Add markdown wiki with 473 pages and zk browser

Generate interlinked wiki from master inventory: 397 tool pages, 15 workflow pages, 27 recipe pages, 33 category pages, plus index. All pages use [[wiki-links]] for cross-navigation between tools, workflows, recipes, and categories (1782 links total). Install zk for interactive browsing with fzf search, tag filtering, and backlink discovery. Add 'fhelp wiki' command and Makefile target. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 19:50:36 +01:00
parent b13db23a5e
commit e62a14dafc
478 changed files with 7683 additions and 5 deletions
@@ -0,0 +1,31 @@
+# 1768.py
+> Parse Cobalt Strike beacon configuration from shellcode or memory dumps
+
+**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610) | **Author:** Didier Stevens
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)
+
+## Usage
+```bash
+1768.py shellcode.bin
+```
+
+## Recipes
+- [[recipes/cobalt-strike-beacon-parse|Parse Cobalt Strike Beacon Configuration]]
+
+## Workflows
+- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 6: Embedded Object Analysis
+- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 4: Framework Identification
+- [[workflows/cobalt-strike-workflow|Cobalt Strike Analysis]] — Step 2: Configuration Extraction
+
+## Related Tools
+- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files.
+- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files
+- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st
+- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to
+- [[tools/cobalt-strike-configuration-extractor-csce-and-parser|Cobalt Strike Configuration Extractor (CSCE) and Parser]] — Analyze Cobalt Strike beacons.
+
+## FOR610
+**Labs:** 3.4
+**Sections:** 3
+
+#cobalt-strike #beacon #c2-config #didier-stevens
@@ -0,0 +1,14 @@
+# 7-Zip
+> Compress and decompress files using a variety of algorithms.
+
+**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general)
+
+## Related Tools
+- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images
+- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files.
+- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu
+- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab
+- [[tools/disitool|disitool]] — Manipulate embedded digital signatures.
+
+#examine-static-properties-general
@@ -0,0 +1,4 @@
+# 7zip
+
+**Tier:** Basic
+
@@ -0,0 +1,4 @@
+# aeskeyfind
+
+**Tier:** Basic
+
@@ -0,0 +1,11 @@
+# AESKeyFinder
+> Find 128-bit and 256-bit AES keys in a memory image.
+
+**Category:** [[categories/perform-memory-forensics|Perform Memory Forensics]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/perform+memory+forensics](https://docs.remnux.org/discover-the-tools/perform+memory+forensics)
+
+## Related Tools
+- [[tools/rsakeyfinder|RSAKeyFinder]] — Find BER-encoded RSA private keys in a memory image.
+- [[tools/volatility3|volatility3]] — Memory forensics framework — analyze RAM dumps to find malwa
+
+#perform-memory-forensics
@@ -0,0 +1,24 @@
+# androguard
+> Analyze Android APK files — extract permissions, activities, intents, and decompile DEX code
+
+**Category:** [[categories/statically-analyze-code-android|Statically Analyze Code > Android]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/android](https://docs.remnux.org/discover-the-tools/statically+analyze+code/android)
+
+## Usage
+```bash
+androguard analyze <app.apk>
+androguard decompile -o output/ <app.apk>
+androgui.py <app.apk>
+```
+
+## Workflows
+- [[workflows/android-analysis-workflow|Android Malware Analysis]] — Step 4: Static Analysis
+
+## Related Tools
+- [[tools/androidprojectcreator|AndroidProjectCreator]] — Convert an Android APK application file into an Android Stud
+- [[tools/apkid|apkid]] — Identify compilers, packers, and obfuscators used to protect
+- [[tools/apktool|apktool]] — Decompile and recompile Android APK files — extract resource
+- [[tools/baksmali|baksmali]] — Disassembler for the dex format used by Dalvik, Android&#x27
+- [[tools/dex2jar|dex2jar]] — Examine Dalvik Executable (dex) files.
+
+#android #apk #permissions #decompilation
@@ -0,0 +1,4 @@
+# android-project-creator
+
+**Tier:** Basic
+
@@ -0,0 +1,14 @@
+# AndroidProjectCreator
+> Convert an Android APK application file into an Android Studio project for easier analysis.
+
+**Category:** [[categories/statically-analyze-code-android|Statically Analyze Code > Android]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/android](https://docs.remnux.org/discover-the-tools/statically+analyze+code/android)
+
+## Related Tools
+- [[tools/androguard|androguard]] — Analyze Android APK files — extract permissions, activities,
+- [[tools/apkid|apkid]] — Identify compilers, packers, and obfuscators used to protect
+- [[tools/apktool|apktool]] — Decompile and recompile Android APK files — extract resource
+- [[tools/baksmali|baksmali]] — Disassembler for the dex format used by Dalvik, Android&#x27
+- [[tools/dex2jar|dex2jar]] — Examine Dalvik Executable (dex) files.
+
+#statically-analyze-code-android
@@ -0,0 +1,14 @@
+# anomy
+> A wrapper around wget, ssh, sftp, ftp, and telnet to route these connections through Tor to anonymize your traffic.
+
+**Category:** [[categories/explore-network-interactions-connecting|Explore Network Interactions > Connecting]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting](https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting)
+
+## Related Tools
+- [[tools/curl|curl]] — Transfer data to/from servers using various protocols
+- [[tools/epic-irc-client|EPIC IRC Client]] — Examine IRC activities with this IRC client.
+- [[tools/gnu-wget|GNU Wget]] — Interact with servers via HTTP, HTTPS, FTP, and FTPS using t
+- [[tools/nc|nc]] — Network utility for reading/writing data across TCP/UDP conn
+- [[tools/thug|Thug]] — Low-interaction honeyclient for analyzing malicious websites
+
+#explore-network-interactions-connecting
@@ -0,0 +1,20 @@
+# apkid
+> Identify compilers, packers, and obfuscators used to protect Android APK and DEX files.
+
+**Category:** [[categories/statically-analyze-code-android|Statically Analyze Code > Android]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/android](https://docs.remnux.org/discover-the-tools/statically+analyze+code/android)
+
+## Recipes
+- [[recipes/apk-quick-triage|Quick APK Triage]]
+
+## Workflows
+- [[workflows/android-analysis-workflow|Android Malware Analysis]] — Step 1: APK Triage
+
+## Related Tools
+- [[tools/androguard|androguard]] — Analyze Android APK files — extract permissions, activities,
+- [[tools/androidprojectcreator|AndroidProjectCreator]] — Convert an Android APK application file into an Android Stud
+- [[tools/apktool|apktool]] — Decompile and recompile Android APK files — extract resource
+- [[tools/baksmali|baksmali]] — Disassembler for the dex format used by Dalvik, Android&#x27
+- [[tools/dex2jar|dex2jar]] — Examine Dalvik Executable (dex) files.
