA Pro Book, 2nd Edition | Paid |
| Reverse Engineering for Beginners | Free |
3. Classes/Labs
4. Capture The Flag...! [CTF]
| Name/Link |
|---|
| Flare-On Challenge |
| Join ESET |
| Beginner Malware Reversing Challenges |
| Reverse Engineering challenges |
| 0x00sec |
| CTF Field Guide |
5. Deobfuscation Tools:
| Name | Version | Platform | Description |
|---|---|---|---|
| Decalage | Free | Python | A malware analysis tool for reversing obfuscation (XOR, ROL, etc.) and more. |
| De4dot | Free | Windows | .NET deobfuscator and unpacker. |
| Floss | Free | All OS platforms | The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries. |
| PackerAttacker | Free | Windows | The Packer Attacker is a generic hidden code extractor for Windows malware. |
| Unpacker | Free | Python, Windows | Automated malware unpacker for Windows malware based on WinAppDbg. |
| VirtualDeobfuscator | Free | Python | Reverse engineering tool for virtualization wrappers. |
| XORSearch & XORStrings | Free | Windows | A couple of programs from Didier Stevens for finding XORed data. |
| Unpac.Me | Registration | Online | An automated malware unpacking service. |
| CyberChef | Free | Online | The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis. |
6. Disassembler Tools:
| Name | Version | Platform |
|---|---|---|
| X64 | Free | Windows |
| OllyDbg | Free | Windows |
| ILSpy | Free | Windows .NET |
| dnSpy | Free | Windows .NET |
| GDB | Free | All OS platforms |
| Binary Ninja | Free | All OS platforms |
| Qira | Free | Linux |
7. Document Analysis Tools:
| Name | Version | Platform |
|---|---|---|
| oletools | Free | Python |
| Didier's PDF Tools | Free | Python |
| Origami | Free | Ruby |
| REMnux | Free | Virtual Machine |
| | Free | Binary |
| ViperMonkey | Free | Python |
8. Dynamic Analysis Tools:
| Name | Version | Platform | Description |
|---|---|---|---|
| Sysinternals | Free | Windows | The Sysinternals Troubleshooting Utilities have been rolled up into a single Suite of tools. This file contains the individual troubleshooting tools and help files. |
| Process Hacker | Free | Windows | Powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. |
| NirSoft | Free | Windows | Collection of tools that help during IR and malware analysis. |
| RegRipper | Free | Windows | A tool used for registry analysis in forensic examinations. |
| Regshot | Free | Windows | Regshot allows you to quickly take a snapshot of your registry and then compare it with a second one taken after making system changes or installing a new software product. |
| Resource Hacker | Free | Windows | Resource Hacker is a complete resource editing tool that is free, has no unwanted notifications and has no adverts. It may be used for viewing, compiling, decompiling and recompiling your resources, and does all of this for all popular 64-bit and 32-bit Windows executables. |
| HxD | Free | Windows | Freeware hex editor and disk editor. |
| SysAnalyzer | Free | Windows | Automated tool to collect, compare and report on the actions a binary took while running on the system. It is included in the FLARE VM tool set. |
| Objective-See | Free | Mac OS | Free Mac security tools. |
| WinAudit | Free | Windows | Creates a comprehensive report on a machine's configuration, hardware and software. WinAudit is free, open source and can be used or distributed by anyone. It is used by IT experts in academia, government and industry, as well as security-conscious professionals in the armed services, defence contractors, electricity generators and police forces. |
| CaptureBAT | Free | Windows | A behavioral analysis tool for applications on the Win32 operating system family. Capture BAT monitors the state of a system during the execution of applications and processing of documents, which gives an analyst insight into how the software operates even if no source code is available. It monitors state changes at a low kernel level and can easily be used across various Win32 operating system versions and configurations. CaptureBAT is developed and maintained by Christian Seifert of the NZ Chapter. |
