hacktricks/forensics/basic-forensic-methodology/malware-analysis.md

# Malware Analise

{% hint style="success" %}
Leer & oefen AWS Hack:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Leer & oefen GCP Hack: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Opleiding GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Ondersteun HackTricks</summary>

* Kontroleer die [**inskrywingsplanne**](https://github.com/sponsors/carlospolop)!
* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Deel hacktruuks deur PRs in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

## Forensiese Spiekbriefjies

[https://www.jaiminton.com/cheatsheet/DFIR/#](https://www.jaiminton.com/cheatsheet/DFIR/)

## Aanlyn Dienste

* [VirusTotal](https://www.virustotal.com/gui/home/upload)
* [HybridAnalysis](https://www.hybrid-analysis.com)
* [Koodous](https://koodous.com)
* [Intezer](https://analyze.intezer.com)
* [Any.Run](https://any.run/)

## Aflyn Antivirus en Opmerking Gereedskap

### Yara

#### Installeer
```bash
sudo apt-get install -y yara
```
#### Maak reëls gereed

Gebruik hierdie skrip om al die yara-malware-reëls vanaf github af te laai en saam te voeg: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\
Skep die _**reëls**_ gids en voer dit uit. Dit sal 'n lêer genaamd _**malware\_rules.yar**_ skep wat al die yara-reëls vir malware bevat.
```bash
wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
mkdir rules
python malware_yara_rules.py
```
#### Deurskou
```bash
yara -w malware_rules.yar image  #Scan 1 file
yara -w malware_rules.yar folder #Scan the whole folder
```
#### YaraGen: Kontroleer vir malware en Skep reëls

Jy kan die instrument [**YaraGen**](https://github.com/Neo23x0/yarGen) gebruik om yara-reëls vanaf 'n binêre lêer te genereer. Kyk na hierdie tutoriale: [**Deel 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Deel 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Deel 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/)
```bash
python3 yarGen.py --update
python3.exe yarGen.py --excludegood -m  ../../mals/
```
### ClamAV

#### Installeer
```
sudo apt-get install -y clamav
```
#### Deurskou
```bash
sudo freshclam      #Update rules
clamscan filepath   #Scan 1 file
clamscan folderpath #Scan the whole folder
```
### [Capa](https://github.com/mandiant/capa)

**Capa** ontdek potensieel skadelike **vermoëns** in uitvoerbare lêers: PE, ELF, .NET. Dit sal dinge soos Att\&ck-taktieke vind, of verdagte vermoëns soos:

- kontroleer vir OutputDebugString-fout
- hardloop as 'n diens
- skep proses

Kry dit in die [**Github-opberging**](https://github.com/mandiant/capa).

### IOCs

IOC beteken Indicator Of Compromise. 'N IOC is 'n stel **toestande wat** sommige potensieel ongewenste sagteware of bevestigde **malware identifiseer**. Blou-spanne gebruik hierdie soort definisie om **te soek na hierdie soort skadelike lêers** in hul **sisteme** en **netwerke**.\
Dit is baie nuttig om hierdie definisies te deel, want as malware geïdentifiseer word in 'n rekenaar en 'n IOC vir daardie malware geskep word, kan ander Blou-spanne dit gebruik om die malware vinniger te identifiseer.

'n Gereedskap om IOCs te skep of te wysig is [**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.**\
Jy kan gereedskappe soos [**Redline**](https://www.fireeye.com/services/freeware/redline.html) gebruik om **te soek na gedefinieerde IOCs in 'n toestel**.

### Loki

[**Loki**](https://github.com/Neo23x0/Loki) is 'n skandeerder vir Eenvoudige Indicators of Compromise.\
Deteksie is gebaseer op vier deteksie-metodes:
```
1. File Name IOC
Regex match on full file path/name

2. Yara Rule Check
Yara signature matches on file data and process memory

3. Hash Check
Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files

4. C2 Back Connect Check
Compares process connection endpoints with C2 IOCs (new since version v.10)
```
### Linux Malware Detect

[**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) is 'n kwaadwillige skandeerder vir Linux wat vrygestel is onder die GNU GPLv2 lisensie, wat ontwerp is rondom die bedreigings wat in gedeelde gehuisvese omgewings ondervind word. Dit maak gebruik van bedreigingsdata van netwerk rand indringing deteksie stelsels om kwaadwillige sagteware te onttrek wat aktief gebruik word in aanvalle en handtekeninge vir opsporing genereer. Daarbenewens word bedreigingsdata ook afgelei van gebruiker inskrywings met die LMD kassiere funksie en kwaadwillige sagteware gemeenskapsbronne.