+
+#statically-analyze-code-android
@@ -0,0 +1,26 @@
+# apktool
+> Decompile and recompile Android APK files — extract resources, smali code, and manifest
+
+**Category:** [[categories/statically-analyze-code-android|Statically Analyze Code > Android]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/android](https://docs.remnux.org/discover-the-tools/statically+analyze+code/android)
+
+## Usage
+```bash
+apktool d <app.apk> -o output/
+apktool b output/ -o rebuilt.apk
+```
+
+## Recipes
+- [[recipes/apk-quick-triage|Quick APK Triage]]
+
+## Workflows
+- [[workflows/android-analysis-workflow|Android Malware Analysis]] — Step 2: Manifest Analysis
+
+## Related Tools
+- [[tools/androguard|androguard]] — Analyze Android APK files — extract permissions, activities,
+- [[tools/androidprojectcreator|AndroidProjectCreator]] — Convert an Android APK application file into an Android Stud
+- [[tools/apkid|apkid]] — Identify compilers, packers, and obfuscators used to protect
+- [[tools/baksmali|baksmali]] — Disassembler for the dex format used by Dalvik, Android&#x27
+- [[tools/dex2jar|dex2jar]] — Examine Dalvik Executable (dex) files.
+
+#android #apk #decompilation #resources
@@ -0,0 +1,4 @@
+# apt-utils
+
+**Tier:** Basic
+
@@ -0,0 +1,4 @@
+# archive-zip
+
+**Tier:** Basic
+
@@ -0,0 +1,4 @@
+# autoconf
+
+**Tier:** Basic
+
@@ -0,0 +1,11 @@
+# autoit-ripper
+> Extract AutoIt scripts embedded in PE binaries.
+
+**Category:** [[categories/statically-analyze-code-scripts|Statically Analyze Code > Scripts]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/scripts](https://docs.remnux.org/discover-the-tools/statically+analyze+code/scripts)
+
+## Related Tools
+- [[tools/decode-vbe|decode-vbe.py]] — Decode encoded VBS scripts (VBE).
+- [[tools/js-beautify|js-beautify]] — Format and beautify obfuscated JavaScript code for readabili
+
+#statically-analyze-code-scripts
@@ -0,0 +1,4 @@
+# autologin
+
+**Tier:** Basic
+
@@ -0,0 +1,4 @@
+# automake
+
+**Tier:** Basic
+
@@ -0,0 +1,14 @@
+# baksmali
+> Disassembler for the dex format used by Dalvik, Android&#x27;s Java VM implementation.
+
+**Category:** [[categories/statically-analyze-code-android|Statically Analyze Code > Android]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/android](https://docs.remnux.org/discover-the-tools/statically+analyze+code/android)
+
+## Related Tools
+- [[tools/androguard|androguard]] — Analyze Android APK files — extract permissions, activities,
+- [[tools/androidprojectcreator|AndroidProjectCreator]] — Convert an Android APK application file into an Android Stud
+- [[tools/apkid|apkid]] — Identify compilers, packers, and obfuscators used to protect
+- [[tools/apktool|apktool]] — Decompile and recompile Android APK files — extract resource
+- [[tools/dex2jar|dex2jar]] — Examine Dalvik Executable (dex) files.
+
+#statically-analyze-code-android
@@ -0,0 +1,14 @@
+# balbuzard
+> Extract and deobfuscate patterns from suspicious files.
+
+**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)
+
+## Related Tools
+- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m
+- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files
+- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st
+- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to
+- [[tools/cobalt-strike-configuration-extractor-csce-and-parser|Cobalt Strike Configuration Extractor (CSCE) and Parser]] — Analyze Cobalt Strike beacons.
+
+#examine-static-properties-deobfuscation
@@ -0,0 +1,34 @@
+# base64dump.py
+> Extract and decode Base64-encoded strings from files
+
+**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610) | **Author:** Didier Stevens
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)
+
+## Usage
+```bash
+base64dump.py file.txt
+base64dump.py file.ps1 -n 10
+base64dump.py file.ps1 -s 2 -d
+```
+
+## Recipes
+- [[recipes/extract-base64-ps-from-vba|Extract Base64 PowerShell from Office Macro]]
+- [[recipes/multi-stage-base64-gzip|Decode Base64 + Gzip Payload]]
+- [[recipes/base64-xor-shellcode|Decode Base64 + XOR Shellcode]]
+- [[recipes/office-full-decode-chain|Full Office Macro Decode Chain]]
+
+## Workflows
+- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 5: Payload Decoding
+
+## Related Tools
+- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m
+- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files.
+- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st
+- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to
+- [[tools/cobalt-strike-configuration-extractor-csce-and-parser|Cobalt Strike Configuration Extractor (CSCE) and Parser]] — Analyze Cobalt Strike beacons.
+
+## FOR610
+**Labs:** 3.4, 4.5
+**Sections:** 3, 4
+
+#base64 #decoding #didier-stevens
@@ -0,0 +1,4 @@
+# bash-history
+
+**Tier:** Basic
+
@@ -0,0 +1,4 @@
+# bash-rc
+
+**Tier:** Basic
+
@@ -0,0 +1,21 @@
+# bbcrack
+> Detect and decode strings obfuscated with XOR, ROL, and ADD algorithms
+
+**Category:** [[categories/string-deobfuscation|string-deobfuscation]] | **Tier:** Rich (FOR610)
+
+## Usage
+```bash
+bbcrack -l 1 specimen.dll
+```
+
+## Recipes
+- [[recipes/xor-key-brute-force|Brute-Force XOR Key]]
+
+## Workflows
+- [[workflows/string-deobfuscation-workflow|String & Data Deobfuscation]] — Step 2: Encoding Detection
+
+## FOR610
+**Labs:** 5.2
+**Sections:** 5
+
+#xor #rol #add #deobfuscation #balbuzard
@@ -0,0 +1,4 @@
+# bearparser
+
+**Tier:** Basic
+
@@ -0,0 +1,12 @@
+# binee (Binary Emulation Environment)
+> Analyze I/O operations of a suspicious PE file by emulating its execution.
+
+**Category:** [[categories/statically-analyze-code-pe-files|Statically Analyze Code > PE Files]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files](https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files)
+
+## Related Tools
+- [[tools/capa|capa]] — Identify malware capabilities mapped to MITRE ATT&CK framewo
+- [[tools/mbcscan|mbcscan]] — Scan a PE file to list the associated Malware Behavior Catal
+- [[tools/speakeasy|speakeasy]] — Windows binary emulator — emulates API calls to analyze malw
+
+#statically-analyze-code-pe-files
@@ -0,0 +1,4 @@
+# binee
+
+**Tier:** Basic
+
@@ -0,0 +1,4 @@
+# binutils
+
+**Tier:** Basic
+
@@ -0,0 +1,23 @@
+# binwalk
+> Analyze and extract embedded files and firmware images
+
+**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general)
+
+## Usage
+```bash
+binwalk firmware.bin
+binwalk -e firmware.bin
+```
+
+## Related Tools
+- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms.
+- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files.
+- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu
+- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab
+- [[tools/disitool|disitool]] — Manipulate embedded digital signatures.
+
+## FOR610
+**Sections:** 1
+
+#firmware #extraction #embedded-files
@@ -0,0 +1,24 @@
+# box-js
+> JavaScript sandbox for analyzing malicious scripts by emulating browser/WScript APIs
+
+**Category:** [[categories/dynamically-reverse-engineer-code-scripts|Dynamically Reverse-Engineer Code > Scripts]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts](https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts)
+
+## Usage
+```bash
+box-js --output-dir=/tmp suspicious.js
+```
+
+## Workflows
+- [[workflows/javascript-deobfuscation-workflow|JavaScript Deobfuscation]] — Step 5: Alternative Analysis
+
+## Related Tools
+- [[tools/jstillery|jstillery]] — Deobfuscate JavaScript scripts using AST and Partial Evaluat
+- [[tools/objects-js|objects.js]] — Emulate common browser and PDF viewer objects, methods, and 
+- [[tools/powershell|powershell]] — Run PowerShell scripts and commands.
+- [[tools/spidermonkey|SpiderMonkey]] — Mozilla JavaScript engine — execute and deobfuscate maliciou
+
+## FOR610
+**Sections:** 3
+
+#javascript #sandbox #emulation
@@ -0,0 +1,29 @@
+# brxor.py
+> Brute-force XOR key detection for single-byte XOR-encoded strings
+
+**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)
+
+## Usage
+```bash
+brxor.py specimen.dll
+```
+
+## Recipes
+- [[recipes/xor-key-brute-force|Brute-Force XOR Key]]
+
+## Workflows
+- [[workflows/string-deobfuscation-workflow|String & Data Deobfuscation]] — Step 3: Single-Byte XOR Recovery
+
+## Related Tools
+- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m
+- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files.
+- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files
+- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to
+- [[tools/cobalt-strike-configuration-extractor-csce-and-parser|Cobalt Strike Configuration Extractor (CSCE) and Parser]] — Analyze Cobalt Strike beacons.
+
+## FOR610
+**Labs:** 5.2
+**Sections:** 5
+
+#xor #brute-force #deobfuscation
@@ -0,0 +1,4 @@
+# build-essential
+
+**Tier:** Basic
+
@@ -0,0 +1,14 @@
+# bulk-extractor
+> Extract interesting strings from binary files.
+
+**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general)
+
+## Related Tools
+- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms.
+- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images
+- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu
+- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab
+- [[tools/disitool|disitool]] — Manipulate embedded digital signatures.
+
+#examine-static-properties-general
@@ -0,0 +1,4 @@
+# bundler
+
+**Tier:** Basic
+
@@ -0,0 +1,14 @@
+# Burp Suite Community Edition
+> Investigate website interactions using this web proxy.
+
+**Category:** [[categories/explore-network-interactions-monitoring|Explore Network Interactions > Monitoring]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring](https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring)
+
+## Related Tools
+- [[tools/cs-parse-traffic|cs-parse-traffic.py]] — Decrypt and parse Cobalt Strike beacon network traffic using
+- [[tools/mitmproxy|mitmproxy]] — Interactive HTTPS proxy for intercepting, inspecting, and mo
+- [[tools/network-miner-free-edition|Network Miner Free Edition]] — Examine network traffic and carve PCAP capture files.
+- [[tools/ngrep|ngrep]] — Search network traffic for patterns — like grep for packets
+- [[tools/polarproxy|polarproxy]] — Transparent TLS proxy that decrypts traffic and saves it as 
+
+#explore-network-interactions-monitoring
@@ -0,0 +1,4 @@
+# burpsuite-community
+
+**Tier:** Basic
+
@@ -0,0 +1,18 @@
+# Bytehist
+> Generate byte-usage histograms to visually identify packed or encrypted sections in binaries
+
+**Category:** [[categories/statically-analyze-code-unpacking|Statically Analyze Code > Unpacking]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/unpacking](https://docs.remnux.org/discover-the-tools/statically+analyze+code/unpacking)
+
+## Usage
+```bash
+bytehist specimen.exe
+```
+
+## Related Tools
+- [[tools/upx|UPX]] — Universal Packer for eXecutables — compress and decompress P
+
+## FOR610
+**Sections:** 1, 4
+
+#pe #entropy #packing-detection #histogram
@@ -0,0 +1,14 @@
+# cabextract
+> Extract Microsoft cabinet (cab) files.
+
+**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities)
+
+## Related Tools
+- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions.
+- [[tools/docker|docker]] — Run and manage containers.
+- [[tools/firefox|firefox]] — Web browser.
+- [[tools/gnome-calculator|GNOME Calculator]] — Calculator.
+- [[tools/ibus|ibus]] — Adjust input methods for the GUI.
+
+#general-utilities
@@ -0,0 +1,34 @@
+# capa
+> Identify malware capabilities mapped to MITRE ATT&CK framework and Malware Behavior Catalog
+
+**Category:** [[categories/statically-analyze-code-pe-files|Statically Analyze Code > PE Files]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files](https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files)
+
+## Usage
+```bash
+capa specimen.exe
+capa -vv specimen.exe
+capa -vv specimen.exe | grep -A7 'Suspended Process'
+```
+
+## Recipes
+- [[recipes/capa-capability-filter|Filter Capabilities by Technique]]
+
+## Workflows
+- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 5: Capability Detection
+- [[workflows/behavioral-analysis-workflow|Behavioral Analysis]] — Step 4: Emulation (Safe Alternative)
+- [[workflows/unpacking-workflow|Unpacking Packed Executables]] — Step 8: Verification
+- [[workflows/code-injection-workflow|Code Injection Analysis]] — Step 1: Capability Detection
+- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 1: Shellcode Detection
+- [[workflows/cobalt-strike-workflow|Cobalt Strike Analysis]] — Step 1: Beacon Detection
+
+## Related Tools
+- [[tools/binee-binary-emulation-environment|binee (Binary Emulation Environment)]] — Analyze I/O operations of a suspicious PE file by emulating 
+- [[tools/mbcscan|mbcscan]] — Scan a PE file to list the associated Malware Behavior Catal
+- [[tools/speakeasy|speakeasy]] — Windows binary emulator — emulates API calls to analyze malw
+
+## FOR610
+**Labs:** 1.4, 5.4
+**Sections:** 1, 5
+
+#capabilities #mitre-attack #automated-analysis
@@ -0,0 +1,14 @@
+# cast
+> Install and manage SaltStack-based Linux distributions.
