mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-15 17:28:13 +00:00
2.2 KiB
2.2 KiB
Malware Analysis
Forensics CheatSheets
https://www.jaiminton.com/cheatsheet/DFIR/#
Online Services
Offline antivirus
Yara
Install
sudo apt-get install -y yara
Prepare rules
Use this script to download and merge all the yara malware rules from github: https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9
Create the rules directory and execute it. This will create a file called malware_rules.yar which contains all the yara rules for malware.
wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
mkdir rules
python malware_yara_rules.py
Scan
yara -w malware_rules.yar image #Scan 1 file
yara -w malware_rules.yar folder #Scan hole fodler
ClamAV
Install
sudo apt-get install -y clamav
Scan
sudo freshclam #Update rules
clamscan filepath #Scan 1 file
clamscan folderpath #Scan the hole folder
rkhunter
Tools like rkhunter can be used to check the filesystem for possible rootkits and malware.
sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress]
PEpper
PEpper checks some basic stuff inside the executable binary data, entropy, URLs and IPs, some yara rules
.
Apple Binary Signatures
When checking some malware sample you should always check the signature of the binary as the developer that signed it may be already related with malware.
#Get signer
codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier"
#Check if the app’s contents have been modified
codesign --verify --verbose /Applications/Safari.app
#Check if the signature is valid
spctl --assess --verbose /Applications/Safari.app