### rkhunter

Gereedskap soos [**rkhunter**](http://rkhunter.sourceforge.net) kan gebruik word om die lêersisteem vir moontlike **rootkits** en kwaadwillige sagteware te ondersoek.
```bash
sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress]
```
### FLOSS

[**FLOSS**](https://github.com/mandiant/flare-floss) is 'n instrument wat sal probeer om versluierde strings binne uitvoerbare lêers te vind deur verskillende tegnieke te gebruik.

### PEpper

[PEpper](https://github.com/Th3Hurrican3/PEpper) kontroleer sommige basiese dinge binne die uitvoerbare lêer (binêre data, entropie, URL's en IP-adresse, sommige yara-reëls).

### PEstudio

[PEstudio](https://www.winitor.com/download) is 'n instrument wat toelaat om inligting van Windows-uitvoerbare lêers te kry soos invoer, uitvoer, koppe, maar sal ook virus totaal nagaan en potensiële Aanval-tegnieke vind.

### Detect It Easy(DiE)

[**DiE**](https://github.com/horsicq/Detect-It-Easy/) is 'n instrument om te bepaal of 'n lêer **versleutel** is en ook **pakkers** te vind.

### NeoPI

[**NeoPI**](https://github.com/CiscoCXSecurity/NeoPI) is 'n Python-skrip wat 'n verskeidenheid van **statistiese metodes** gebruik om **versluierde** en **versleutelde** inhoud binne teks/skripslêers op te spoor. Die bedoelde doel van NeoPI is om te help met die **opsporing van verskuilde webshell-kode**.

### **php-malware-finder**

[**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) doen sy uiterste bes om **versluierde**/**dubbelsinnige kode** asook lêers wat **PHP**-funksies gebruik wat dikwels in **malware**/webshells gebruik word, op te spoor.

### Apple Binêre Handtekeninge

Wanneer jy 'n paar **malware monsters** nagaan, moet jy altyd die handtekening van die binêre lêer **nagaan**, aangesien die **ontwikkelaar** wat dit onderteken het, moontlik alreeds met **malware** verband hou.
```bash
#Get signer
codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier"

#Check if the app’s contents have been modified
codesign --verify --verbose /Applications/Safari.app

#Check if the signature is valid
spctl --assess --verbose /Applications/Safari.app
```
## Opsoek Tegnieke

### Lêer Stapeling

As jy weet dat 'n sekere vouer wat die **lêers** van 'n webbediener bevat, **laas op 'n sekere datum opgedateer is**. **Kontroleer** die **datum** van alle **lêers** in die **webbediener wat geskep en gewysig is** en as enige datum **verdag voorkom**, kontroleer daardie lêer.

### Baseline

As die lêers van 'n vouer **nie behoort te wees gewysig nie**, kan jy die **hassie** van die **oorspronklike lêers** van die vouer bereken en hulle **vergelyk** met die **huidige** een. Enige iets wat gewysig is, sal **verdag wees**.

### Statistiese Analise

Wanneer die inligting in logboeke gestoor word, kan jy **statistieke soos hoeveel keer elke lêer van 'n webbediener benader is, nagaan aangesien 'n webskulp een van die mees** kan wees.

{% hint style="success" %}
Leer & oefen AWS Hack: <img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Leer & oefen GCP Hack: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Opleiding GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Ondersteun HackTricks</summary>

* Kontroleer die [**inskrywingsplanne**](https://github.com/sponsors/carlospolop)!
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Deel hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.