+
+**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities)
+
+## Related Tools
+- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files.
+- [[tools/docker|docker]] — Run and manage containers.
+- [[tools/firefox|firefox]] — Web browser.
+- [[tools/gnome-calculator|GNOME Calculator]] — Calculator.
+- [[tools/ibus|ibus]] — Adjust input methods for the GUI.
+
+#general-utilities
@@ -0,0 +1,4 @@
+# cffi
+
+**Tier:** Basic
+
@@ -0,0 +1,22 @@
+# cfr
+> Modern Java decompiler — handles Java 8+ features including lambdas and try-with-resources
+
+**Category:** [[categories/statically-analyze-code-java|Statically Analyze Code > Java]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/java](https://docs.remnux.org/discover-the-tools/statically+analyze+code/java)
+
+## Usage
+```bash
+cfr <file.jar> --outputdir output/
+cfr <file.class>
+```
+
+## Workflows
+- [[workflows/java-analysis-workflow|Java Malware Analysis]] — Step 2: Decompilation
+
+## Related Tools
+- [[tools/java-idx-parser|java-idx-parser]] — Analyze Java IDX files.
+- [[tools/javassist|Javassist]] — Java bytecode engineering toolkit/library.
+- [[tools/jd-gui-java-decompiler|JD-GUI Java Decompiler]] — Java decompiler with GUI.
+- [[tools/procyon|Procyon]] — Java decompiler.
+
+#java #decompilation #jar
@@ -0,0 +1,14 @@
+# chepy
+> Decode and otherwise analyze data using this command-line tool and Python library.
+
+**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)
+
+## Related Tools
+- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m
+- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files.
+- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files
+- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st
+- [[tools/cobalt-strike-configuration-extractor-csce-and-parser|Cobalt Strike Configuration Extractor (CSCE) and Parser]] — Analyze Cobalt Strike beacons.
+
+#examine-static-properties-deobfuscation
@@ -0,0 +1,4 @@
+# clamav-daemon
+
+**Tier:** Basic
+
@@ -0,0 +1,21 @@
+# ClamAV
+> Open-source antivirus — scan files for known malware signatures
+
+**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general)
+
+## Usage
+```bash
+clamscan <sample>
+clamscan -r <directory>/
+freshclam
+```
+
+## Related Tools
+- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms.
+- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images
+- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files.
+- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab
+- [[tools/disitool|disitool]] — Manipulate embedded digital signatures.
+
+#antivirus #scanning #signatures
@@ -0,0 +1,14 @@
+# Cobalt Strike Configuration Extractor (CSCE) and Parser
+> Analyze Cobalt Strike beacons.
+
+**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)
+
+## Related Tools
+- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m
+- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files.
+- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files
+- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st
+- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to
+
+#examine-static-properties-deobfuscation
@@ -0,0 +1,4 @@
+# compatibility
+
+**Tier:** Basic
+
@@ -0,0 +1,22 @@
+# cs-analyze-processdump.py
+> Analyze Cobalt Strike beacon process dumps for sleep mask encoding
+
+**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)
+
+## Usage
+```bash
+cs-analyze-processdump.py <process_dump>
+```
+
+## Workflows
+- [[workflows/cobalt-strike-workflow|Cobalt Strike Analysis]] — Step 6: Sleep Mask Analysis
+
+## Related Tools
+- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m
+- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files.
+- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files
+- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st
+- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to
+
+#cobalt-strike #sleep-mask #memory
@@ -0,0 +1,22 @@
+# cs-decrypt-metadata.py
+> Decrypt Cobalt Strike beacon metadata from network captures
+
+**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)
+
+## Usage
+```bash
+cs-decrypt-metadata.py <metadata_hex>
+```
+
+## Workflows
+- [[workflows/cobalt-strike-workflow|Cobalt Strike Analysis]] — Step 3: Metadata Decryption
+
+## Related Tools
+- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m
+- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files.
+- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files
+- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st
+- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to
+
+#cobalt-strike #decryption #metadata
@@ -0,0 +1,22 @@
+# cs-extract-key.py
+> Extract AES and HMAC encryption keys from Cobalt Strike beacon process memory dumps
+
+**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)
+
+## Usage
+```bash
+cs-extract-key.py -f <process_dump>
+```
+
+## Workflows
+- [[workflows/cobalt-strike-workflow|Cobalt Strike Analysis]] — Step 4: Key Extraction
+
+## Related Tools
+- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m
+- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files.
+- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files
+- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st
+- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to
+
+#cobalt-strike #encryption #key-extraction
@@ -0,0 +1,22 @@
+# cs-parse-traffic.py
+> Decrypt and parse Cobalt Strike beacon network traffic using extracted keys
+
+**Category:** [[categories/explore-network-interactions-monitoring|Explore Network Interactions > Monitoring]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring](https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring)
+
+## Usage
+```bash
+cs-parse-traffic.py -f <capture.pcap> -k <keys_file>
+```
+
+## Workflows
+- [[workflows/cobalt-strike-workflow|Cobalt Strike Analysis]] — Step 5: Traffic Decryption
+
+## Related Tools
+- [[tools/burp-suite-community-edition|Burp Suite Community Edition]] — Investigate website interactions using this web proxy.
+- [[tools/mitmproxy|mitmproxy]] — Interactive HTTPS proxy for intercepting, inspecting, and mo
+- [[tools/network-miner-free-edition|Network Miner Free Edition]] — Examine network traffic and carve PCAP capture files.
+- [[tools/ngrep|ngrep]] — Search network traffic for patterns — like grep for packets
+- [[tools/polarproxy|polarproxy]] — Transparent TLS proxy that decrypts traffic and saves it as 
+
+#cobalt-strike #traffic #decryption
@@ -0,0 +1,23 @@
+# curl
+> Transfer data to/from servers using various protocols
+
+**Category:** [[categories/explore-network-interactions-connecting|Explore Network Interactions > Connecting]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting](https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting)
+
+## Usage
+```bash
+curl -L http://example.com
+curl -o output.bin http://example.com/file
+```
+
+## Related Tools
+- [[tools/anomy|anomy]] — A wrapper around wget, ssh, sftp, ftp, and telnet to route t
+- [[tools/epic-irc-client|EPIC IRC Client]] — Examine IRC activities with this IRC client.
+- [[tools/gnu-wget|GNU Wget]] — Interact with servers via HTTP, HTTPS, FTP, and FTPS using t
+- [[tools/nc|nc]] — Network utility for reading/writing data across TCP/UDP conn
+- [[tools/thug|Thug]] — Low-interaction honeyclient for analyzing malicious websites
+
+## FOR610
+**Sections:** 1
+
+#download #http #transfer
@@ -0,0 +1,14 @@
+# cut-bytes.py
+> Cut out a part of a data stream.