9. File Carving Tools:
| Name | Version | Platform | Description |
|---|---|---|---|
| Bulk Extractor | Free | Linux, Mac OS | Fast file carving tool. |
| EVTXtract | Free | Windows | Carves Windows Event Log files from raw binary data. |
| Foremost | Free | Linux, Mac OS | Foremost is a console program to recover files based on their headers, footers and internal data structures. This process is commonly referred to as data carving. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc., or directly on a drive. The headers and footers can be specified by a configuration file, or you can use command line switches to specify built-in file types. |
| Hachoir3 | Free | Python | Hachoir is a Python library to view and edit a binary stream field by field. |
10. Honeypot Reference:
| Name | Description |
|---|---|
| Conpot | ICS/SCADA honeypot. |
| Cowrie | SSH honeypot based on Kippo. |
| DemoHunter | Low-interaction distributed honeypots. |
| Dionaea | Honeypot designed to trap malware. |
| Glastopf | Web application honeypot. |
| Honeyd | Create a virtual honeynet. |
| HoneyDrive | Honeypot bundle Linux distro. |
| Honeytrap | Open-source system for running, monitoring and managing honeypots. |
| MHN | MHN is a centralized server for management and data collection of honeypots. MHN allows you to deploy sensors quickly and to collect data immediately, viewable from a neat web interface. |
| Mnemosyne | A normalizer for honeypot data; supports Dionaea. |
| Thug | Low-interaction honeyclient for investigating malicious websites. |
[Reference](https://github.com/rshipp/awesome-malware-analysis)
11. Malware Analysis Course:
| Name | Version | Organiser |
|---|---|---|
| | Paid | FireEye |
| | Paid | SANS |
| | Paid | SecurityXploded |
| | Free | SecurityXploded |
| | Free | SecurityXploded |
12. Malware Samples:
| Name | Version | Registration | E-mail ID |
|---|---|---|---|
| | Free | Yes | |
| | Free | Yes | |
| | Free | Yes | N/A |
| | Free | No | N/A |
| | Free | Yes | |
| | Free | Yes | N/A |
| | Free | No | N/A |
| | Free | Yes | N/A |
| | Free | No | N/A |
| | Free | No | N/A |
| | Free | No | N/A |
| | Free | No | N/A |
| | Free | No | N/A |
These links contain live malware samples. Run them only in a controlled environment (an isolated VM).
13. Memory Acquisition Tools:
| Name | Version | Platform |
|---|---|---|
| | Free | Windows |
| | Free | Windows |
| | Free | Windows |
| | Free | Windows, Mac OS |
| | Free | Windows |
| | Free | Linux |
14. Memory Analysis Tools:
| Name | Version | Platform | Description |
|---|---|---|---|
| | Free | Windows, Linux, Mac OS | The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. |
| | Free | Windows, Linux, Mac OS | Rekall is the most complete memory analysis framework. Rekall provides an end-to-end solution to incident responders and forensic analysts, from state-of-the-art acquisition tools to the most advanced open source memory analysis framework. Rekall provides cross-platform solutions on Windows, Mac OS X and Linux. Additionally, each operating system has its own memory acquisition tool provided by Rekall, called pmem. |
| | Free | Windows | Redline, FireEye's premier free endpoint security tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile. |
15. Network Analysis Tools:
| Name | Version | Platform |
|---|---|---|
| | Free | Windows, Linux, Mac OS |
| | Free | Windows |
| | Free | Windows |
| | Free | Windows |
| | Free | Windows, Linux |
| | Free | Linux |
| | Free | Windows |
16. Offline Sandbox:
| Name | Version | Platform | Description |
|---|---|---|---|
| | Free | Windows, Linux, Android | Document Analyzer, File Analyzer |
| | Free | Linux | Document Analyzer, File Analyzer, Memory Analyzer |
| | Free | Windows | Document Analyzer, File Analyzer |
