/MalwareResearch

This directory contains random scripts from threat hunting or malware research

Primary LanguageC#GNU General Public License v3.0GPL-3.0

MalwareResearch

This directory contains random scripts from threat hunting or malware research

EnumerationStation

This script will enumerate common malware directories looking for related malicious files

MalwareCentral

This script will enumerate common malware directories looking for related malicious files

getAllLocalAdmins

This script finds all local admins on a windows system

ParseFilesForZeusDirectory.pl

This script will enumerate known zeus directories looking for related malicious files

scrape_pdf.py

This script scrapes PDF's for script inside of it

JREManagement

This script will allow for various types of JRE management on a windows system

JREuninstall

This script will uninstall JRE's from a windows system

genGUID

this script just generates GUIDs for usage

vtScript.py

this script checks hashes against the virustotal database. it isnt mine. i just use it.

Volatility

This folder contains all of the custom scripts and other volatility related work

  • volatility_passwordRecovery.py
  • This script will accept a raw memeory dump and run it through various volatility commands to output usernames with their hashed passwords that can be used for cracking. I've recently been using the downloadable database from https://crackstation.net/ to crack NTLM hashes. I've been pulling memory dumps from windows systems with Dumpit. Dumpit is a free tool written by Matthieu Suiche from MoonSols . Dumpit support both 64-bit and 32-bit Windows operating systems. http://www.moonsols.com/wp-content/plugins/download-monitor/download.php?id=7
  • volatility_pslistToDot.py
  • This script will accept a raw memeory dump and run it through various volatility commands to output a list of running processes that is used to generate a graphical process tree. requires the installation of graphviz from http://www.graphviz.org/. dot format - "hierarchical" or layered drawings of directed graphs. This is the default tool to use if edges have directionality.
  • pslist.dot
  • This is an example of the output of the volatility_pslistToDot.py script
  • volatility_ConsoleCommands.py
  • This script will accept a raw memeory dump and run it through various volatility commands to output a list of Console Commands
  • volatility_NetworkConnections.py
  • This script will accept a raw memeory dump and run it through various volatility commands to output a list of network connections
  • volatility_Psxview.py
  • This script will accept a raw memeory dump and run it through various volatility commands to enumerate processes using various techniques and is likely to detect processes hidden by rootkits as well.
  • volatility_Services.py
  • This script will accept a raw memeory dump and run it through various volatility commands to output a list of running services

Malware Lab setup

What would I put into an opensource/free Security stack?

  • virtualbox - virtual host

  • securityonion - IDS

  • Snort, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools.

  • cuckoo - MAS

  • Free SIEM options

  • OSSIM -SIEM

  • MozDef - SIEM

  • Splunk - SIEM - free up to 500mb indexing per - http://www.splunk.com/en_us/products/splunk-enterprise/free-vs-enterprise.html

  • ELK - SIEM

  • (Elasticsearch, Logstash, Kibana)

  • LOGalyze -SIEM

  • more SIEM tools - http://baudlabs.com/top-free-and-open-source-log-management-software/

  • PFsense - firewall

  • Yara - signatures to look for stuff

  • brakeman - vuln scanner

  • FTK - forensic analysis

  • Autopsy - forensic analysis

  • sleuth kit - forensic analysis

  • SIFT - SANS Investigative Forensic Toolkit (SIFT)

  • volatility - memory forensics

  • nmap - network mapping tool

  • wireshark - network monitor

  • networkMiner - auto recompiles network packets from a loaded pcap

  • malzilla - Malware hunting tool

  • remnux - reverse enginering malware

  • https://remnux.org/docs/distro/tools/

  • online MAS tools

  • Anubis

  • EUREKA

  • Malwr

  • ThreatExpert

  • Attacker system tools

  • Kali - attacking platform

  • Metasploit - pentesting software

  • Victim system

  • Windows for free - http://pclosmag.com/html/issues/201309/page15.html

  • install vulnerable applications for application specific attacks