
🧰 Toolset & Environments

A concise reference of tools, common commands, and recommended lab environments
for static, dynamic, and memory forensic malware analysis. And yes, I used AI to import all these emojis :).


🗂️ Table of Contents

  • 🧱 Lab Environments
  • 🔍 Static Analysis
  • 🧪 Dynamic Analysis / Sandboxing
  • 🧠 Memory Forensics & Live Response
  • 🌐 Network Analysis
  • 🎯 Detection & Hunting Tools
  • 💻 Scripting & Automation
  • 📦 Packaging, Storage & Safety Tips

🧱 Lab Environments

  • Snapshots & Isolation

    • Use VM snapshots and restore for reproducible runs (VMware, VirtualBox, Hyper-V).
    • Keep analysis VMs air-gapped or behind controlled emulation (e.g., FakeNet-NG / INetSim).
  • Recommended Distributions

    • 🧊 REMnux — Linux distro for malware analysis (network, unpacking). This is what I use!
    • 💻 FLARE VM — Windows analysis tooling image (reversing, debuggers).
  • Lightweight Environments

    • For lightweight VMs, I'd just recommend installing Windows from the base ISO and adding only the tools you need. VMs (especially Windows) can get huge and take up a lot of disk space.
    • For Windows, go download the official Windows ISO from here, and follow a setup video like this one. I recommend downloading the media creation tool and generating an ISO.
    • For Linux, REMnux should be lightweight enough.

🔍 Static Analysis

Primary goals: identify packing, strings, imports, sections, and high-level behavior.

  • GUI Tools

    • 🧩 Ghidra — full-featured decompiler and analysis suite. What I tend to use for most binaries.
    • 🪄 Cutter — great assembly flow graph; excellent for visualizing loops, encryption, and anti-analysis logic.
    • 🧱 dnSpy / ILSpy — for decompiling (and, with dnSpy, debugging) .NET assemblies.
    • 💰 IDA Pro / Hex-Rays — industry-standard disassembler (if you have $$$).
    • 💎 Binary Ninja — great RE tool with a solid free version.
  • CLI / Small Helpers

    • 🐍 pefile — parse PE headers and sections.
    • ⚙️ lief — modify/inspect PE, ELF, and Mach-O binaries.
    • 🔡 strings — extract ASCII/Unicode literals.
    • 🧾 DIE (Detect It Easy) / PEStudio — static indicators summary.
  • 💡 Keep in Mind

    • Entropy checks → detect packing/compression.
    • Import table & load command inspection → suspicious API usage.
    • Certificate & timestamp validation → detect tampering or spoofed signing.
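The entropy and import checks in the list above, as an added example that is not part of this repository's scripts: it walks the PE section table with the standard library only (no pefile), reports per-section Shannon entropy with a packed/encrypted flag, and maps a list of imported API names to why triage tools tend to highlight them. The 7.0 bits/byte threshold and the short import table are assumptions for the demo; the sample PE is constructed in the block and is header-only.

```python
import math
import struct
from collections import Counter

# Rule-of-thumb threshold: sections above ~7 bits/byte are usually packed or
# encrypted (an assumption for this demo; tune it against your own corpus).
PACKED_ENTROPY_THRESHOLD = 7.0

# Illustrative subset of imports that static-indicator tools flag for review.
NOTEWORTHY_IMPORTS = {
    "IsDebuggerPresent": "anti-debugging check",
    "VirtualAllocEx": "memory allocation in another process",
    "WriteProcessMemory": "writes into another process",
    "CreateRemoteThread": "remote thread creation (injection pattern)",
    "URLDownloadToFileA": "downloads a file over HTTP",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Walk the PE section table with struct only (no pefile); yields (name, raw_bytes)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16.
    num_sections, size_opt = struct.unpack_from("<H12xH", pe, coff + 2)
    table = coff + 20 + size_opt
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), pe[raw_ptr:raw_ptr + raw_size]


def section_report(pe: bytes):
    """Per-section size and entropy, with the packed/encrypted flag the checklist refers to."""
    rows = []
    for name, data in parse_sections(pe):
        h = shannon_entropy(data)
        rows.append({"name": name, "size": len(data), "entropy": round(h, 2),
                     "flagged": h >= PACKED_ENTROPY_THRESHOLD})
    return rows


def triage_imports(imports):
    """Map imported API names (as pefile or a disassembler lists them) to why they matter."""
    return {api: NOTEWORTHY_IMPORTS[api] for api in imports if api in NOTEWORTHY_IMPORTS}


def build_synthetic_pe(sections):
    """Constructed, header-only PE image: just enough structure for the section walk."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=x64, NumberOfSections, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader=0, flags
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x22)
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(sections)
    table, blobs = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), 0x1000,
                             len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(data)
        blobs += data
    return dos + b"PE\0\0" + coff + table + blobs


# Constructed sample: a uniform-byte ".text" (looks packed), a zero-filled ".data",
# and a two-symbol ".rsrc" whose entropy is exactly 1 bit/byte.
SAMPLE_PE = build_synthetic_pe([
    (".text", bytes(range(256)) * 16),
    (".data", b"\0" * 4096),
    (".rsrc", b"A" * 100 + b"B" * 100),
])
SAMPLE_IMPORTS = ["CreateFileW", "IsDebuggerPresent", "WriteProcessMemory", "ExitProcess"]

if __name__ == "__main__":
    for row in section_report(SAMPLE_PE):
        print(row)
    print(triage_imports(SAMPLE_IMPORTS))
```

On a real file, read the bytes and pass them to `section_report`; a single high-entropy section next to a nearly empty `.text` is the classic packer layout, while uniformly high entropy across the image usually means the whole file is compressed or encrypted.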

🧪 Dynamic Analysis / Sandboxing

Primary goals: observe runtime behavior, persistence, and network activity.

  • Interactive Debuggers

    • 🐧 GDB — go-to debugger for ELF binaries.
    • 🍏 LLDB — debugger for Mach-O binaries.
    • 🪟 x64dbg — user-land debugger for Windows binaries.
  • Behavior Monitoring

    • 🔎 Velociraptor — endpoint collection and analysis (mini-SIEM on your VM).
    • 🧰 Procmon — real-time tracing of file, registry, process/thread, and network activity.
    • 🧬 Process Explorer — process tree inspection and handles.
    • 🪞 Regshot — snapshot registry/file changes.
  • Sandbox Platforms

  • Controlled Network Emulation

    • 🕸️ FakeNet-NG / INetSim — capture callbacks safely without real internet exposure.

🧠 Memory Forensics & Live Response

I don't really do a lot of in-memory forensics unless I have to, but here are a few good tools:

  • Tools & Frameworks

    • 🧩 Volatility 3 — memory image analysis framework with plugin-based extraction of processes, modules, and network state.
    • 🧬 LiME — Linux memory acquisition.
    • 🪟 DumpIt / WinPmem — Windows memory acquisition tools.
  • Common Use Cases

    • Extract process memory, injected code, network sockets, DLLs, and command lines.
    • Hunt for hidden processes, kernel modules, and loaded drivers.
  • Persistence & Credential Artifacts

    • Search for plaintext configs, credentials, or embedded keys in memory dumps.

🌐 Network Analysis

  • Packet Capture & Inspection

    • 🧮 Wireshark — go-to packet-level inspection.
    • 🔍 NetworkMiner — GUI network traffic analysis and extraction.
    • 📡 tcpdump — CLI packet capture.
  • Traffic Analysis & Enrichment

    • Extract domains, IPs, HTTP user agents, TLS fingerprints.
    • Identify C2 domains and analyze network behaviors.
  • Threat Intel Enrichment


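The "Traffic Analysis & Enrichment" bullets above, as an added example that is not part of this repository: a standard-library walk over a classic libpcap file that pulls HTTP Host and User-Agent values (plus endpoints and port) out of plaintext requests, the same fields you would otherwise export from Wireshark or NetworkMiner. The capture is constructed inside the block with reserved documentation addresses and a made-up hostname; pcapng and non-Ethernet link types are deliberately out of scope.

```python
import socket
import struct

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"


def _parse_http_request(payload: bytes):
    """Return (host, user_agent) from a plaintext HTTP/1.x request, or None if it is not one."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines[0].endswith((b" HTTP/1.0", b" HTTP/1.1")):
        return None
    headers = {}
    for line in lines[1:]:
        key, sep, value = line.partition(b":")
        if sep:
            headers[key.strip().lower()] = value.strip().decode("latin-1")
    return headers.get(b"host"), headers.get(b"user-agent")


def _parse_frame(frame: bytes):
    """Ethernet -> IPv4 -> TCP -> HTTP; returns an indicator dict or None."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != 6:  # protocol field: 6 = TCP
        return None
    tcp = ip[ihl:total_len]
    dport = struct.unpack_from("!H", tcp, 2)[0]
    data_off = (tcp[12] >> 4) * 4
    parsed = _parse_http_request(tcp[data_off:])
    if parsed is None:
        return None
    host, ua = parsed
    return {
        "src": socket.inet_ntoa(ip[12:16]),
        "dst": socket.inet_ntoa(ip[16:20]),
        "dport": dport,
        "host": host,
        "user_agent": ua,
    }


def extract_http_indicators(pcap: bytes):
    """Walk a classic libpcap file (Ethernet link type) and collect HTTP Host / User-Agent hits."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "I", pcap, 20)[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    results, off = [], 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        indicator = _parse_frame(pcap[off:off + incl_len])
        off += incl_len
        if indicator:
            results.append(indicator)
    return results


# ---- constructed sample capture (not real traffic) ----
def _tcp_frame(src_ip, dst_ip, dport, payload: bytes) -> bytes:
    # Minimal 20-byte TCP and IPv4 headers; checksums are left zero since we only parse.
    tcp = struct.pack("!HHIIBBHHH", 49152, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + ETHERTYPE_IPV4
    return eth + ip + tcp + payload


def _pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = _pcap([
    _tcp_frame("10.0.0.5", "203.0.113.7", 80,
               b"GET /check HTTP/1.1\r\nHost: beacon.example\r\n"
               b"User-Agent: Mozilla/4.0 (constructed-sample)\r\n\r\n"),
    _tcp_frame("10.0.0.5", "203.0.113.9", 443, b"\x16\x03\x01\x00\x05hello"),  # non-HTTP, skipped
])

if __name__ == "__main__":
    for hit in extract_http_indicators(SAMPLE_PCAP):
        print(hit)
```

The extracted host, destination IP and user agent are exactly the values you would feed into enrichment (passive DNS, reputation lookups) or turn into a detection rule; an unusual or outdated User-Agent string on a beaconing interval is often the first thing that stands out in the output.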
🎯 Detection & Hunting Tools

  • 🧬 YARA — signature-based pattern matching for binaries and memory.
  • 🧾 Sigma — SIEM/EDR detection rule framework.

(Planned additions: Capa, MISP, and Elastic Stack integrations.)


💻 Scripting & Automation

  • Languages

    • 🐍 Python — for parsing, automating flows (pefile, lief, capstone). Also used by Ghidra (Jython).
    • PowerShell — powerful for Windows triage and reversing loaders.
    • 🐚 Bash — handy for automation on Linux, though less common in my workflow.
  • Useful Libraries

  • Practices

    • Keep helper scripts under /utils/scripts/ (to be populated).
    • Likely will include C2 extraction scripts and parser utilities.

📦 Packaging, Storage & Safety Tips

  • 🚫 Never commit raw, unencrypted malware binaries to public repos.
  • 📁 Archiving
    • ALL ARTEFACT ARCHIVES USE THE PASSWORD: infected