GitBook: [master] 508 pages modified

forensics/basic-forensic-methodology/malware-analysis.md

@@ -39,6 +39,10 @@ yara -w malware_rules.yar image  #Scan 1 file
 yara -w malware_rules.yar folder #Scan hole fodler
 ```
 
+#### YaraGen: Check for malware and Create rules
+
+You can use the tool [**YaraGen**](https://github.com/Neo23x0/yarGen) to generate yara rules from a binary. Checkout these tutorials: [**Part 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Part 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Part 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/)
+
 ### ClamAV
 
 #### Install
@@ -55,6 +59,14 @@ clamscan filepath   #Scan 1 file
 clamscan folderpath #Scan the hole folder
 ```
 
+### IOCs
+
+IOC means Indicator Of Compromise. An IOC is a set of **conditions that identifies** some potentially unwanted software or a confirmed **malware**. Blue Teams use this kind of definitions to **search for this kind of malicious files** in their **systems** and **networks**.  
+To share these definitions is very useful as when a malware is identified in a computer and an IOC for that malware is created, other Blue Teams can use it to identify the malware faster.
+
+A tool to create or modify IOCs is ****[**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.**  
+You can use tools such as ****[**Redline**](https://www.fireeye.com/services/freeware/redline.html) ****to search for IOCs in a device.
+
 ### rkhunter
 
 Tools like [**rkhunter**](http://rkhunter.sourceforge.net/) can be used to check the filesystem for possible **rootkits** and malware.