mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-15 01:17:36 +00:00
1.7 KiB
1.7 KiB
Malware Analysis
Forensics CheatSheets
https://www.jaiminton.com/cheatsheet/DFIR/#
Online Services
Offline antivirus
Yara
Install
sudo apt-get install -y yara
Prepare rules
Use this script to download and merge all the yara malware rules from github: https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9
Create the rules directory and execute it. This will create a file called malware_rules.yar which contains all the yara rules for malware.
wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
mkdir rules
python malware_yara_rules.py
Scan
yara -w malware_rules.yar image #Scan 1 file
yara -w malware_rules.yar folder #Scan hole fodler
ClamAV
Install
sudo apt-get install -y clamav
Scan
sudo freshclam #Update rules
clamscan filepath #Scan 1 file
clamscan folderpath #Scan the hole folder
rkhunter
Tools like rkhunter can be used to check the filesystem for possible rootkits and malware.
sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress]
PEpper
PEpper checks some basic stuff inside the executable binary data, entropy, URLs and IPs, some yara rules
.