Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-26 14:40:37 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/forensics/basic-forensic-methodology/malware-analysis.md

180 lines
9.1 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Uchambuzi wa Programu Hasidi
{% hint style="success" %}
Jifunze na zoea AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**Mafunzo ya HackTricks AWS Timu Nyekundu Mtaalam (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na zoea GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**Mafunzo ya HackTricks GCP Timu Nyekundu Mtaalam (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Angalia [**mpango wa michango**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## Vicharazio vya Uchunguzi
[https://www.jaiminton.com/cheatsheet/DFIR/#](https://www.jaiminton.com/cheatsheet/DFIR/)
## Huduma za Mtandaoni
* [VirusTotal](https://www.virustotal.com/gui/home/upload)
* [HybridAnalysis](https://www.hybrid-analysis.com)
* [Koodous](https://koodous.com)
* [Intezer](https://analyze.intezer.com)
* [Any.Run](https://any.run/)
## Zana za Kugundua na Kupambana na Programu za Kupambana na Virus Bila Mtandao
### Yara
#### Sakinisha
```bash
sudo apt-get install -y yara
```
#### Jipange sheria
Tumia script hii kupakua na kuchanganya sheria zote za yara za zisizo kutoka kwa github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\
Unda directory ya _**sheria**_ na kuitekeleza. Hii itaunda faili iliyoitwa _**malware\_rules.yar**_ ambayo ina sheria zote za yara kwa ajili ya zisizo.
```bash
wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
mkdir rules
python malware_yara_rules.py
```
#### Kagua
```bash
yara -w malware_rules.yar image #Scan 1 file
yara -w malware_rules.yar folder #Scan the whole folder
```
#### YaraGen: Angalia kwa zisomaji wa programu hasidi na Unda sheria
Unaweza kutumia zana [**YaraGen**](https://github.com/Neo23x0/yarGen) kuzalisha sheria za yara kutoka kwa faili ya binary. Angalia mafunzo haya: [**Sehemu 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Sehemu 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Sehemu 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/)
```bash
python3 yarGen.py --update
python3.exe yarGen.py --excludegood -m ../../mals/
```
### ClamAV
#### Sakinisha
```
sudo apt-get install -y clamav
```
#### Kuchunguza
```bash
sudo freshclam #Update rules
clamscan filepath #Scan 1 file
clamscan folderpath #Scan the whole folder
```
### [Capa](https://github.com/mandiant/capa)
**Capa** inagundua uwezo wa uwezekano wa kwa faili za kutekelezwa: PE, ELF, .NET. Kwa hivyo itapata vitu kama mbinu za Att\&ck, au uwezo wa shaka kama vile:
* angalia kosa la OutputDebugString
* tekeleza kama huduma
* unda mchakato
Pata katika [**repo ya Github**](https://github.com/mandiant/capa).
### IOCs
IOC inamaanisha Kiashiria cha Kukiuka. IOC ni seti ya **mazingira yanayotambua** programu fulani inayoweza kutokuwa ya kutaka au **malware** iliyothibitishwa. Timu za Bluu hutumia aina hii ya ufafanuzi kutafuta faili za aina hii ya uovu katika **mifumo** yao na **mitandao**.\
Kushiriki ufafanuzi huu ni muhimu sana kwani wakati malware inatambuliwa kwenye kompyuta na IOC kwa malware hiyo inaundwa, Timu zingine za Bluu wanaweza kutumia hiyo kuitambua malware haraka zaidi.
Zana ya kuunda au kuhariri IOCs ni [**Mhariri wa IOC**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.**\
Unaweza kutumia zana kama [**Redline**](https://www.fireeye.com/services/freeware/redline.html) kutafuta IOCs zilizofafanuliwa kwenye kifaa.