| | Free | Windows | Document Analyzer, File Analyzer |
17. Online Sandbox:
| Name | Registration | Platform | Description | Sample Download |
|---|---|---|---|---|
| | Yes | Windows, Android | Document Analyzer, File Analyzer | Yes |
| | No | Windows, Android | URL Analyzer, Document Analyzer, File Analyzer, APK Analyzer | No |
| | No | Windows, Linux, Android | URL Analyzer, Document Analyzer, File Analyzer | No |
| | User Preference | Windows | URL Analyzer, Document Analyzer, File Analyzer, Yara Analyzer, Hash Analyzer, IP Analyzer | Yes |
| | Yes | Windows | Document Analyzer, File Analyzer | No |
| | User Preference | Windows, Android, Linux, Mac OS | URL Analyzer, Document Analyzer, File Analyzer, APK Analyzer, Hash Analyzer, IP Analyzer, Domain Analyzer | No |
| | User Preference | Windows | URL Analyzer, Document Analyzer, File Analyzer | Yes |
| | User Preference | Windows | URL Analyzer | N/A |
| | User Preference | Windows | URL Analyzer | N/A |
| | No | Windows | URL Analyzer | N/A |
| | No | Windows | Hash Analyzer, IP Analyzer, Domain Analyzer | No |
| | Yes | Windows | Document Analyzer, File Analyzer | No |
| | Yes | Windows | IOC Search engine | No |
| | Yes | Windows | Document Analyzer, File Analyzer | No |
| | Yes | Windows | Document Analyzer, File Analyzer | No |
| | Yes | Windows, Linux, Android | URL Analyzer, Document Analyzer, File Analyzer, APK Analyzer, Domain Analyzer | Yes |
18. Portable Executable [PE] Analysis Tools:
| Name | Version | Platform |
|---|---|---|
| | Free | Windows, Linux, Mac OS |
| | Free | Windows |
| | Free | Windows |
| | Free | Windows |
| | Free | Windows |
| | Free | Windows |
| | Free | Windows |
| | Free | Windows |
| | Free | Windows |
| | Free | Windows |
| | Free | Windows |
| | Free | Windows |
| | Free | Windows |
| | Free | Windows |
| | Free | Windows |
19. Reverse Engineering Tools:
| Name | Version | Platform |
|---|---|---|
| | Paid | Windows |
| | Free | Windows, Linux, Mac OS |
| | Free | Windows |
| | Free | Linux |
20. Scripts:
| Name | Platform | Author |
|---|---|---|
| | Python | Ptr32Void |
| | Python | Deadbits |
| | C, IDA, Python, Ruby, Yara | Spider Labs |
| | Python | Shilpesh Trivedi |
| | Python | Xen0ph0n |
| | Python, IDA | OALabs |
| | Python | Shilpesh Trivedi |
| | Tools | Hasherezade |
| | Python, Yara, Tools | Florian Roth |
21. Threat Hunting:
21.1. Threat Hunting Reference:
| Name | Description |
|---|---|
| | Website for information related to hunting techniques. |
| | Website for information to start threat hunting. |
| | A very handy book. |
21.2. Threat Hunting Practical Activities:
| Name | Description |
|---|---|
| | This is a container for Windows event samples associated with specific attack and post-exploitation techniques. It can be useful for: 1] testing your detection scripts based on EVTX parsing, 2] training on DFIR and threat hunting using event logs, 3] designing detection use cases using Windows and Sysmon event logs, 4] avoiding/bypassing the noisy techniques if you are a red teamer. |
| | Atomic Red Team allows every security team to test their controls by executing simple "atomic tests" that exercise the same techniques used by adversaries. |
21.3. Threat Hunting Videos:
| Name | Description |
|---|---|
| | Fix Me19 Intrusion Hunting for the Masses: A Practical Guide, David Sharpe. |
| | Threat Hunting in Security Operations - SANS Threat Hunting Summit 2017. |
| | Threat Hunting Web Shells With Splunk. |
| | How to Build Threat Hunting into Your Security Operations. |
21.4. Threat Hunting Tools:
| Name | Version | Description |
|---|---|---|
| | Free | A platform that helps to create use cases and hypotheses for threat hunting. |
| | Free | The HELK is one of the first open source hunt platforms with advanced analytics capabilities such as SQL declarative language, graphing, structured streaming, and even machine learning via Jupyter notebooks and Apache Spark over an ELK stack. This project was developed primarily for research, but due to its flexible design and core components, it can be deployed in larger environments with the right configurations and scalable infrastructure. |