</details>
{% endhint %}
-												Translated to Afrikaans

											
										
										
											2024-02-11 02:07:06 +00:00
+								# Malware Analise
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								{% hint style="success" %}
 								Leer & oefen AWS Hack:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
 								Leer & oefen GCP Hack: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Opleiding GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								<details>
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								<summary>Ondersteun HackTricks</summary>
-												https://training.hacktricks.xyz/

											
										
										
											2023-12-30 10:12:47 +00:00
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								* Kontroleer die [**inskrywingsplanne**](https://github.com/sponsors/carlospolop)!
 								* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
 								* **Deel hacktruuks deur PRs in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								</details>
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								{% endhint %}
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								## Forensiese Spiekbriefjies
-												GitBook: [#3165] No subject

											
										
										
											2022-05-01 16:32:23 +00:00
-												GITBOOK-3999: change request with no subject merged in GitBook

											
										
										
											2023-07-04 15:58:34 +00:00
+								[https://www.jaiminton.com/cheatsheet/DFIR/#](https://www.jaiminton.com/cheatsheet/DFIR/)
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated to Afrikaans

											
										
										
											2024-02-11 02:07:06 +00:00
+								## Aanlyn Dienste
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
 								* [VirusTotal](https://www.virustotal.com/gui/home/upload)
 								* [HybridAnalysis](https://www.hybrid-analysis.com)
-												GitBook: [#2777] gitbookissooooo slow I cannot write

											
										
										
											2021-10-18 11:21:18 +00:00
+								* [Koodous](https://koodous.com)
 								* [Intezer](https://analyze.intezer.com)
-												GITBOOK-3999: change request with no subject merged in GitBook

											
										
										
											2023-07-04 15:58:34 +00:00
+								* [Any.Run](https://any.run/)
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								## Aflyn Antivirus en Opmerking Gereedskap
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												GITBOOK-3999: change request with no subject merged in GitBook

											
										
										
											2023-07-04 15:58:34 +00:00
+								### Yara
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated to Afrikaans

											
										
										
											2024-02-11 02:07:06 +00:00
+								#### Installeer
-												GitBook: [master] 2 pages modified
											
										
										
											2020-12-21 20:50:30 +00:00
+								```bash
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								sudo apt-get install -y yara
 								```
-												Translated to Afrikaans

											
										
										
											2024-02-11 02:07:06 +00:00
+								#### Maak reëls gereed
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								Gebruik hierdie skrip om al die yara-malware-reëls vanaf github af te laai en saam te voeg: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\
 								Skep die _**reëls**_ gids en voer dit uit. Dit sal 'n lêer genaamd _**malware\_rules.yar**_ skep wat al die yara-reëls vir malware bevat.
-												GitBook: [master] 2 pages modified
											
										
										
											2020-12-21 20:50:30 +00:00
+								```bash
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
 								mkdir rules
 								python malware_yara_rules.py
 								```
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								#### Deurskou
-												GitBook: [master] 2 pages modified
											
										
										
											2020-12-21 20:50:30 +00:00
+								```bash
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								yara -w malware_rules.yar image  #Scan 1 file
-												Update malware-analysis.md
											
										
										
											2022-09-08 08:47:03 +00:00
+								yara -w malware_rules.yar folder #Scan the whole folder
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```
-												Translated to Afrikaans

											
										
										
											2024-02-11 02:07:06 +00:00
+								#### YaraGen: Kontroleer vir malware en Skep reëls
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								Jy kan die instrument [**YaraGen**](https://github.com/Neo23x0/yarGen) gebruik om yara-reëls vanaf 'n binêre lêer te genereer. Kyk na hierdie tutoriale: [**Deel 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Deel 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Deel 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/)
-												Translated to Afrikaans

											
										
										
											2024-02-11 02:07:06 +00:00
+								```bash
 								python3 yarGen.py --update
 								python3.exe yarGen.py --excludegood -m  ../../mals/
 								```
 								### ClamAV
-												GitBook: [master] 508 pages modified
											
										
										
											2021-08-16 23:29:43 +00:00
-												Translated to Afrikaans

											
										
										
											2024-02-11 02:07:06 +00:00
+								#### Installeer
-												GitBook: [#2777] gitbookissooooo slow I cannot write

											
										
										
											2021-10-18 11:21:18 +00:00
+								```
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								sudo apt-get install -y clamav
 								```
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								#### Deurskou
-												GitBook: [master] 2 pages modified
											
										
										
											2020-12-21 20:50:30 +00:00
+								```bash
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								sudo freshclam      #Update rules
 								clamscan filepath   #Scan 1 file
-												Update malware-analysis.md
											