+
+**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)
+
+## Related Tools
+- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m
+- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files.
+- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files
+- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st
+- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to
+
+#examine-static-properties-deobfuscation
@@ -0,0 +1,25 @@
+# Cutter
+> Open-source reverse engineering platform — Qt-based GUI for radare2
+
+**Category:** [[categories/statically-analyze-code-general|Statically Analyze Code > General]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/general](https://docs.remnux.org/discover-the-tools/statically+analyze+code/general)
+
+## Usage
+```bash
+cutter specimen.exe
+```
+
+## Workflows
+- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 7: Disassembly (if needed)
+- [[workflows/code-injection-workflow|Code Injection Analysis]] — Step 2: Injection Type Classification
+
+## Related Tools
+- [[tools/ghidra|Ghidra]] — Open-source disassembler and decompiler from NSA with script
+- [[tools/objdump|objdump]] — Disassemble binary files.
+- [[tools/qiling|qiling]] — Multi-platform binary emulation framework — emulate PE, ELF,
+- [[tools/vivisect|Vivisect]] — Binary analysis and emulation framework — static analysis wi
+
+## FOR610
+**Sections:** 2
+
+#disassembly #radare2 #open-source
@@ -0,0 +1,31 @@
+# CyberChef
+> Web-based data transformation tool — decode Base64, XOR, hex, decompress, and chain operations
+
+**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)
+
+## Usage
+```bash
+cyberchef
+```
+
+## Recipes
+- [[recipes/cyberchef-xor-decode|Visual XOR/Base64 Decode with CyberChef]]
+
+## Workflows
+- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 5: Payload Decoding
+- [[workflows/shellcode-analysis-workflow|Shellcode Analysis]] — Step 6: String & IOC Extraction
+- [[workflows/string-deobfuscation-workflow|String & Data Deobfuscation]] — Step 4: Multi-Byte / Custom Decoding
+
+## Related Tools
+- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m
+- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files.
+- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files
+- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st
+- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to
+
+## FOR610
+**Labs:** 1.5, 3.8, 3.12
+**Sections:** 1, 3
+
+#decoding #encoding #transformation #web-based
@@ -0,0 +1,20 @@
+# dc3-mwcp
+> DC3 Malware Configuration Parser — extract C2 configs from known malware families
+
+**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)
+
+## Usage
+```bash
+mwcp parse <sample>
+mwcp parse -p Emotet <sample>
+```
+
+## Related Tools
+- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m
+- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files.
+- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files
+- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st
+- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to
+
+#malware #config-extraction #c2
@@ -0,0 +1,26 @@
+# de4dot
+> .NET deobfuscator — remove obfuscation from .NET assemblies
+
+**Category:** [[categories/statically-analyze-code-net|Statically Analyze Code > .NET]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/.net](https://docs.remnux.org/discover-the-tools/statically+analyze+code/.net)
+
+## Usage
+```bash
+de4dot obfuscated.exe
+```
+
+## Recipes
+- [[recipes/dotnet-decompile-cli|Decompile .NET on Command Line]]
+
+## Workflows
+- [[workflows/unpacking-workflow|Unpacking Packed Executables]] — Step 2: Automated Unpacking
+- [[workflows/dotnet-analysis-workflow|.NET Malware Analysis]] — Step 2: Obfuscator Detection
+
+## Related Tools
+- [[tools/ilspy|ILSpy]] — .NET assembly decompiler — view C#/VB.NET source from compil
+
+## FOR610
+**Labs:** 4.8
+**Sections:** 4
+
+#dotnet #deobfuscation
@@ -0,0 +1,11 @@
+# decode-vbe.py
+> Decode encoded VBS scripts (VBE).
+
+**Category:** [[categories/statically-analyze-code-scripts|Statically Analyze Code > Scripts]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/scripts](https://docs.remnux.org/discover-the-tools/statically+analyze+code/scripts)
+
+## Related Tools
+- [[tools/autoit-ripper|autoit-ripper]] — Extract AutoIt scripts embedded in PE binaries.
+- [[tools/js-beautify|js-beautify]] — Format and beautify obfuscated JavaScript code for readabili
+
+#statically-analyze-code-scripts
@@ -0,0 +1,12 @@
+# Decompyle++
+> Python bytecode disassembler and decompiler.
+
+**Category:** [[categories/statically-analyze-code-python|Statically Analyze Code > Python]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/python](https://docs.remnux.org/discover-the-tools/statically+analyze+code/python)
+
+## Related Tools
+- [[tools/pyinstaller-extractor|pyinstaller-extractor]] — Extract contents of a PyInstaller-generated PE files.
+- [[tools/pyinstxtractor-ng|pyinstxtractor-ng]] — Extract contents of PyInstaller-generated executables withou
+- [[tools/uncompyle6|uncompyle6]] — Decompile Python bytecode (.pyc) back to source — supports P
+
+#statically-analyze-code-python
@@ -0,0 +1,4 @@
+# default-jdk
+
+**Tier:** Basic
+
@@ -0,0 +1,4 @@
+# default-jre
+
+**Tier:** Basic
+
@@ -0,0 +1,14 @@
+# dex2jar
+> Examine Dalvik Executable (dex) files.
+
+**Category:** [[categories/statically-analyze-code-android|Statically Analyze Code > Android]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/statically+analyze+code/android](https://docs.remnux.org/discover-the-tools/statically+analyze+code/android)
+
+## Related Tools
+- [[tools/androguard|androguard]] — Analyze Android APK files — extract permissions, activities,
+- [[tools/androidprojectcreator|AndroidProjectCreator]] — Convert an Android APK application file into an Android Stud
+- [[tools/apkid|apkid]] — Identify compilers, packers, and obfuscators used to protect
+- [[tools/apktool|apktool]] — Decompile and recompile Android APK files — extract resource
+- [[tools/baksmali|baksmali]] — Disassembler for the dex format used by Dalvik, Android&#x27
+
+#statically-analyze-code-android
@@ -0,0 +1,14 @@
+# dexray
+> Extract and decode data from antivirus quarantine files.
+
+**Category:** [[categories/gather-and-analyze-data|Gather and Analyze Data]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/gather+and+analyze+data](https://docs.remnux.org/discover-the-tools/gather+and+analyze+data)
+
+## Related Tools
+- [[tools/dissect|dissect]] — Perform a variety of forensics and incident response tasks u
+- [[tools/dnslib|dnslib]] — Python library to encode/decode DNS wire-format packets.
+- [[tools/ioc-parser|ioc-parser]] — Extract indicators of compromise (IOCs) from PDF reports and
+- [[tools/ipwhois|ipwhois]] — Retrieve and parse whois data for IP addresses.