### Loki
[**Loki**](https://github.com/Neo23x0/Loki) ni skana ya Viashiria Rahisi vya Kukiuka.\
Ugunduzi unategemea njia nne za ugunduzi:
```
1. File Name IOC
Regex match on full file path/name
2. Yara Rule Check
Yara signature matches on file data and process memory
3. Hash Check
Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files
4. C2 Back Connect Check
Compares process connection endpoints with C2 IOCs (new since version v.10)
```
### Uchunguzi wa Malware wa Linux
[**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) ni skana ya malware kwa Linux iliyotolewa chini ya leseni ya GNU GPLv2, ambayo imeundwa kuzunguka vitisho vinavyokabiliwa katika mazingira ya kuhudumia pamoja. Inatumia data ya vitisho kutoka kwa mifumo ya uchunguzi wa kuvamia pembe ya mtandao ili kutoa malware ambayo inatumika kwa shughuli za mashambulizi na kuzalisha saini za uchunguzi. Aidha, data ya vitisho pia inatokana na michango ya watumiaji na kipengele cha ukaguzi wa LMD na rasilimali za jamii ya malware.
### rkhunter
Zana kama [**rkhunter**](http://rkhunter.sourceforge.net) inaweza kutumika kuchunguza mfumo wa faili kwa **rootkits** na malware.
```bash
sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress]
```
### FLOSS
[**FLOSS**](https://github.com/mandiant/flare-floss) ni chombo ambacho kitajaribu kupata strings zilizofichwa ndani ya faili za utekelezaji kwa kutumia njia tofauti.
### PEpper
[PEpper](https://github.com/Th3Hurrican3/PEpper) huchunguza vitu vya msingi ndani ya faili ya utekelezaji (data ya binary, entropy, URLs na IPs, baadhi ya sheria za yara).
### PEstudio
[PEstudio](https://www.winitor.com/download) ni chombo kinachoruhusu kupata habari za faili za utekelezaji wa Windows kama vile uingizaji, utoaji, vichwa, lakini pia itachunguza virus total na kupata mbinu za shambulizi za uwezekano.
### Detect It Easy(DiE)
[**DiE**](https://github.com/horsicq/Detect-It-Easy/) ni chombo cha kugundua ikiwa faili ime **fichwa** na pia kupata **packers**.
### NeoPI
[**NeoPI**](https://github.com/CiscoCXSecurity/NeoPI) ni skripti ya Python inayotumia aina mbalimbali za **njia za takwimu** kugundua maudhui yaliyofichwa na yaliyofichwa ndani ya faili za maandishi/skripti. Lengo la NeoPI ni kusaidia katika **ugunduzi wa nambari iliyofichwa ya web shell**.
### **php-malware-finder**
[**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) inafanya bidii yake kugundua **nambari iliyofichwa**/**nambari ya shaka** pamoja na faili zinazotumia kazi za **PHP** mara nyingi hutumiwa katika **malwares**/webshells.
### Saini za Binary za Apple
Unapochunguza sampuli fulani za **malware** unapaswa daima **kuangalia saini** ya binary kwani **mwendelezaji** aliyetia saini inaweza tayari kuwa **husiana** na **malware.**
```bash
#Get signer
codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier"
#Check if the apps contents have been modified
codesign --verify --verbose /Applications/Safari.app
#Check if the signature is valid
spctl --assess --verbose /Applications/Safari.app
```
## Mbinu za Kugundua
### Kufunga Faili
Ikiwa unajua kwamba folda fulani inayohifadhi **faili** za seva ya wavuti ilikuwa **imeboreshwa mwisho tarehe fulani**. **Angalia** tarehe ambayo **faili zote** kwenye **seva ya wavuti ziliumbwa na kuhaririwa** na ikiwa tarehe yoyote ni **ya shaka**, hakiki faili hiyo.
### Vipimo vya Msingi
Ikiwa faili za folda **hazipaswi kuhaririwa**, unaweza kuhesabu **hash** ya **faili za asili** za folda na **kuzilinganisha** na **za sasa**. Kitu chochote kilichohaririwa kitakuwa **cha shaka**.
### Uchambuzi wa Takwimu
Wakati habari inahifadhiwa kwenye magogo unaweza **kuchunguza takwimu kama mara ngapi kila faili ya seva ya wavuti ilipatikana kwani ganda la wavuti inaweza kuwa mojawapo ya**.
{% hint style="success" %}
Jifunze & jifunze AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**Mafunzo ya HackTricks AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze & jifunze GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**Mafunzo ya HackTricks GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>unga mkono HackTricks</summary>
* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
Reference in a new issue View git blame Copy permalink