										
										
											2022-09-08 08:47:03 +00:00
+								clamscan folderpath #Scan the whole folder
-												GitBook: [master] 351 pages and 442 assets modified
											
										
										
											2020-07-15 15:43:14 +00:00
+								```
-												GITBOOK-3999: change request with no subject merged in GitBook

											
										
										
											2023-07-04 15:58:34 +00:00
+								### [Capa](https://github.com/mandiant/capa)
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								**Capa** ontdek potensieel skadelike **vermoëns** in uitvoerbare lêers: PE, ELF, .NET. Dit sal dinge soos Att\&ck-taktieke vind, of verdagte vermoëns soos:
-												GITBOOK-3999: change request with no subject merged in GitBook

											
										
										
											2023-07-04 15:58:34 +00:00
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								- kontroleer vir OutputDebugString-fout
 								- hardloop as 'n diens
 								- skep proses
-												GITBOOK-3999: change request with no subject merged in GitBook

											
										
										
											2023-07-04 15:58:34 +00:00
-												Translated to Afrikaans

											
										
										
											2024-02-11 02:07:06 +00:00
+								Kry dit in die [**Github-opberging**](https://github.com/mandiant/capa).
-												GITBOOK-3999: change request with no subject merged in GitBook

											
										
										
											2023-07-04 15:58:34 +00:00
 								### IOCs
-												GitBook: [master] 508 pages modified
											
										
										
											2021-08-16 23:29:43 +00:00
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								IOC beteken Indicator Of Compromise. 'N IOC is 'n stel **toestande wat** sommige potensieel ongewenste sagteware of bevestigde **malware identifiseer**. Blou-spanne gebruik hierdie soort definisie om **te soek na hierdie soort skadelike lêers** in hul **sisteme** en **netwerke**.\
 								Dit is baie nuttig om hierdie definisies te deel, want as malware geïdentifiseer word in 'n rekenaar en 'n IOC vir daardie malware geskep word, kan ander Blou-spanne dit gebruik om die malware vinniger te identifiseer.
-												GitBook: [master] 508 pages modified
											
										
										
											2021-08-16 23:29:43 +00:00
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								'n Gereedskap om IOCs te skep of te wysig is [**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.**\
 								Jy kan gereedskappe soos [**Redline**](https://www.fireeye.com/services/freeware/redline.html) gebruik om **te soek na gedefinieerde IOCs in 'n toestel**.
-												GitBook: [master] 508 pages modified
											
										
										
											2021-08-16 23:29:43 +00:00
-												GITBOOK-3999: change request with no subject merged in GitBook

											
										
										
											2023-07-04 15:58:34 +00:00
+								### Loki
-												GitBook: [master] 4 pages and 2 assets modified
											
										
										
											2021-08-19 22:50:46 +00:00
-												Translated to Afrikaans

											
										
										
											2024-02-11 02:07:06 +00:00
+								[**Loki**](https://github.com/Neo23x0/Loki) is 'n skandeerder vir Eenvoudige Indicators of Compromise.\
 								Deteksie is gebaseer op vier deteksie-metodes:
-												GitBook: [#2777] gitbookissooooo slow I cannot write

											
										
										
											2021-10-18 11:21:18 +00:00
+								```
-												GitBook: [master] 4 pages and 2 assets modified
											
										
										
											2021-08-19 22:50:46 +00:00
+. File Name IOC
-												Translated to Afrikaans

											
										
										
											2024-02-11 02:07:06 +00:00
+								Regex match on full file path/name
-												GitBook: [master] 4 pages and 2 assets modified
											
										
										
											2021-08-19 22:50:46 +00:00
 . Yara Rule Check
-												Translated to Afrikaans

											
										
										
											2024-02-11 02:07:06 +00:00
+								Yara signature matches on file data and process memory
-												GitBook: [master] 4 pages and 2 assets modified
											
										
										
											2021-08-19 22:50:46 +00:00
 . Hash Check
-												Translated to Afrikaans

											
										
										
											2024-02-11 02:07:06 +00:00
+								Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files
-												GitBook: [master] 4 pages and 2 assets modified
											
										
										
