# Uchambuzi wa Programu Hasidi
Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inayotangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
## Viongozi vya Uchunguzi
[https://www.jaiminton.com/cheatsheet/DFIR/#](https://www.jaiminton.com/cheatsheet/DFIR/)
## Huduma za Mtandaoni
* [VirusTotal](https://www.virustotal.com/gui/home/upload)
* [HybridAnalysis](https://www.hybrid-analysis.com)
* [Koodous](https://koodous.com)
* [Intezer](https://analyze.intezer.com)
* [Any.Run](https://any.run/)
## Zana za Kupambana na Virus na Ugunduzi Nje ya Mtandao
### Yara
#### Sakinisha
```bash
sudo apt-get install -y yara
```
#### Andaa sheria
Tumia skripti hii kupakua na kuunganisha sheria zote za yara za programu hasidi kutoka kwenye github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\
Tengeneza saraka ya _**sheria**_ na itekeleze. Hii itaunda faili inayoitwa _**malware\_rules.yar**_ ambayo ina sheria zote za yara kwa ajili ya programu hasidi.
```bash
wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
mkdir rules
python malware_yara_rules.py
```
#### Kagua
Malware analysis begins with scanning the suspicious file or system for any signs of malicious activity. This involves using antivirus software, network monitoring tools, and other scanning techniques to identify any indicators of compromise (IOCs) or suspicious behavior. The goal is to detect and isolate any potential malware present in the system.
##### Antivirus Scanning
Antivirus scanning is a common method used to detect and remove malware. It involves using antivirus software to scan files, directories, and the entire system for known malware signatures. The antivirus software compares the scanned files against a database of known malware signatures and alerts the user if any matches are found.
##### Network Monitoring
Network monitoring tools can be used to analyze network traffic and identify any suspicious or malicious activity. These tools monitor network packets and analyze their content to detect any signs of malware communication or unauthorized access attempts. Network monitoring can help identify malware that may be attempting to communicate with command and control (C2) servers or exfiltrate data from the system.
##### File Analysis
File analysis involves examining the suspicious file in detail to identify any malicious behavior or hidden functionality. This can be done using various tools and techniques, such as static analysis and dynamic analysis.
- Static Analysis: Static analysis involves examining the file without executing it. This can include analyzing the file's metadata, examining its structure, and looking for any suspicious or obfuscated code. Static analysis can help identify known malware patterns or indicators of malicious behavior.
- Dynamic Analysis: Dynamic analysis involves executing the file in a controlled environment, such as a virtual machine or sandbox, to observe its behavior. This can include monitoring system calls, network activity, and file modifications. Dynamic analysis can help identify any malicious behavior that may not be evident during static analysis.
##### Memory Analysis
Memory analysis involves examining the system's memory for any signs of malicious activity. This can include analyzing running processes, loaded modules, and network connections. Memory analysis can help identify malware that may be running in memory or any malicious code injected into legitimate processes.
##### Registry Analysis
Registry analysis involves examining the system's registry for any signs of malicious activity. The registry is a database that stores configuration settings and other information about the system and its applications. Malware often modifies the registry to achieve persistence or to execute at system startup. Registry analysis can help identify any suspicious or malicious registry entries.
##### Log Analysis
Log analysis involves examining system logs, such as event logs and application logs, for any signs of malicious activity. Logs can contain valuable information about system events, user activity, and network connections. Analyzing logs can help identify any abnormal or suspicious behavior that may indicate the presence of malware.
##### Behavioral Analysis
Behavioral analysis involves observing the behavior of the suspicious file or system to identify any malicious activity. This can include monitoring system processes, network connections, file modifications, and other system events. Behavioral analysis can help identify any abnormal or malicious behavior that may not be detected through other analysis techniques.
By performing a thorough scan using these techniques, analysts can gather valuable information about the suspicious file or system and identify any potential malware present. This information can then be used for further analysis and investigation.
```bash
yara -w malware_rules.yar image #Scan 1 file
yara -w malware_rules.yar folder #Scan the whole folder
```
#### YaraGen: Angalia kwa zisizo na programu hasidi na Unda sheria
Unaweza kutumia zana [**YaraGen**](https://github.com/Neo23x0/yarGen) kuunda sheria za yara kutoka kwa faili ya binary. Angalia mafunzo haya: [**Sehemu 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Sehemu 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Sehemu 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/)
```bash
python3 yarGen.py --update
python3.exe yarGen.py --excludegood -m ../../mals/
```
### ClamAV
#### Sakinisha
```
sudo apt-get install -y clamav
```
#### Kagua
Malware analysis begins with scanning the suspicious file or system for any signs of malicious activity. This involves using antivirus software, network monitoring tools, and other scanning techniques to identify any indicators of compromise (IOCs) or suspicious behavior. The goal is to detect and isolate any potential malware present in the system.