| | Free | System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. |
| | Free | Performant endpoint visibility; supports all OS platforms. |
| | Free | ThreatPursuit Virtual Machine (VM) is a fully customizable, open-sourced Windows-based distribution focused on threat intelligence analysis and hunting, designed for intel and malware analysts as well as threat hunters to get up and running quickly. The threat intelligence analyst role is a subset and specialized member of the blue team. Individuals in this role generally have a strong impetus for knowing the threat environment. Often their traits, skills and experiences will vary depending on training and subject matter expertise. |
21.5. Threat Hunting Course:
| Name | Version |
|---|---|
| | Paid |
| | Paid |
| | Paid |
21.6. Threat Hunting Blogposts:
| Name | Description |
|---|---|
| | Gives new techniques for Red Team and Threat Hunting TTPs. |
| | Gives new techniques for Red Team and Threat Hunting TTPs. |
| | Gives new techniques for Red Team and Threat Hunting TTPs. |
| | Case Studies |
22. Threat Intelligence:
| Source Name | Subscription | Status |
|---|---|---|
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
| | Free | Online |
22. Twitter Handle to follow:
Twitter Handle Author |
---|
23. Virtual Machines (VMs):
| Name | Version | Platform | Description |
|---|---|---|---|
| | Free | Windows | Microsoft Edge Legacy using free Windows 10 virtual machines you download and manage locally. The password to your VM is 'Passw0rd!' |
| | Free | Linux | OsBoxes offers open-source (Linux/Unix) virtual machines (VDIs) for VirtualBox, installed and made ready to use as VirtualBox images. The username is 'osboxes.org' and the password is 'osboxes.org'. |
| | Free | Windows | FLARE VM - a fully customizable, Windows-based security distribution for malware analysis, incident response and penetration testing. It comes with all the tools required for malware analysis. |
| | Free | Windows | This tutorial provides instructions for the installation and configuration of a free Windows 7 VM with the OAlabs-VM installer. |
| | Free | Linux | Linux toolkit for reverse-engineering and analyzing malware. |
| | Free | Windows | Detection Lab is a collection of Packer and Vagrant scripts that allow you to quickly bring a Windows Active Directory online, complete with a collection of endpoint security tooling and logging best practices. |
24. Yara Tools:
Name |
---|
25. YouTube Channel for Malware Analysis:
YouTube Channel Name |
---|
26. Other Tools:
| Name | Version | Description |
|---|---|---|
| | Free, Paid | FireEye applications |
| | Free | Turns Procmon output and pcap into a behavioral picture. |
| | Free | Web pages that contain exploits often use a series of redirects and obfuscated code to make them more difficult to follow. MalZilla is a useful program for exploring malicious pages. It allows you to choose your own user agent and referrer, and can use proxies. It shows you the full source of web pages and all the HTTP headers, and gives you various decoders to try to deobfuscate JavaScript as well. |
| | Free | Kahu Security is a personal blog used to document and share research and knowledge related to security, digital forensics, reverse engineering and malware analysis. It hosts various malware analysis tools. |
| | Free | Utility that allows you to calculate the MD5 and SHA1 hashes of one or more files on your system. |
| | Free | Advanced text editor. |
| | Free | PInvoke.net is primarily a wiki, allowing developers to find, edit and add PInvoke signatures, user-defined types, and any other information related to calling Win32 and other unmanaged APIs from managed code (written in languages such as C# or VB.NET). |