											2021-08-19 22:50:46 +00:00
+. C2 Back Connect Check
-												Translated to Afrikaans

											
										
										
											2024-02-11 02:07:06 +00:00
+								Compares process connection endpoints with C2 IOCs (new since version v.10)
-												GitBook: [master] 4 pages and 2 assets modified
											
										
										
											2021-08-19 22:50:46 +00:00
+								```
-												GITBOOK-3999: change request with no subject merged in GitBook

											
										
										
											2023-07-04 15:58:34 +00:00
+								### Linux Malware Detect
-												GitBook: [master] 4 pages and 2 assets modified
											
										
										
											2021-08-19 22:50:46 +00:00
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								[**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) is 'n kwaadwillige skandeerder vir Linux wat vrygestel is onder die GNU GPLv2 lisensie, wat ontwerp is rondom die bedreigings wat in gedeelde gehuisvese omgewings ondervind word. Dit maak gebruik van bedreigingsdata van netwerk rand indringing deteksie stelsels om kwaadwillige sagteware te onttrek wat aktief gebruik word in aanvalle en handtekeninge vir opsporing genereer. Daarbenewens word bedreigingsdata ook afgelei van gebruiker inskrywings met die LMD kassiere funksie en kwaadwillige sagteware gemeenskapsbronne.
-												GitBook: [master] 4 pages and 2 assets modified
											
										
										
											2021-08-19 22:50:46 +00:00
-												GITBOOK-3999: change request with no subject merged in GitBook

											
										
										
											2023-07-04 15:58:34 +00:00
+								### rkhunter
-												GitBook: [master] 3 pages modified
											
										
										
											2020-12-23 19:52:25 +00:00
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								Gereedskap soos [**rkhunter**](http://rkhunter.sourceforge.net) kan gebruik word om die lêersisteem vir moontlike **rootkits** en kwaadwillige sagteware te ondersoek.
-												GitBook: [master] 3 pages modified
											
										
										
											2020-12-23 19:52:25 +00:00
+								```bash
 								sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress]
 								```
-												GITBOOK-3999: change request with no subject merged in GitBook

											
										
										
											2023-07-04 15:58:34 +00:00
+								### FLOSS
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								[**FLOSS**](https://github.com/mandiant/flare-floss) is 'n instrument wat sal probeer om versluierde strings binne uitvoerbare lêers te vind deur verskillende tegnieke te gebruik.
-												GITBOOK-3999: change request with no subject merged in GitBook

											
										
										
											2023-07-04 15:58:34 +00:00
 								### PEpper
-												GitBook: [master] 3 pages modified
											
										
										
											2020-12-23 19:52:25 +00:00
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								[PEpper](https://github.com/Th3Hurrican3/PEpper) kontroleer sommige basiese dinge binne die uitvoerbare lêer (binêre data, entropie, URL's en IP-adresse, sommige yara-reëls).
-												GitBook: [master] 3 pages modified
											
										
										
											2020-12-23 19:52:25 +00:00
-												GITBOOK-3999: change request with no subject merged in GitBook

											
										
										
											2023-07-04 15:58:34 +00:00
+								### PEstudio
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								[PEstudio](https://www.winitor.com/download) is 'n instrument wat toelaat om inligting van Windows-uitvoerbare lêers te kry soos invoer, uitvoer, koppe, maar sal ook virus totaal nagaan en potensiële Aanval-tegnieke vind.
-												GITBOOK-3999: change request with no subject merged in GitBook

											
										
										
											2023-07-04 15:58:34 +00:00
 								### Detect It Easy(DiE)
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								[**DiE**](https://github.com/horsicq/Detect-It-Easy/) is 'n instrument om te bepaal of 'n lêer **versleutel** is en ook **pakkers** te vind.
-												GITBOOK-3999: change request with no subject merged in GitBook

											
										
										
											2023-07-04 15:58:34 +00:00
 								### NeoPI
-												GitBook: [master] 4 pages and 2 assets modified
											
										
										
											2021-08-19 22:50:46 +00:00
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								[**NeoPI**](https://github.com/CiscoCXSecurity/NeoPI) is 'n Python-skrip wat 'n verskeidenheid van **statistiese metodes** gebruik om **versluierde** en **versleutelde** inhoud binne teks/skripslêers op te spoor. Die bedoelde doel van NeoPI is om te help met die **opsporing van verskuilde webshell-kode**.
-												GitBook: [master] 4 pages and 2 assets modified
											