##### Antivirus Scanning
Antivirus scanning is a common method used to detect and remove malware. It involves using antivirus software to scan files, directories, and the entire system for known malware signatures. The antivirus software compares the scanned files against a database of known malware signatures and alerts the user if any matches are found.
##### Network Monitoring
Network monitoring tools can be used to analyze network traffic and identify any suspicious or malicious activity. These tools monitor network packets and analyze their content to detect any signs of malware communication or unauthorized access attempts. Network monitoring can help identify malware that may be attempting to communicate with command and control (C2) servers or exfiltrate data from the system.
##### File Analysis
File analysis involves examining the suspicious file in detail to identify any malicious behavior or hidden functionality. This can be done using various tools and techniques, such as static analysis and dynamic analysis.
- Static Analysis: Static analysis involves examining the file without executing it. This can include analyzing the file's metadata, examining its structure, and looking for any suspicious or obfuscated code. Static analysis can help identify known malware patterns or indicators of malicious behavior.
- Dynamic Analysis: Dynamic analysis involves executing the file in a controlled environment, such as a virtual machine or sandbox, to observe its behavior. This can include monitoring system calls, network activity, and file modifications. Dynamic analysis can help identify any malicious behavior that may not be evident during static analysis.
##### Memory Analysis
Memory analysis involves examining the system's memory for any signs of malicious activity. This can include analyzing running processes, loaded modules, and network connections. Memory analysis can help identify malware that may be running in memory or any malicious code injected into legitimate processes.
##### Registry Analysis
Registry analysis involves examining the system's registry for any signs of malicious activity. The registry is a database that stores configuration settings and other information about the system and its applications. Malware often modifies the registry to achieve persistence or to execute at system startup. Registry analysis can help identify any suspicious or malicious registry entries.
##### Log Analysis
Log analysis involves examining system logs, such as event logs and application logs, for any signs of malicious activity. Logs can contain valuable information about system events, user activity, and network connections. Analyzing logs can help identify any abnormal or suspicious behavior that may indicate the presence of malware.
##### Behavioral Analysis
Behavioral analysis involves observing the behavior of the suspicious file or system to identify any malicious activity. This can include monitoring system processes, network connections, file modifications, and other system events. Behavioral analysis can help identify any abnormal or malicious behavior that may not be detected through other analysis techniques.
By performing a thorough scan using these techniques, analysts can gather valuable information about the suspicious file or system and identify any potential malware present. This information can then be used for further analysis and investigation.
```bash
sudo freshclam #Update rules
clamscan filepath #Scan 1 file
clamscan folderpath #Scan the whole folder
```
### [Capa](https://github.com/mandiant/capa)
**Capa** inagundua uwezo unaoweza kuwa na nia mbaya katika faili za kutekelezwa: PE, ELF, .NET. Kwa hivyo itapata mambo kama mbinu za Att\&ck, au uwezo wenye shaka kama vile:
* angalia kosa la OutputDebugString
* tekeleza kama huduma
* anzisha mchakato
Pata katika [**repo ya Github**](https://github.com/mandiant/capa).
### IOC
IOC inamaanisha Indicator Of Compromise. IOC ni seti ya hali ambazo zinatambua programu isiyo hitajika au programu hasidi iliyothibitishwa. Timu za Blue hutumia aina hii ya ufafanuzi kutafuta faili za aina hii katika mifumo yao na mitandao yao.\
Kushiriki ufafanuzi huu ni muhimu sana kwani wakati programu hasidi inatambuliwa kwenye kompyuta na IOC kwa programu hasidi hiyo inaundwa, timu nyingine za Blue zinaweza kuitumia kutambua programu hasidi haraka zaidi.
Zana ya kuunda au kuhariri IOCs ni [**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.**\
Unaweza kutumia zana kama [**Redline**](https://www.fireeye.com/services/freeware/redline.html) kutafuta IOCs zilizofafanuliwa kwenye kifaa.