+- [[tools/malwoverview|malwoverview]] — Query VirusTotal, Hybrid Analysis, and MalwareBazaar for mal
+
+#gather-and-analyze-data
@@ -0,0 +1,4 @@
+# dialog
+
+**Tier:** Basic
+
@@ -0,0 +1,4 @@
+# didier-stevens-scripts
+
+**Tier:** Basic
+
@@ -0,0 +1,28 @@
+# diec
+> Detect packers, compilers, and tools used to create executables
+
+**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general)
+
+## Usage
+```bash
+diec specimen.exe
+```
+
+## Workflows
+- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 3: Packing & Entropy Check
+- [[workflows/unpacking-workflow|Unpacking Packed Executables]] — Step 1: Packing Identification
+- [[workflows/dotnet-analysis-workflow|.NET Malware Analysis]] — Step 1: Identification & Metadata
+
+## Related Tools
+- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms.
+- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images
+- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files.
+- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu
+- [[tools/disitool|disitool]] — Manipulate embedded digital signatures.
+
+## FOR610
+**Labs:** 4.1
+**Sections:** 1, 4
+
+#pe #packer-detection #compiler-detection
@@ -0,0 +1,14 @@
+# disitool
+> Manipulate embedded digital signatures.
+
+**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general)
+
+## Related Tools
+- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms.
+- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images
+- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files.
+- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu
+- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab
+
+#examine-static-properties-general
@@ -0,0 +1,4 @@
+# display
+
+**Tier:** Basic
+
@@ -0,0 +1,14 @@
+# dissect
+> Perform a variety of forensics and incident response tasks using this DFIR framework and toolset.
+
+**Category:** [[categories/gather-and-analyze-data|Gather and Analyze Data]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/gather+and+analyze+data](https://docs.remnux.org/discover-the-tools/gather+and+analyze+data)
+
+## Related Tools
+- [[tools/dexray|dexray]] — Extract and decode data from antivirus quarantine files.
+- [[tools/dnslib|dnslib]] — Python library to encode/decode DNS wire-format packets.
+- [[tools/ioc-parser|ioc-parser]] — Extract indicators of compromise (IOCs) from PDF reports and
+- [[tools/ipwhois|ipwhois]] — Retrieve and parse whois data for IP addresses.
+- [[tools/malwoverview|malwoverview]] — Query VirusTotal, Hybrid Analysis, and MalwareBazaar for mal
+
+#gather-and-analyze-data
@@ -0,0 +1,4 @@
+# distro-info
+
+**Tier:** Basic
+
@@ -0,0 +1,4 @@
+# dllcharacteristics
+
+**Tier:** Basic
+
@@ -0,0 +1,14 @@
+# dnfile
+> Analyze static properties of.
+
+**Category:** [[categories/examine-static-properties-net|Examine Static Properties > .NET]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/.net](https://docs.remnux.org/discover-the-tools/examine+static+properties/.net)
+
+## Workflows
+- [[workflows/dotnet-analysis-workflow|.NET Malware Analysis]] — Step 1: Identification & Metadata
+
+## Related Tools
+- [[tools/dotnetfile|dotnetfile]] — Analyze static properties of.
+- [[tools/monodis|monodis]] — Disassemble and extract resources from.
+
+#examine-static-properties-net
@@ -0,0 +1,14 @@
+# dnslib
+> Python library to encode/decode DNS wire-format packets.
+
+**Category:** [[categories/gather-and-analyze-data|Gather and Analyze Data]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/gather+and+analyze+data](https://docs.remnux.org/discover-the-tools/gather+and+analyze+data)
+
+## Related Tools
+- [[tools/dexray|dexray]] — Extract and decode data from antivirus quarantine files.
+- [[tools/dissect|dissect]] — Perform a variety of forensics and incident response tasks u
+- [[tools/ioc-parser|ioc-parser]] — Extract indicators of compromise (IOCs) from PDF reports and
+- [[tools/ipwhois|ipwhois]] — Retrieve and parse whois data for IP addresses.
+- [[tools/malwoverview|malwoverview]] — Query VirusTotal, Hybrid Analysis, and MalwareBazaar for mal
+
+#gather-and-analyze-data
@@ -0,0 +1,14 @@
+# dnsresolver.py
+> DNS resolver tool for dynamic analysis with wildcard and tracking support.
+
+**Category:** [[categories/explore-network-interactions-services|Explore Network Interactions > Services]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/services](https://docs.remnux.org/discover-the-tools/explore+network+interactions/services)
+
+## Related Tools
+- [[tools/fakedns|fakedns]] — Fake DNS server that resolves all queries to a specified IP 
+- [[tools/fakemail|fakemail]] — Intercept and examine SMTP email activity with this fake SMT
+- [[tools/fakenet-ng|fakenet-ng]] — Emulate network services (HTTP, DNS, SMTP, FTP) to intercept
+- [[tools/httpd|httpd]] — Simple HTTP server on REMnux for simulating C2 web servers
+- [[tools/inetsim|INetSim]] — Emulate internet services (HTTP, HTTPS, DNS, FTP, SMTP) for 
+
+#explore-network-interactions-services
@@ -0,0 +1,14 @@
+# docker
+> Run and manage containers.
+
+**Category:** [[categories/general-utilities|General Utilities]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/general+utilities](https://docs.remnux.org/discover-the-tools/general+utilities)
+
+## Related Tools
+- [[tools/cabextract|cabextract]] — Extract Microsoft cabinet (cab) files.
+- [[tools/cast|cast]] — Install and manage SaltStack-based Linux distributions.
+- [[tools/firefox|firefox]] — Web browser.
+- [[tools/gnome-calculator|GNOME Calculator]] — Calculator.
+- [[tools/ibus|ibus]] — Adjust input methods for the GUI.
+
+#general-utilities
@@ -0,0 +1,4 @@
+# dog
+
+**Tier:** Basic
+
@@ -0,0 +1,14 @@
+# dos2unix
+> Convert text files with Windows or macOS line breaks to Unix line breaks and vice versa.
+
+**Category:** [[categories/view-or-edit-files|View or Edit Files]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/view+or+edit+files](https://docs.remnux.org/discover-the-tools/view+or+edit+files)
+
+## Related Tools
+- [[tools/evince|evince]] — View documents in a variety of formats, including PDF.
+- [[tools/feh|feh]] — Lightweight image viewer for viewing extracted images from d
+- [[tools/imagemagick|imagemagick]] — View and manipulate image and related files.
+- [[tools/scite|scite]] — Edit text files.
+- [[tools/vbindiff|vbindiff]] — Compare binary files.