										
										
											2021-08-19 22:50:46 +00:00
-												GITBOOK-3999: change request with no subject merged in GitBook

											
										
										
											2023-07-04 15:58:34 +00:00
+								### **php-malware-finder**
-												GitBook: [master] 4 pages and 2 assets modified
											
										
										
											2021-08-19 22:50:46 +00:00
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								[**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) doen sy uiterste bes om **versluierde**/**dubbelsinnige kode** asook lêers wat **PHP**-funksies gebruik wat dikwels in **malware**/webshells gebruik word, op te spoor.
-												GitBook: [master] 4 pages and 2 assets modified
											
										
										
											2021-08-19 22:50:46 +00:00
-												Translated to Afrikaans

											
										
										
											2024-02-11 02:07:06 +00:00
+								### Apple Binêre Handtekeninge
-												GitBook: [master] 504 pages and 3 assets modified
											
										
										
											2021-08-03 16:29:03 +00:00
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								Wanneer jy 'n paar **malware monsters** nagaan, moet jy altyd die handtekening van die binêre lêer **nagaan**, aangesien die **ontwikkelaar** wat dit onderteken het, moontlik alreeds met **malware** verband hou.
-												GitBook: [master] 504 pages and 3 assets modified
											
										
										
											2021-08-03 16:29:03 +00:00
+								```bash
 								#Get signer
 								codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier"
 								#Check if the app’s contents have been modified
 								codesign --verify --verbose /Applications/Safari.app
 								#Check if the signature is valid
 								spctl --assess --verbose /Applications/Safari.app
 								```
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								## Opsoek Tegnieke
-												GitBook: [master] 504 pages and 3 assets modified
											
										
										
											2021-08-03 16:29:03 +00:00
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								### Lêer Stapeling
-												GitBook: [master] 4 pages and 2 assets modified
											
										
										
											2021-08-19 22:50:46 +00:00
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								As jy weet dat 'n sekere vouer wat die **lêers** van 'n webbediener bevat, **laas op 'n sekere datum opgedateer is**. **Kontroleer** die **datum** van alle **lêers** in die **webbediener wat geskep en gewysig is** en as enige datum **verdag voorkom**, kontroleer daardie lêer.
-												GitBook: [master] 4 pages and 2 assets modified
											
										
										
											2021-08-19 22:50:46 +00:00
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								### Baseline
-												GitBook: [master] 4 pages and 2 assets modified
											
										
										
											2021-08-19 22:50:46 +00:00
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								As die lêers van 'n vouer **nie behoort te wees gewysig nie**, kan jy die **hassie** van die **oorspronklike lêers** van die vouer bereken en hulle **vergelyk** met die **huidige** een. Enige iets wat gewysig is, sal **verdag wees**.
-												GitBook: [master] 4 pages and 2 assets modified
											
										
										
											2021-08-19 22:50:46 +00:00
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								### Statistiese Analise
-												GitBook: [master] 4 pages and 2 assets modified
											
										
										
											2021-08-19 22:50:46 +00:00
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								Wanneer die inligting in logboeke gestoor word, kan jy **statistieke soos hoeveel keer elke lêer van 'n webbediener benader is, nagaan aangesien 'n webskulp een van die mees** kan wees.
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								{% hint style="success" %}
 								Leer & oefen AWS Hack: <img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
 								Leer & oefen GCP Hack: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Opleiding GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								<details>
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								<summary>Ondersteun HackTricks</summary>
-												https://training.hacktricks.xyz/

											
										
										
											2023-12-30 10:12:47 +00:00
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								* Kontroleer die [**inskrywingsplanne**](https://github.com/sponsors/carlospolop)!
 								* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
 								* **Deel hacktruuks deur PR's in te dien by die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github-opslag.
-												Ad hacktricks sponsoring

											
										
										
											2022-04-28 16:01:33 +00:00
 								</details>
-												Translated ['1911-pentesting-fox.md', '6881-udp-pentesting-bittorrent.md

											
										
										
											2024-07-18 18:31:10 +00:00
+								{% endhint %}