### Loki
[**Loki**](https://github.com/Neo23x0/Loki) ni skana ya Viashiria Rahisi vya Uvamizi.\
Ugunduzi unategemea njia nne za ugunduzi:
```
1. File Name IOC
Regex match on full file path/name
2. Yara Rule Check
Yara signature matches on file data and process memory
3. Hash Check
Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files
4. C2 Back Connect Check
Compares process connection endpoints with C2 IOCs (new since version v.10)
```
### Linux Malware Detect
[**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) ni skanari wa programu hasidi kwa ajili ya Linux iliyotolewa chini ya leseni ya GNU GPLv2, ambayo imeundwa kuzingatia vitisho vinavyokabiliwa katika mazingira ya kuhudhuria pamoja. Inatumia data ya vitisho kutoka kwa mifumo ya udukuzi wa pembe ya mtandao ili kuchunguza programu hasidi ambayo inatumika kwa shambulio na kuzalisha saini za kugundua. Aidha, data ya vitisho pia hutokana na michango ya watumiaji na rasilimali za jamii ya programu hasidi.
### rkhunter
Zana kama [**rkhunter**](http://rkhunter.sourceforge.net) inaweza kutumika kuangalia mfumo wa faili kwa uwezekano wa **rootkits** na programu hasidi.
```bash
sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress]
```
### FLOSS
[**FLOSS**](https://github.com/mandiant/flare-floss) ni zana ambayo itajaribu kupata herufi zilizofichwa ndani ya faili za kutekelezwa kwa kutumia njia tofauti.
### PEpper
[PEpper](https://github.com/Th3Hurrican3/PEpper) inachunguza mambo ya msingi ndani ya faili ya kutekelezwa (data ya binary, entropy, URLs na IPs, baadhi ya sheria za yara).
### PEstudio
[PEstudio](https://www.winitor.com/download) ni zana ambayo inaruhusu kupata habari za faili za kutekelezwa za Windows kama vile uingizaji, utoaji, vichwa, lakini pia itachunguza virusi vya jumla na kupata mbinu za udukuzi zinazowezekana.
### Detect It Easy(DiE)
[**DiE**](https://github.com/horsicq/Detect-It-Easy/) ni zana ya kugundua ikiwa faili imefichwa na pia kupata wafungaji.
### NeoPI
[**NeoPI**](https://github.com/CiscoCXSecurity/NeoPI) ni skripti ya Python ambayo hutumia njia mbalimbali za takwimu kugundua maudhui yaliyofichwa na yaliyofichwa ndani ya faili za maandishi/skripti. Lengo la NeoPI ni kusaidia katika ugunduzi wa nambari ya kabati ya wavuti iliyofichwa.
### **php-malware-finder**
[**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) inafanya kazi yake vizuri kabisa kugundua nambari iliyofichwa/isiyoaminika pamoja na faili zinazotumia kazi za PHP mara nyingi hutumiwa katika programu hasi/nyavu za wavuti.
### Apple Binary Signatures
Unapochunguza sampuli fulani ya **malware** unapaswa daima **kagua saini** ya faili ya binary kwani **mwandishi** aliyetia saini tayari anaweza kuwa **husiana** na **malware**.
```bash
#Get signer
codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier"
#Check if the app’s contents have been modified
codesign --verify --verbose /Applications/Safari.app
#Check if the signature is valid
spctl --assess --verbose /Applications/Safari.app
```
## Mbinu za Uchunguzi
### Kupangilia Faili
Ikiwa unajua kwamba folda fulani inayohifadhi **faili** za seva ya wavuti ilisasishwa mwisho tarehe fulani. **Angalia** tarehe ambayo **faili zote** katika **seva ya wavuti ziliumbwa na kuhaririwa** na ikiwa tarehe yoyote ni **ya kushuku**, angalia faili hiyo.
### Viwango vya Msingi
Ikiwa faili za folda **hazipaswi kuhaririwa**, unaweza kuhesabu **hash** ya **faili za asili** za folda na **kulinganisha** na zile **za sasa**. Kitu chochote kilichohaririwa kitakuwa **cha kushuku**.
### Uchambuzi wa Takwimu
Wakati habari inahifadhiwa kwenye magogo, unaweza **angalia takwimu kama mara ngapi kila faili ya seva ya wavuti ilipatikana kwa sababu web shell inaweza kuwa moja ya mara nyingi**.
Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (HackTricks AWS Red Team Expert)!
Njia nyingine za kusaidia HackTricks:
* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi wa PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PR kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.