<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF**, check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
Use this script to download and merge all the yara malware rules from github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\
Create the _**rules**_ directory and run the script. It will produce a file called _**malware\_rules.yar**_ that contains all the yara rules for malware.
Malware analysis begins with scanning the suspicious file or system for any signs of malicious activity. This involves using antivirus software, network monitoring tools, and other scanning techniques to identify any indicators of compromise (IOCs) or suspicious behavior. The goal is to detect and isolate any potential malware present in the system.
##### Antivirus Scanning
Antivirus scanning is a common method used to detect and remove malware. It involves using antivirus software to scan files, directories, and the entire system for known malware signatures. The antivirus software compares the scanned files against a database of known malware signatures and alerts the user if any matches are found.
##### Network Monitoring
Network monitoring tools can be used to analyze network traffic and identify any suspicious or malicious activity. These tools monitor network packets and analyze their content to detect any signs of malware communication or unauthorized access attempts. Network monitoring can help identify malware that may be attempting to communicate with command and control (C2) servers or exfiltrate data from the system.
##### File Analysis
File analysis involves examining the suspicious file in detail to identify any malicious behavior or hidden functionality. This can be done using various tools and techniques, such as static analysis and dynamic analysis.
- Static Analysis: Static analysis involves examining the file without executing it. This can include analyzing the file's metadata, examining its structure, and looking for any suspicious or obfuscated code. Static analysis can help identify known malware patterns or indicators of malicious behavior.
- Dynamic Analysis: Dynamic analysis involves executing the file in a controlled environment, such as a virtual machine or sandbox, to observe its behavior. This can include monitoring system calls, network activity, and file modifications. Dynamic analysis can help identify any malicious behavior that may not be evident during static analysis.
##### Memory Analysis
Memory analysis involves examining the system's memory for any signs of malicious activity. This can include analyzing running processes, loaded modules, and network connections. Memory analysis can help identify malware that may be running in memory or any malicious code injected into legitimate processes.
##### Registry Analysis
Registry analysis involves examining the system's registry for any signs of malicious activity. The registry is a database that stores configuration settings and other information about the system and its applications. Malware often modifies the registry to achieve persistence or to execute at system startup. Registry analysis can help identify any suspicious or malicious registry entries.
##### Log Analysis
Log analysis involves examining system logs, such as event logs and application logs, for any signs of malicious activity. Logs can contain valuable information about system events, user activity, and network connections. Analyzing logs can help identify any abnormal or suspicious behavior that may indicate the presence of malware.
##### Behavioral Analysis
Behavioral analysis involves observing the behavior of the suspicious file or system to identify any malicious activity. This can include monitoring system processes, network connections, file modifications, and other system events. Behavioral analysis can help identify any abnormal or malicious behavior that may not be detected through other analysis techniques.
By performing a thorough scan using these techniques, analysts can gather valuable information about the suspicious file or system and identify any potential malware present. This information can then be used for further analysis and investigation.
You can use the tool [**YaraGen**](https://github.com/Neo23x0/yarGen) to generate yara rules from a binary. Check out these tutorials: [**Part 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Part 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Part 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/)
**Capa** detects potentially malicious **capabilities** in executables: PE, ELF, .NET. It will therefore find things like Att\&ck tactics, or suspicious capabilities such as:
IOC means Indicator Of Compromise. An IOC is a set of **conditions that identify** some potentially unwanted software or confirmed **malware**. Blue Teams use this kind of definition to **search for this kind of malicious file** in their **systems** and **networks**.\
Sharing these definitions is very useful: once malware is identified on a computer and an IOC for that malware is created, other Blue Teams can use it to identify the malware faster.
[**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) is a malware scanner for Linux released under the GNU GPLv2 license, designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions and malware community resources.
[**FLOSS**](https://github.com/mandiant/flare-floss) is a tool that will try to find obfuscated strings inside executables using different techniques.
[PEpper](https://github.com/Th3Hurrican3/PEpper) checks some basic things inside the executable (binary data, entropy, URLs and IPs, some yara rules).
[PEstudio](https://www.winitor.com/download) is a tool that retrieves information about Windows executables such as imports, exports and headers, and it will also check VirusTotal and find possible attack techniques.
[**NeoPI**](https://github.com/CiscoCXSecurity/NeoPI) is a Python script that uses a variety of statistical methods to detect obfuscated or otherwise hidden content within text/script files. The intended purpose of NeoPI is to aid in the detection of hidden web shell code.
[**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) does its very best to detect obfuscated/dodgy code as well as files using PHP functions that are often used in malware/webshells.
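As an added example (not NeoPI's or PHP-malware-finder's own code), the following Python script applies the same kind of statistical and keyword heuristics those tools rely on to a pair of constructed PHP files: Shannon entropy of the whole file, the length of the longest base64-like token, and the presence of PHP functions commonly wrapped around obfuscated payloads. The function list, the thresholds and both sample files are assumptions chosen for illustration, not values taken from either tool; the "payload" in the obfuscated sample is harmless filler text that is base64-encoded only so the file has the long high-entropy token an obfuscated web shell would have.

```python
import base64
import math
import re
from collections import Counter

# Functions frequently wrapped around obfuscated payloads in PHP web shells.
# Assumption for this example; tune to your environment and expect false positives
# (legitimate code uses base64_decode too).
SUSPICIOUS_CALLS = (
    "eval", "assert", "base64_decode", "gzinflate", "gzuncompress", "str_rot13",
    "shell_exec", "passthru", "system", "exec", "proc_open", "popen",
)
CALL_RE = re.compile(r"\b(" + "|".join(SUSPICIOUS_CALLS) + r")\s*\(", re.IGNORECASE)
# Runs of base64 / identifier characters; long runs are typical of encoded blobs.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_]+")

# Thresholds are assumptions for the example. Ordinary PHP source sits well below
# 5.5 bits/char; base64-heavy files approach the 6-bit ceiling of a 64-symbol alphabet.
ENTROPY_THRESHOLD = 5.5
TOKEN_THRESHOLD = 200


def shannon_entropy(text):
    """Bits per character of the text's character distribution (0.0 for empty or uniform text)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def longest_token(text):
    """Length of the longest base64-like run; encoded payloads produce very long runs."""
    return max((len(t) for t in TOKEN_RE.findall(text)), default=0)


def suspicious_calls(text):
    """Sorted, de-duplicated, lower-cased names of suspicious functions that are called."""
    return sorted({m.group(1).lower() for m in CALL_RE.finditer(text)})


def score_file(text):
    """Return the list of reasons a file looks obfuscated; an empty list means nothing fired."""
    reasons = []
    ent = shannon_entropy(text)
    if ent > ENTROPY_THRESHOLD:
        reasons.append(f"entropy {ent:.2f} bits/char")
    tok = longest_token(text)
    if tok > TOKEN_THRESHOLD:
        reasons.append(f"longest token {tok} chars")
    calls = suspicious_calls(text)
    if calls:
        reasons.append("suspicious calls: " + ", ".join(calls))
    return reasons


def triage(files):
    """files: {name: source}. Return [(name, reasons)] for flagged files, most reasons first."""
    flagged = [(name, score_file(text)) for name, text in files.items()]
    flagged = [(name, reasons) for name, reasons in flagged if reasons]
    flagged.sort(key=lambda item: (-len(item[1]), item[0]))
    return flagged


# Constructed samples for the example.
BENIGN_SAMPLE = """<?php
// Renders a greeting; nothing unusual here.
$name = htmlspecialchars($_GET['name'] ?? 'guest');
echo "<h1>Welcome, $name</h1>";
?>
"""
# Filler text, not code: encoded only to produce the long token a real obfuscated file would have.
_FILLER = base64.b64encode(b"constructed filler payload, not code " * 12).decode()
OBFUSCATED_SAMPLE = f'<?php eval(base64_decode("{_FILLER}")); ?>\n'
SAMPLES = {"index.php": BENIGN_SAMPLE, "uploads/cache.php": OBFUSCATED_SAMPLE}

if __name__ == "__main__":
    for name, reasons in triage(SAMPLES):
        print(f"{name}: " + "; ".join(reasons))
```

Whole-file entropy is a coarse signal: a large legitimate file with an embedded image or minified library will also score high, which is why the tools the page lists combine several heuristics and why `triage` ranks by how many fired rather than by any single one. Run it over a web root by reading each `.php` file into the `files` dict.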
When checking a **malware sample** you should always **check the signature** of the binary, as the **developer** who signed it may already be **related** to **malware**.
If you know that a folder containing the **files** of a web server was **last updated on a certain date**, **check** the dates on which all the **files** in the **web server were created and modified**, and if any date is **suspicious**, check that file.
If the files of a folder **should not have been modified**, you can calculate the **hash** of the folder's **original files** and **compare** them with the **current** ones. Anything modified will be **suspicious**.
When the information is saved in logs you can **check statistics such as how many times each file of the web server was accessed, as a web shell may be one of the most requested**.
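As an added example (not from the original page), the following Python script implements the three checks just described against a constructed web root and a constructed access-log excerpt: files modified after the last known deployment date, a SHA-256 baseline diff that reports added, modified and removed files, and per-path request counts. It also reports how many distinct client IPs requested each path, a heuristic that goes slightly beyond the text: a web shell is typically driven from very few addresses, so a busy path with a single client stands out. The paths, dates and log lines are all constructed for the example.

```python
import hashlib
import os
import re
import tempfile
from collections import Counter, defaultdict
from datetime import datetime, timezone


def walk_files(root):
    """Yield (relative '/'-separated path, absolute path) for every regular file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def hash_tree(root):
    """Map each file under root to its SHA-256 hex digest (web files are small; read whole)."""
    hashes = {}
    for rel, full in walk_files(root):
        with open(full, "rb") as fh:
            hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def diff_against_baseline(baseline, current):
    """Split files into added / modified / removed relative to a known-good hash baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def files_modified_after(root, cutoff):
    """Relative paths whose mtime is later than cutoff (an aware datetime), sorted."""
    cutoff_ts = cutoff.timestamp()
    return sorted(rel for rel, full in walk_files(root) if os.path.getmtime(full) > cutoff_ts)


# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')


def hit_stats(log_lines):
    """Per URL path (query string dropped): (path, requests, distinct client IPs), busiest first.
    Lines that do not parse are skipped rather than aborting the run."""
    hits = Counter()
    clients = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        hits[path] += 1
        clients[path].add(m.group("ip"))
    return [(path, n, len(clients[path])) for path, n in hits.most_common()]


# Constructed log excerpt: legitimate pages get a few hits from several clients,
# while one file under uploads/ is requested repeatedly by a single client.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.6 - - [10/Mar/2024:10:00:02 +0000] "GET /about.php HTTP/1.1" 200 611 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:00:03 +0000] "POST /uploads/cache.php HTTP/1.1" 200 87 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "GET /index.php?page=2 HTTP/1.1" 200 540 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:00:05 +0000] "POST /uploads/cache.php HTTP/1.1" 200 91 "-" "curl/8.0"
this line is not in combined log format and is skipped
198.51.100.9 - - [10/Mar/2024:10:00:06 +0000] "POST /uploads/cache.php HTTP/1.1" 200 95 "-" "curl/8.0"
198.51.100.9 - - [10/Mar/2024:10:00:08 +0000] "POST /uploads/cache.php HTTP/1.1" 200 88 "-" "curl/8.0"
"""

DEPLOYED_AT = datetime(2024, 3, 1, tzinfo=timezone.utc)   # last legitimate release (constructed)
TAMPERED_AT = datetime(2024, 3, 10, tzinfo=timezone.utc)  # simulated post-release changes


def demo():
    """Build a tiny web root, baseline it, tamper with it, and run the file-based checks."""
    with tempfile.TemporaryDirectory() as root:
        originals = {"index.php": b"<?php echo 'home'; ?>", "about.php": b"<?php echo 'about'; ?>"}
        os.makedirs(os.path.join(root, "uploads"))
        for rel, body in originals.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
            os.utime(os.path.join(root, rel), (DEPLOYED_AT.timestamp(),) * 2)
        baseline = hash_tree(root)  # in practice: taken from the clean release artifact
        # Simulated changes after release: one file edited, one new file dropped into uploads/.
        with open(os.path.join(root, "about.php"), "ab") as fh:
            fh.write(b"\n// appended after release")
        with open(os.path.join(root, "uploads", "cache.php"), "wb") as fh:
            fh.write(b"<?php /* constructed new file */ ?>")
        for rel in ("about.php", "uploads/cache.php"):
            os.utime(os.path.join(root, rel), (TAMPERED_AT.timestamp(),) * 2)
        changes = diff_against_baseline(baseline, hash_tree(root))
        late = files_modified_after(root, datetime(2024, 3, 5, tzinfo=timezone.utc))
    return changes, late


if __name__ == "__main__":
    print(demo())
    for path, n, ips in hit_stats(SAMPLE_LOG.splitlines()):
        print(f"{n:4d} hits from {ips} client(s): {path}")
```

Two practical notes: the baseline hashes must come from the release artifact or a clean copy of the deployment, not from the possibly compromised host, and timestamps alone are weak evidence because they can be reset (as `os.utime` does here), which is why the hash comparison is the check to trust when both disagree.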