+
+#view-or-edit-files
@@ -0,0 +1,4 @@
+# dot-cache
+
+**Tier:** Basic
+
@@ -0,0 +1,4 @@
+# dot-config
+
+**Tier:** Basic
+
@@ -0,0 +1,4 @@
+# dot-cpan
+
+**Tier:** Basic
+
@@ -0,0 +1,4 @@
+# dot-dbus
+
+**Tier:** Basic
+
@@ -0,0 +1,4 @@
+# dot-local
+
+**Tier:** Basic
+
@@ -0,0 +1,4 @@
+# dotnet-runtime-3-1
+
+**Tier:** Basic
+
@@ -0,0 +1,14 @@
+# dotnetfile
+> Analyze static properties of.
+
+**Category:** [[categories/examine-static-properties-net|Examine Static Properties > .NET]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/.net](https://docs.remnux.org/discover-the-tools/examine+static+properties/.net)
+
+## Workflows
+- [[workflows/dotnet-analysis-workflow|.NET Malware Analysis]] — Step 1: Identification & Metadata
+
+## Related Tools
+- [[tools/dnfile|dnfile]] — Analyze static properties of.
+- [[tools/monodis|monodis]] — Disassemble and extract resources from.
+
+#examine-static-properties-net
@@ -0,0 +1,17 @@
+# droidlysis
+> Perform static analysis of Android applications.
+
+**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general)
+
+## Workflows
+- [[workflows/android-analysis-workflow|Android Malware Analysis]] — Step 4: Static Analysis
+
+## Related Tools
+- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms.
+- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images
+- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files.
+- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu
+- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab
+
+#examine-static-properties-general
@@ -0,0 +1,4 @@
+# edb-debugger
+
+**Tier:** Basic
+
@@ -0,0 +1,26 @@
+# emldump.py
+> Parse and analyze EML email message files
+
+**Category:** [[categories/analyze-documents-email-messages|Analyze Documents > Email Messages]] | **Tier:** Rich (FOR610) | **Author:** Didier Stevens
+**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/email+messages](https://docs.remnux.org/discover-the-tools/analyze+documents/email+messages)
+
+## Usage
+```bash
+emldump.py message.eml
+```
+
+## Recipes
+- [[recipes/email-attachment-extraction|Extract and Triage Email Attachments]]
+
+## Workflows
+- [[workflows/email-analysis-workflow|Email & Phishing Analysis]] — Step 1: Header Analysis
+
+## Related Tools
+- [[tools/mail-parser|mail-parser]] — Parse raw SMTP email messages and extract headers, body, and
+- [[tools/msg-extractor|msg-extractor]] — Extract emails and attachments from Microsoft Outlook MSG fi
+- [[tools/msgconvert|msgconvert]] — Convert MSG files to MBOX files.
+
+## FOR610
+**Sections:** 3
+
+#email #eml #didier-stevens
@@ -0,0 +1,4 @@
+# enchant
+
+**Tier:** Basic
+
@@ -0,0 +1,14 @@
+# EPIC IRC Client
+> Examine IRC activities with this IRC client.
+
+**Category:** [[categories/explore-network-interactions-connecting|Explore Network Interactions > Connecting]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting](https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting)
+
+## Related Tools
+- [[tools/anomy|anomy]] — A wrapper around wget, ssh, sftp, ftp, and telnet to route t
+- [[tools/curl|curl]] — Transfer data to/from servers using various protocols
+- [[tools/gnu-wget|GNU Wget]] — Interact with servers via HTTP, HTTPS, FTP, and FTPS using t
+- [[tools/nc|nc]] — Network utility for reading/writing data across TCP/UDP conn
+- [[tools/thug|Thug]] — Low-interaction honeyclient for analyzing malicious websites
+
+#explore-network-interactions-connecting
@@ -0,0 +1,4 @@
+# epic5
+
+**Tier:** Basic
+
@@ -0,0 +1,22 @@
+# evilclippy
+> Remove VBA project password protection and manipulate Office macro settings
+
+**Category:** [[categories/analyze-documents-microsoft-office|Analyze Documents > Microsoft Office]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office](https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office)
+
+## Usage
+```bash
+evilclippy -uu document.docm
+```
+
+## Related Tools
+- [[tools/libolecf|libolecf]] — Microsoft Office OLE2 compound documents.
+- [[tools/msoffcrypto-crack|msoffcrypto-crack.py]] — Recover the password of an encrypted Microsoft Office docume
+- [[tools/msoffcrypto-tool|msoffcrypto-tool]] — Decrypt password-protected Microsoft Office documents (OLE a
+- [[tools/msoffice-crypt|msoffice-crypt]] — Encrypt and decrypt OOXML Microsoft Office documents.
+- [[tools/oledump|oledump.py]] — Analyze OLE2 files (Office documents), extract streams and V
+
+## FOR610
+**Sections:** 3
+
+#office #vba #password-removal
@@ -0,0 +1,14 @@
+# evince
+> View documents in a variety of formats, including PDF.
+
+**Category:** [[categories/view-or-edit-files|View or Edit Files]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/view+or+edit+files](https://docs.remnux.org/discover-the-tools/view+or+edit+files)
+
+## Related Tools
+- [[tools/dos2unix|dos2unix]] — Convert text files with Windows or macOS line breaks to Unix
+- [[tools/feh|feh]] — Lightweight image viewer for viewing extracted images from d
+- [[tools/imagemagick|imagemagick]] — View and manipulate image and related files.
+- [[tools/scite|scite]] — Edit text files.
+- [[tools/vbindiff|vbindiff]] — Compare binary files.
+
+#view-or-edit-files
@@ -0,0 +1,14 @@
+# ex-pe-xor
+> Search an XOR&#x27;ed file for indications of executable binaries.
+
+**Category:** [[categories/examine-static-properties-deobfuscation|Examine Static Properties > Deobfuscation]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation](https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation)
+
+## Related Tools
+- [[tools/1768|1768.py]] — Parse Cobalt Strike beacon configuration from shellcode or m
+- [[tools/balbuzard|balbuzard]] — Extract and deobfuscate patterns from suspicious files.
+- [[tools/base64dump|base64dump.py]] — Extract and decode Base64-encoded strings from files
+- [[tools/brxor|brxor.py]] — Brute-force XOR key detection for single-byte XOR-encoded st
+- [[tools/chepy|chepy]] — Decode and otherwise analyze data using this command-line to
+
+#examine-static-properties-deobfuscation
@@ -0,0 +1,4 @@
+# exfat-utils
+
+**Tier:** Basic
+
@@ -0,0 +1,26 @@
+# exiftool
+> Extract metadata from files (PDF, images, documents, executables)
+
+**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general)
+
+## Usage
+```bash
+exiftool document.pdf
+exiftool specimen.exe
+```
+
+## Workflows
+- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 1: File Identification & Hashing
+
+## Related Tools
+- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms.
+- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images
+- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files.
+- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu
+- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab
+
+## FOR610
+**Sections:** 1
+
+#metadata #triage
@@ -0,0 +1,30 @@
+# fakedns
+> Fake DNS server that resolves all queries to a specified IP for traffic interception
+
+**Category:** [[categories/explore-network-interactions-services|Explore Network Interactions > Services]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/services](https://docs.remnux.org/discover-the-tools/explore+network+interactions/services)
+
+## Usage
+```bash
+fakedns
+```
+
+## Recipes
+- [[recipes/dns-interception-setup|Set Up DNS + HTTP Interception]]
+
+## Workflows
+- [[workflows/behavioral-analysis-workflow|Behavioral Analysis]] — Step 2: Network Interception Setup
+- [[workflows/network-interception-workflow|Network Traffic Interception]] — Step 1: DNS Interception
+
+## Related Tools
+- [[tools/dnsresolver|dnsresolver.py]] — DNS resolver tool for dynamic analysis with wildcard and tra
+- [[tools/fakemail|fakemail]] — Intercept and examine SMTP email activity with this fake SMT
+- [[tools/fakenet-ng|fakenet-ng]] — Emulate network services (HTTP, DNS, SMTP, FTP) to intercept
+- [[tools/httpd|httpd]] — Simple HTTP server on REMnux for simulating C2 web servers
+- [[tools/inetsim|INetSim]] — Emulate internet services (HTTP, HTTPS, DNS, FTP, SMTP) for 
+
+## FOR610
+**Labs:** 1.3, 1.6, 1.7, 1.8
+**Sections:** 1
+
+#dns #spoofing #interception #lab-setup
@@ -0,0 +1,14 @@
+# fakemail
+> Intercept and examine SMTP email activity with this fake SMTP server.
+
+**Category:** [[categories/explore-network-interactions-services|Explore Network Interactions > Services]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/services](https://docs.remnux.org/discover-the-tools/explore+network+interactions/services)
+
+## Related Tools
+- [[tools/dnsresolver|dnsresolver.py]] — DNS resolver tool for dynamic analysis with wildcard and tra
+- [[tools/fakedns|fakedns]] — Fake DNS server that resolves all queries to a specified IP 
+- [[tools/fakenet-ng|fakenet-ng]] — Emulate network services (HTTP, DNS, SMTP, FTP) to intercept
+- [[tools/httpd|httpd]] — Simple HTTP server on REMnux for simulating C2 web servers
+- [[tools/inetsim|INetSim]] — Emulate internet services (HTTP, HTTPS, DNS, FTP, SMTP) for 
+
+#explore-network-interactions-services
@@ -0,0 +1,24 @@
+# fakenet-ng
+> Emulate network services (HTTP, DNS, SMTP, FTP) to intercept and analyze malware traffic dynamically
+
+**Category:** [[categories/explore-network-interactions-services|Explore Network Interactions > Services]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/explore+network+interactions/services](https://docs.remnux.org/discover-the-tools/explore+network+interactions/services)
+
+## Usage
+```bash
+fakenet
+fakenet -c custom_config.ini
+```
+
+## Workflows
+- [[workflows/behavioral-analysis-workflow|Behavioral Analysis]] — Step 2: Network Interception Setup
+- [[workflows/network-interception-workflow|Network Traffic Interception]] — Step 2: Service Emulation
+
+## Related Tools
+- [[tools/dnsresolver|dnsresolver.py]] — DNS resolver tool for dynamic analysis with wildcard and tra
+- [[tools/fakedns|fakedns]] — Fake DNS server that resolves all queries to a specified IP 
+- [[tools/fakemail|fakemail]] — Intercept and examine SMTP email activity with this fake SMT
+- [[tools/httpd|httpd]] — Simple HTTP server on REMnux for simulating C2 web servers
+- [[tools/inetsim|INetSim]] — Emulate internet services (HTTP, HTTPS, DNS, FTP, SMTP) for 
+
+#network #emulation #dynamic-analysis #c2
@@ -0,0 +1,26 @@
+# feh
+> Lightweight image viewer for viewing extracted images from documents
+
+**Category:** [[categories/view-or-edit-files|View or Edit Files]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/view+or+edit+files](https://docs.remnux.org/discover-the-tools/view+or+edit+files)
+
+## Usage
+```bash
+feh extracted_image.jpg
+```
+
+## Recipes
+- [[recipes/pdf-object-extraction|Extract Embedded Object from PDF]]
+
+## Related Tools
+- [[tools/dos2unix|dos2unix]] — Convert text files with Windows or macOS line breaks to Unix
+- [[tools/evince|evince]] — View documents in a variety of formats, including PDF.
+- [[tools/imagemagick|imagemagick]] — View and manipulate image and related files.
+- [[tools/scite|scite]] — Edit text files.
+- [[tools/vbindiff|vbindiff]] — Compare binary files.
+
+## FOR610
+**Labs:** 3.1
+**Sections:** 3
+
+#image-viewer
@@ -0,0 +1,14 @@
+# file-magic.py
+> Identify file types using the Python magic module.
+
+**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Standard (docs)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general)
+
+## Related Tools
+- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms.
+- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images
+- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files.
+- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu
+- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab
+
+#examine-static-properties-general
@@ -0,0 +1,34 @@
+# file
+> Determine file type and MIME type using magic bytes
+
+**Category:** [[categories/examine-static-properties-general|Examine Static Properties > General]] | **Tier:** Rich (FOR610)
+**Docs:** [https://docs.remnux.org/discover-the-tools/examine+static+properties/general](https://docs.remnux.org/discover-the-tools/examine+static+properties/general)
+
+## Usage
+```bash
+file specimen.exe
+file document.doc
+```
+
+## Recipes
+- [[recipes/email-attachment-extraction|Extract and Triage Email Attachments]]
+
+## Workflows
+- [[workflows/static-analysis-workflow|Static Properties Analysis]] — Step 1: File Identification & Hashing
+- [[workflows/document-analysis-workflow|Malicious Document Analysis]] — Step 1: Format Identification
+- [[workflows/android-analysis-workflow|Android Malware Analysis]] — Step 1: APK Triage
+- [[workflows/java-analysis-workflow|Java Malware Analysis]] — Step 1: Archive Inspection
+- [[workflows/email-analysis-workflow|Email & Phishing Analysis]] — Step 3: Attachment Triage
+
+## Related Tools
+- [[tools/7-zip|7-Zip]] — Compress and decompress files using a variety of algorithms.
+- [[tools/binwalk|binwalk]] — Analyze and extract embedded files and firmware images
+- [[tools/bulk-extractor|bulk-extractor]] — Extract interesting strings from binary files.
+- [[tools/clamav|ClamAV]] — Open-source antivirus — scan files for known malware signatu
+- [[tools/diec|diec]] — Detect packers, compilers, and tools used to create executab
+
+## FOR610
+**Labs:** 3.4, 3.5
+**Sections:** 3
+
+#file-identification #triage
--- a/Show More
+++ b/Show More