From 067f37a85b64ff5d94d10d5d95420f3fe4c44c4a Mon Sep 17 00:00:00 2001 From: CPol Date: Mon, 16 Aug 2021 23:29:43 +0000 Subject: [PATCH] GitBook: [master] 508 pages modified --- .../basic-forensic-methodology/malware-analysis.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/forensics/basic-forensic-methodology/malware-analysis.md b/forensics/basic-forensic-methodology/malware-analysis.md index 22bd830a..a6e8b0fa 100644 --- a/forensics/basic-forensic-methodology/malware-analysis.md +++ b/forensics/basic-forensic-methodology/malware-analysis.md @@ -39,6 +39,10 @@ yara -w malware_rules.yar image #Scan 1 file yara -w malware_rules.yar folder #Scan hole fodler ``` +#### YaraGen: Check for malware and Create rules + +You can use the tool [**YaraGen**](https://github.com/Neo23x0/yarGen) to generate yara rules from a binary. Checkout these tutorials: [**Part 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Part 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Part 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/) + ### ClamAV #### Install 
@@ -55,6 +59,14 @@ clamscan filepath #Scan 1 file clamscan folderpath #Scan the hole folder ``` +### IOCs + +IOC means Indicator Of Compromise. An IOC is a set of **conditions that identifies** some potentially unwanted software or a confirmed **malware**. Blue Teams use this kind of definitions to **search for this kind of malicious files** in their **systems** and **networks**. +To share these definitions is very useful as when a malware is identified in a computer and an IOC for that malware is created, other Blue Teams can use it to identify the malware faster. + +A tool to create or modify IOCs is ****[**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.** +You can use tools such as ****[**Redline**](https://www.fireeye.com/services/freeware/redline.html) ****to search for IOCs in a device. + ### rkhunter Tools like [**rkhunter**](http://rkhunter.sourceforge.net/) can be used to check the filesystem for possible **rootkits** and malware.
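Review bot: In the first hunk (the `#### YaraGen` section added after the `yara -w` scan lines), the tool name is inconsistent: the heading and the link text say "YaraGen" while the linked repository is `github.com/Neo23x0/yarGen`; use one spelling (the repository's `yarGen`) in both places so readers can find the tool. Two small wording fixes in the same paragraph: "Checkout these tutorials" should read "Check out these tutorials", and the heading's mixed capitalisation ("Check for malware and Create rules") should match the sentence case used by the surrounding headings. Since the neighbouring YARA and ClamAV sections each show a fenced command example, this section would be more useful with a short fenced invocation of the tool against a sample directory, matching the page's existing style.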
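Review bot: In the second hunk (the `### IOCs` section added after the `clamscan` lines), the stray `****` bold markers around the two links ("is ****[**IOC Editor**](...)**.**" and "such as ****[**Redline**](...) ****to search") will render as literal asterisks or broken emphasis; drop them so the lines read "A tool to create or modify IOCs is [**IOC Editor**](...)." and "You can use tools such as [**Redline**](...) to search for IOCs in a device." Grammar in the definition paragraph also needs tidying: "this kind of definitions" should be "these definitions", and "To share these definitions is very useful as when" reads better as "Sharing these definitions is very useful: when". Finally, the definition says an IOC is "a set of conditions that identifies" malware but never says what those conditions look like; one sentence listing the typical artefact types an IOC describes would make the section concrete for readers who then open IOC Editor.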