Add FOR610 tool/workflow knowledge base and data pipeline

Build comprehensive malware analysis knowledge base from 3 sources:
- SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes
- REMnux salt-states: 340 packages parsed from GitHub
- REMnux docs: 280+ tools scraped from docs.remnux.org

Master inventory merges all sources into 447 tools with help tiers
(rich/standard/basic). Pipeline generates: tools.db (397 entries),
397 cheatsheets with multi-tool recipes, 15 workflow guides, 224
TLDR pages, and coverage reports.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
tobias
2026-03-28 17:38:15 +01:00
parent 06ebb09ab0
commit f3ccc09c3d
663 changed files with 36339 additions and 1 deletions
+1
@@ -0,0 +1 @@
additional
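Review bot: the new single-line file contains only the word `additional` with nothing indicating what consumes it; if it is a marker or placeholder read by the pipeline, document its purpose (for example in the README's Files table), otherwise drop it from the commit.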
+30 -1
@@ -1,4 +1,4 @@
.PHONY: help build-upstream build-scratch build-kali build-all test clean push
.PHONY: help build-upstream build-scratch build-kali build-all test clean push generate-data generate-master coverage-report
# Default target
help:
@@ -16,6 +16,9 @@ help:
@echo " shell Interactive shell (REMnux build)"
@echo " shell-scratch Interactive shell (scratch build)"
@echo " coverage Check help coverage"
@echo " generate-data Convert FOR610 YAML to JSON"
@echo " generate-master Build master inventory and all help artifacts"
@echo " coverage-report Generate tool coverage gap report"
@echo ""
# Build targets
@@ -63,3 +66,29 @@ shell:
coverage:
@echo "Checking help coverage..."
@docker run --rm tabledevil/file-analysis:latest /usr/local/bin/check-help-coverage.sh || true
# Generate JSON from FOR610 YAML knowledge base
generate-data:
@echo "Generating JSON from FOR610 YAML files..."
@mkdir -p data/generated
@for f in data/for610/*.yaml; do \
name=$$(basename "$$f" .yaml); \
python3 -c "import yaml,json; json.dump(yaml.safe_load(open('$$f')),open('data/generated/$$name.json','w'),indent=2)"; \
echo "$$name.json"; \
done
@echo "✓ JSON files generated in data/generated/"
# Build master inventory from all 3 sources and generate all help artifacts
generate-master: generate-data
@echo "Building master tool inventory..."
python3 scripts/parse-salt-states.py
python3 scripts/scrape-remnux-docs.py
python3 scripts/build-master-inventory.py
python3 scripts/generate-help-artifacts.py
python3 scripts/generate-coverage-report.py
@echo "✓ Master inventory and all artifacts generated"
# Generate coverage report only (requires tools-master.yaml to exist)
coverage-report:
python3 scripts/generate-coverage-report.py
@echo "Report: data/generated/coverage-report.md"
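Review bot: the `generate-data` loop swallows conversion failures: if `python3 -c "import yaml,json; ..."` fails for one YAML file (malformed YAML, PyYAML not installed), the loop continues and the recipe's exit status is that of the final `echo "$$name.json"`, so `generate-master` goes on to build the inventory from partial JSON. Append `|| exit 1` to the python3 command inside the loop (or start the recipe with `set -e;`). Two smaller points: `$$f` and `$$name` are interpolated into single-quoted Python string literals, which breaks on a filename containing a quote; and `generate-master` reruns `parse-salt-states.py` and `scrape-remnux-docs.py` (network fetches from GitHub and docs.remnux.org, per the commit message) on every invocation, so a separate fetch target with cached output would let rebuilds work offline and reproducibly.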
+62
@@ -0,0 +1,62 @@
# FOR610 Knowledge Base
Structured data extracted from the SANS FOR610 (Reverse-Engineering Malware) course materials.
## Files
| File | Description |
|------|-------------|
| `categories.yaml` | Tool category taxonomy (18 categories) |
| `tools.yaml` | Master tool catalog (~110 tools with metadata) |
| `labs.yaml` | All 47 labs with ordered tool sequences |
| `workflows.yaml` | 8 high-level analysis workflow patterns |
## Schema
### tools.yaml
Each tool entry contains:
- `id` — unique kebab-case identifier (used for cross-references)
- `name` — display name as typed on CLI
- `aliases` — alternative names
- `description` — one-line description
- `category` — FK to categories.yaml
- `platform``linux` | `windows` | `both` | `online`
- `in_remnux` — boolean, available in REMnux container
- `labs` — list of lab IDs that use this tool
- `typical_usage` — 1-3 command examples
- `for610_sections` — which course sections cover this tool
- `tags` — free-form search tags
### labs.yaml
Each lab entry contains:
- `id` — lab number (e.g., "3.1")
- `section` — course section (1-5)
- `title` — full lab title
- `sample` — malware specimen analyzed
- `analysis_type` — controlled vocabulary
- `tools_used`**ordered** list with `tool_id`, `platform`, and `purpose`
- `key_techniques` — techniques demonstrated
- `prerequisite_labs` — dependencies (optional)
- `tags` — free-form search tags
### workflows.yaml
Each workflow contains ordered steps with tool references and related labs.
## Generating JSON
```bash
make generate-data
```
This converts all YAML files to JSON under `data/generated/` using `yq`.
## Cross-Reference Integrity
Tool IDs in `labs.yaml``tools_used[].tool_id` must exist in `tools.yaml`.
Lab IDs in `tools.yaml``labs[]` must exist in `labs.yaml`.
Category IDs in `tools.yaml``category` must exist in `categories.yaml`.
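Review bot: the Generating JSON section says the conversion is done "using `yq`", but the Makefile in this commit implements `generate-data` with `python3` and PyYAML (`yaml.safe_load`), not `yq`; correct the README and list PyYAML as a prerequisite. The Files table also disagrees with the commit message (`~110 tools` and `8 high-level analysis workflow patterns` here versus 120 tools and 15 workflows there) and omits the recipes file this commit adds (`Multi-Tool Analysis Recipes`, 27 recipes per the commit message). Finally, the Cross-Reference Integrity rules are stated but nothing in the Makefile enforces them; a validation step in `generate-data` that fails on a dangling `tool_id`, lab ID or category ID would keep the three files consistent.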
+75
@@ -0,0 +1,75 @@
# FOR610 Tool Category Taxonomy
# Each category groups related malware analysis tools
categories:
- id: pdf-analysis
name: "PDF Analysis"
description: "Tools for analyzing PDF document structure, objects, and embedded content"
- id: document-analysis
name: "Document & Macro Analysis"
description: "Tools for examining Office documents, RTF files, email, and embedded macros"
- id: static-analysis-pe
name: "Static Analysis (PE)"
description: "Tools for static examination of Windows PE executables — headers, imports, strings, entropy"
- id: behavioral-analysis
name: "Behavioral Analysis"
description: "Tools for monitoring runtime behavior — processes, filesystem, registry, API calls"
- id: network-analysis
name: "Network Analysis & Interception"
description: "Tools for capturing, analyzing, and simulating network traffic"
- id: code-analysis
name: "Code Analysis & Disassembly"
description: "Disassemblers and decompilers for static code-level analysis"
- id: debugging
name: "Debugging"
description: "Debuggers for dynamic code-level analysis, breakpoints, and memory inspection"
- id: emulation
name: "Emulation & Sandboxing"
description: "Tools that emulate execution of binaries, shellcode, or scripts without native execution"
- id: unpacking
name: "Unpacking & Dumping"
description: "Tools for unpacking compressed/encrypted executables and dumping from memory"
- id: dotnet-analysis
name: ".NET Analysis"
description: "Decompilers, debuggers, and deobfuscators specialized for .NET/CLR malware"
- id: javascript-analysis
name: "JavaScript Analysis"
description: "Tools for deobfuscating and analyzing malicious JavaScript"
- id: powershell-analysis
name: "PowerShell Analysis"
description: "Tools for debugging, decoding, and analyzing malicious PowerShell scripts"
- id: string-deobfuscation
name: "String & Data Deobfuscation"
description: "Tools for decoding XOR, Base64, stack strings, and other obfuscation techniques"
- id: yara-detection
name: "YARA & Capability Detection"
description: "Pattern matching and capability identification tools"
- id: anti-analysis
name: "Anti-Analysis Bypass"
description: "Plugins and techniques for bypassing debugger detection and anti-analysis measures"
- id: online-platforms
name: "Online Analysis Platforms"
description: "Web-based sandboxes, scanners, and threat intelligence services"
- id: virtualization
name: "Virtualization"
description: "Hypervisors and VM platforms for isolated malware analysis labs"
- id: utilities
name: "Utilities"
description: "General-purpose utilities used within malware analysis workflows"
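Review bot: the taxonomy has no category for memory forensics, Android/mobile analysis or email analysis, yet the recipes file in this commit has MEMORY FORENSICS, ANDROID ANALYSIS and EMAIL ANALYSIS sections using `volatility3`, `apkid`/`apktool`/`jadx` and `emldump-py`; since `category` is a foreign key into this file (per the README), those tools will either be dumped into `utilities` or fail the cross-reference check. Consider adding `memory-forensics`, `mobile-analysis` and `email-analysis` entries.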
File diff suppressed because it is too large
+402
@@ -0,0 +1,402 @@
# Multi-Tool Analysis Recipes
# These are pipe chains and multi-step commands that combine tools
# Each recipe is cross-referenced to all tools it uses
recipes:
# ============================================================
# OFFICE DOCUMENT ANALYSIS
# ============================================================
- id: extract-base64-ps-from-vba
name: "Extract Base64 PowerShell from Office Macro"
task: "Get encoded PowerShell payload hidden in a VBA UserForm stream"
tools: [oledump-py, base64dump-py]
commands:
- "# List streams — find macro (M) and data streams"
- "oledump.py <document>"
- "# Extract VBA source to understand what the macro does"
- "oledump.py <document> -s <macro_stream> -v"
- "# Scan data stream for Base64 strings"
- "oledump.py <document> -s <data_stream> -d | base64dump.py -n 10"
- "# Decode the longest Base64 hit to file"
- "oledump.py <document> -s <data_stream> -d | base64dump.py -s 1 -d > payload.ps1"
lab: "3.4"
- id: vba-number-string-decode
name: "Decode VBA Number Arrays to Strings"
task: "Convert VBA macros that use Chr() number sequences into readable text"
tools: [oledump-py, numbers-to-string-py]
commands:
- "# Extract VBA and convert number sequences to text"
- "oledump.py <document> -s <stream> -v | numbers-to-string.py -j"
- "# Same but with line-break formatting for readability"
- "oledump.py <document> -s <stream> -v | numbers-to-string.py -j | sed 's/;/;\\n/g'"
lab: "3.3"
- id: multi-stage-base64-gzip
name: "Decode Base64 + Gzip Payload"
task: "Handle double-encoded payloads: Base64 wrapping gzip-compressed content"
tools: [base64dump-py, gunzip]
commands:
- "# Find Base64 strings in the script"
- "base64dump.py <script.ps1> -n 10"
- "# Decode Base64 and decompress gzip in one chain"
- "base64dump.py <script.ps1> -s <selection> -d | gunzip > decoded.ps1"
lab: "3.4"
- id: base64-xor-shellcode
name: "Decode Base64 + XOR Shellcode"
task: "Extract shellcode encoded as Base64 with an XOR key"
tools: [base64dump-py, translate-py]
commands:
- "# Find Base64 strings"
- "base64dump.py <script.ps1> -n 10"
- "# Decode Base64, then XOR with key"
- "base64dump.py <script.ps1> -s <selection> -d | translate.py 'byte ^ <key>' > shellcode.bin"
lab: "3.4"
- id: office-full-decode-chain
name: "Full Office Macro Decode Chain"
task: "Complete pipeline: Office doc → VBA → Base64 → gunzip → XOR → shellcode"
tools: [oledump-py, base64dump-py, gunzip, translate-py, scdbgc]
commands:
- "# Step 1: List streams and extract VBA"
- "oledump.py <document>"
- "oledump.py <document> -s <macro_stream> -v"
- "# Step 2: Extract Base64 from data stream"
- "oledump.py <document> -s <data_stream> -d | base64dump.py -s 1 -d > stage1.ps1"
- "# Step 3: Decode second Base64 layer + decompress"
- "base64dump.py stage1.ps1 -s 3 -d | gunzip > stage2.ps1"
- "# Step 4: XOR decode the shellcode"
- "base64dump.py stage2.ps1 -s 2 -d | translate.py 'byte ^ 35' > shellcode.bin"
- "# Step 5: Emulate the shellcode"
- "scdbgc /f shellcode.bin /s -1"
lab: "3.4"
- id: password-protected-office
name: "Decrypt Password-Protected Office Document"
task: "Remove password protection before analysis"
tools: [msoffcrypto-tool]
commands:
- "# Common malware passwords: infected, malware, password, 123456"
- "msoffcrypto-tool -p infected <encrypted.docx> <decrypted.docx>"
- id: excel-xlm-macros
name: "Deobfuscate Excel 4.0 (XLM) Macros"
task: "Extract and decode legacy Excel macros hidden in sheets"
tools: [xlmmacrodeobfuscator]
commands:
- "# Deobfuscate XLM macros"
- "xlmdeobfuscator --file <spreadsheet.xlsm>"
- id: vba-pcode-decompile
name: "Recover VBA from p-code (source removed)"
task: "Decompile VBA when source code has been stripped, only p-code remains"
tools: [pcode2code, pcodedmp]
commands:
- "# Decompile p-code back to VBA source"
- "pcode2code <document.docm>"
- "# Or disassemble p-code to assembly"
- "pcodedmp <document.docm>"
# ============================================================
# RTF DOCUMENT ANALYSIS
# ============================================================
- id: rtf-shellcode-extraction
name: "Extract Shellcode from RTF Document"
task: "Find and extract embedded shellcode from a malicious RTF file"
tools: [rtfdump-py, xorsearch, scdbgc]
commands:
- "# Scan RTF structure — look for groups with lots of hex data"
- "rtfdump.py <document.rtf>"
- "# Extract the hex-heavy group as binary"
- "rtfdump.py <document.rtf> -s <group_num> -H -d > extracted.bin"
- "# Scan for shellcode patterns (even XOR-encoded)"
- "XORSearch -W -d 3 extracted.bin"
- "# Emulate shellcode at found offset"
- "scdbgc /f extracted.bin /foff <offset> /s -1"
lab: "3.5"
# ============================================================
# PDF ANALYSIS
# ============================================================
- id: pdf-object-extraction
name: "Extract Embedded Object from PDF"
task: "Pull out an embedded image, JavaScript, or file from a PDF object"
tools: [pdfid-py, pdf-parser-py, feh]
commands:
- "# Scan for suspicious keywords"
- "pdfid.py <document.pdf>"
- "# Find objects containing the keyword"
- "pdf-parser.py <document.pdf> -s /URI"
- "# Extract all values for that keyword"
- "pdf-parser.py <document.pdf> -k /URI"
- "# Dump a specific object to file"
- "pdf-parser.py <document.pdf> -o <obj_id> -d extracted_object"
- "# View extracted image"
- "feh extracted_object &"
lab: "3.1"
- id: pdf-javascript-extraction
name: "Extract JavaScript from PDF"
task: "Find and extract embedded JavaScript from a PDF file"
tools: [pdfid-py, pdf-parser-py, peepdf]
commands:
- "# Check if PDF contains JavaScript"
- "pdfid.py <document.pdf>"
- "# Find objects with JavaScript"
- "pdf-parser.py <document.pdf> -s /JavaScript"
- "# Interactive analysis with peepdf"
- "peepdf -i <document.pdf>"
# ============================================================
# JAVASCRIPT DEOBFUSCATION
# ============================================================
- id: js-deobfuscation-spidermonkey
name: "Deobfuscate JavaScript with SpiderMonkey"
task: "Execute obfuscated JS safely using SpiderMonkey with API simulation"
tools: [js-beautify, spidermonkey]
commands:
- "# Beautify compressed JavaScript"
- "js-beautify <malicious.js> > readable.js"
- "# Execute with objects.js to simulate browser/WScript APIs"
- "js -f /usr/share/remnux/objects.js -f <malicious.js> > decoded.js"
- "# If script expects location.href, edit objects.js first:"
- "cp /usr/share/remnux/objects.js ."
- "# Edit objects.js to set: location = { href: 'http://expected-url' }"
- "js -f objects.js -f <malicious.js> > decoded.js"
lab: "3.6, 3.7"
- id: js-null-byte-cleanup
name: "Clean Null Bytes from UTF-16 JavaScript"
task: "Remove null byte padding from UTF-16 encoded JavaScript before analysis"
tools: [spidermonkey]
commands:
- "# Check for null bytes (look for 00 in hex)"
- "xxd <script.js> | head -2"
- "# Remove null bytes"
- "cat <script.js> | tr -d '\\00' > clean.js"
- "# Then deobfuscate"
- "js -f /usr/share/remnux/objects.js -f clean.js > decoded.js"
- "# Beautify the result"
- "js-beautify decoded.js > final.js"
lab: "4.5"
# ============================================================
# SHELLCODE ANALYSIS
# ============================================================
- id: shellcode-emulate-with-offset
name: "Emulate Shellcode at Specific Offset"
task: "Run shellcode that starts at an offset within a larger binary"
tools: [scdbgc]
commands:
- "# Emulate from file start"
- "scdbgc /f <shellcode.bin> /s -1"
- "# Emulate from specific offset (hex)"
- "scdbgc /f <shellcode.bin> /foff <hex_offset> /s -1"
- "# Emulate with a file handle pre-opened (for exploits)"
- "scdbgc /f <shellcode.bin> /foff <offset> /fopen <carrier.doc> /s -1"
lab: "3.5, 4.6"
- id: cobalt-strike-beacon-parse
name: "Parse Cobalt Strike Beacon Configuration"
task: "Extract C2 config from a Cobalt Strike beacon or shellcode"
tools: [1768-py, yara]
commands:
- "# Scan with YARA for CS signatures"
- "yara-rules <sample>"
- "# Extract beacon configuration"
- "1768.py <sample_or_shellcode.bin>"
lab: "3.4"
- id: shellcode-to-exe
name: "Convert Shellcode to Executable"
task: "Wrap raw shellcode in a PE for analysis in disassemblers"
tools: [shcode2exe]
commands:
- "# Convert 32-bit shellcode to EXE"
- "shcode2exe <shellcode.bin> <output.exe>"
# ============================================================
# STRING DEOBFUSCATION
# ============================================================
- id: xor-key-brute-force
name: "Brute-Force XOR Key"
task: "Find the XOR key used to encode strings in a binary"
tools: [brxor-py, bbcrack, xorsearch, xortool]
commands:
- "# Quick check for XOR-encoded URLs/PE headers"
- "XORSearch <file> http:"
- "# Brute-force single-byte XOR keys"
- "brxor.py <file>"
- "# Try XOR, ROL, ADD combinations"
- "bbcrack -l 1 <file>"
- "# Guess multi-byte XOR key length and value"
- "xortool <file>"
- "# Decode with known key"
- "xortool-xor -s '<key>' -i <encoded> -o <decoded>"
lab: "5.2"
- id: stack-string-extraction
name: "Extract Stack-Built Strings"
task: "Decode strings assembled byte-by-byte on the stack"
tools: [strdeob-pl, floss]
commands:
- "# Automatic stack string recovery"
- "strdeob.pl <sample>"
- "# FLOSS automatic deobfuscation (static + stack + decoded)"
- "floss <sample>"
- "# FLOSS skip static strings, only show decoded"
- "floss --no-static -- <sample>"
lab: "5.2"
- id: cyberchef-xor-decode
name: "Visual XOR/Base64 Decode with CyberChef"
task: "Use CyberChef's recipe builder for multi-step decoding"
tools: [cyberchef]
commands:
- "# Launch CyberChef"
- "cyberchef"
- "# Common recipe: From Hex → XOR (key) → extract strings"
- "# Common recipe: From Base64 → Decode text UTF-16LE"
# ============================================================
# MALWARE EMULATION & CAPABILITY ANALYSIS
# ============================================================
- id: speakeasy-emulation-with-json
name: "Emulate Malware and Extract API Calls"
task: "Emulate a Windows binary on Linux and analyze its API usage"
tools: [speakeasy, jq]
commands:
- "# Emulate and capture both JSON report and text log"
- "speakeasy -t <sample> -o report.json 2> report.txt"
- "# Extract all API names called"
- "jq '.entry_points[].apis[].api_name' report.json"
- "# Extract unique API names"
- "jq -r '.entry_points[].apis[].api_name' report.json | sort -u"
lab: "1.4"
- id: capa-capability-filter
name: "Filter Capabilities by Technique"
task: "Find specific capabilities in capa output"
tools: [capa]
commands:
- "# Full capabilities report"
- "capa <sample>"
- "# Verbose with rule matches"
- "capa -vv <sample>"
- "# Filter for specific technique"
- "capa -vv <sample> | grep -A7 '<technique_name>'"
- "# Find injection-related capabilities"
- "capa -vv <sample> | grep -A7 'inject\\|hollow\\|suspend'"
lab: "1.4, 5.4"
# ============================================================
# NETWORK ANALYSIS
# ============================================================
- id: pcap-file-carving
name: "Extract Files from Network Capture"
task: "Carve downloaded payloads and exfiltrated data from PCAP"
tools: [tcpxtract, tcpflow, networkminer]
commands:
- "# Carve files using signatures"
- "tcpxtract -f <capture.pcap> -o carved/"
- "# Extract individual TCP streams"
- "tcpflow -r <capture.pcap> -o streams/"
- "# Or use NetworkMiner for automated extraction"
- "NetworkMiner --pcap <capture.pcap>"
- id: dns-interception-setup
name: "Set Up DNS + HTTP Interception"
task: "Redirect all malware DNS queries and serve fake HTTP responses"
tools: [fakedns, httpd, inetsim]
commands:
- "# Option A: Simple DNS + HTTP"
- "fakedns &"
- "httpd &"
- "# Option B: Full service emulation (HTTP, HTTPS, DNS, FTP, SMTP)"
- "inetsim"
- "# Verify DNS is working"
- "nslookup anything.com"
- "# Redirect hardcoded IPs too"
- "iptables -t nat -A PREROUTING -i eth0 -j REDIRECT"
# ============================================================
# .NET ANALYSIS
# ============================================================
- id: dotnet-decompile-cli
name: "Decompile .NET on Command Line"
task: "Decompile a .NET assembly to C# source on REMnux"
tools: [ilspycmd, de4dot]
commands:
- "# Decompile to C# source"
- "ilspycmd <assembly.exe> > source.cs"
- "# Search for suspicious patterns"
- "grep -n 'Assembly.Load\\|WebClient\\|Process.Start' source.cs"
- "# If obfuscated, deobfuscate first"
- "de4dot <assembly.exe>"
- "ilspycmd <assembly-cleaned.exe> > source_clean.cs"
lab: "4.8"
# ============================================================
# MEMORY FORENSICS
# ============================================================
- id: volatility-quick-triage
name: "Quick Memory Dump Triage"
task: "Fast initial assessment of a memory dump"
tools: [volatility3]
commands:
- "# Identify OS"
- "vol3 -f <dump> windows.info"
- "# Process tree (spot anomalies)"
- "vol3 -f <dump> windows.pstree"
- "# Network connections"
- "vol3 -f <dump> windows.netscan"
- "# Injected code detection"
- "vol3 -f <dump> windows.malfind"
# ============================================================
# ANDROID ANALYSIS
# ============================================================
- id: apk-quick-triage
name: "Quick APK Triage"
task: "Fast initial assessment of a suspicious Android app"
tools: [apkid, apktool, jadx]
commands:
- "# Check for packers/obfuscators"
- "apkid <app.apk>"
- "# Decompile to smali + resources"
- "apktool d <app.apk> -o output/"
- "# Check permissions"
- "grep 'uses-permission' output/AndroidManifest.xml"
- "# Decompile to Java source"
- "jadx <app.apk> -d src/"
# ============================================================
# EMAIL ANALYSIS
# ============================================================
- id: email-attachment-extraction
name: "Extract and Triage Email Attachments"
task: "Pull attachments from an email and identify their types"
tools: [emldump-py, file, sha256sum]
commands:
- "# List email structure"
- "emldump.py <email.eml>"
- "# Extract all attachments"
- "emldump.py <email.eml> -d"
- "# Identify file types"
- "file attachment_*"
- "# Compute hashes for lookup"
- "sha256sum attachment_*"
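Review bot: the `lab` field is a free-form string that sometimes packs several IDs into one value (`lab: "3.6, 3.7"`, `lab: "3.5, 4.6"`, `lab: "1.4, 5.4"`) and is missing from many recipes, while `workflows.yaml` uses a list under `related_labs`; use the same key and list form (`related_labs: ["3.6", "3.7"]`) so the README's cross-reference rules can be applied to recipe-to-lab links. Two smaller points: `cobalt-strike-beacon-parse` runs `yara-rules <sample>` but lists `yara` in `tools`, so the recipe's tool reference does not match the command it actually runs; and `cat <script.js> | tr -d '\\00' > clean.js` can be written as `tr -d '\\00' < <script.js> > clean.js`.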
File diff suppressed because it is too large
+588
@@ -0,0 +1,588 @@
# REMnux Analysis Workflows
# Generic, reusable workflows for malware and forensic analysis
# All use <sample>, <document>, <file> placeholders — not tied to specific specimens
# Tools marked [W] are Windows-only; all others available in REMnux container
workflows:
# ============================================================
# 1. STATIC ANALYSIS
# ============================================================
- id: static-analysis-workflow
name: "Static Properties Analysis"
description: "Systematic static examination of a suspicious file without executing it. Works for PE, ELF, .NET, scripts, and documents."
steps:
- order: 1
name: "File Identification & Hashing"
tools: [file, trid, exiftool, sha256sum]
description: "Determine file type using magic bytes. Compute hashes (MD5, SHA256) for lookup and documentation. Record file size and timestamps."
- order: 2
name: "Reputation Check"
tools: [malwoverview, virustotal-search]
description: "Look up hash on VirusTotal/MalwareBazaar. If known malware, note family name and detection rate. If clean or unknown, continue analysis."
- order: 3
name: "Packing & Entropy Check"
tools: [diec, peframe]
description: "Check for packing indicators and high entropy sections. Look for: unusual section names, small import table, high entropy (>7.0). If packed, consider the Unpacking Workflow."
- order: 4
name: "String Extraction"
tools: [strings, floss, pestr]
description: "Extract readable strings. Use FLOSS for obfuscated/stack strings. Look for: URLs, IPs, domains, registry keys, file paths, error messages, API names."
- order: 5
name: "Capability Detection"
tools: [capa, yara]
description: "Identify capabilities mapped to MITRE ATT&CK. Scan with YARA rules for known malware families. Look for: persistence, C2, evasion, lateral movement capabilities."
- order: 6
name: "Import & Export Analysis"
tools: [peframe, capa]
description: "Examine imported DLLs and functions. Map imports to behavior categories: networking (ws2_32), crypto (advapi32), process manipulation (kernel32). Check exports for DLL functionality."
- order: 7
name: "Disassembly (if needed)"
tools: [ghidra, cutter, radare2]
description: "Load into disassembler for code-level analysis. Start at entry point, trace key functions. Use decompiler for C-like view."
- order: 8
name: "Document Findings"
tools: []
description: "Record IOCs: hashes, IPs, domains, file paths, registry keys, mutexes. Classify: malware family, capabilities, confidence level. Decide: continue to behavioral analysis?"
related_labs: ["1.1", "2.1", "4.1"]
tags: [static, triage, pe-analysis, elf-analysis]
# ============================================================
# 2. BEHAVIORAL ANALYSIS
# ============================================================
- id: behavioral-analysis-workflow
name: "Behavioral Analysis"
description: "Monitor runtime behavior in an isolated environment. Applicable to any executable or script on Linux (REMnux) or Windows."
steps:
- order: 1
name: "Environment Preparation"
tools: []
description: "Revert to clean snapshot. Disconnect from production network. Verify isolation (host-only networking). Set max execution time (2-5 minutes)."
- order: 2
name: "Network Interception Setup"
tools: [fakedns, inetsim, fakenet-ng]
description: "Start fake DNS and service emulation so malware gets responses. On REMnux: fakedns for DNS, INetSim or FakeNet-NG for HTTP/HTTPS/SMTP/FTP."
- order: 3
name: "Monitoring Setup"
tools: [wireshark, tcpdump, strace]
description: "Start packet capture (wireshark or tcpdump). On Linux: strace/ltrace for syscalls. Start filesystem monitoring."
- order: 4
name: "Emulation (Safe Alternative)"
tools: [speakeasy, capa]
description: "Before live execution, try emulation: speakeasy emulates Windows API calls on Linux safely. Use capa -vv for capability overview."
- order: 5
name: "Execute & Monitor"
tools: []
description: "Run the sample with a timeout. Monitor for: new processes spawned, files created/modified, network connections, DNS queries. Kill after 2-5 minutes."
- order: 6
name: "Analyze Results"
tools: [wireshark, procdot]
description: "Review network capture: follow TCP streams, extract payloads, identify C2 patterns. Analyze process activity logs. Map filesystem changes."
- order: 7
name: "Extract IOCs"
tools: []
description: "Document: contacted domains/IPs, created files/registry keys, spawned processes, persistence mechanisms. Classify behavior: downloader, backdoor, ransomware, etc."
related_labs: ["1.2", "1.4", "1.6", "4.5"]
tags: [behavioral, dynamic, monitoring, emulation]
# ============================================================
# 3. NETWORK INTERCEPTION
# ============================================================
- id: network-interception-workflow
name: "Network Traffic Interception"
description: "Redirect and analyze malware network traffic in an isolated REMnux environment. Covers DNS, HTTP, HTTPS, and raw IP interception."
steps:
- order: 1
name: "DNS Interception"
tools: [fakedns]
description: "Start fakedns to resolve ALL domains to REMnux IP. Verify: nslookup any-domain.com should return your REMnux IP."
- order: 2
name: "Service Emulation"
tools: [inetsim, fakenet-ng, httpd]
description: "Choose emulator based on needed protocols. INetSim: HTTP, HTTPS, DNS, FTP, SMTP (most complete). FakeNet-NG: similar but different engine. httpd: simple HTTP only."
- order: 3
name: "TLS/HTTPS Interception (if needed)"
tools: [mitmproxy, polarproxy]
description: "For HTTPS C2: mitmproxy as transparent proxy, or PolarProxy for TLS decryption. Install proxy CA cert on analysis machine if needed."
- order: 4
name: "Packet Capture"
tools: [wireshark, tcpdump]
description: "Start capture before executing malware. Filter: not arp and not broadcast. Save to PCAP for later analysis."
- order: 5
name: "Execute & Observe"
tools: []
description: "Run malware on analysis VM. Watch for: DNS queries (domain names), HTTP requests (URLs, user-agents), raw TCP connections (IP:port)."
- order: 6
name: "Traffic Analysis"
tools: [wireshark, tshark, ngrep, tcpflow]
description: "Follow TCP streams for full request/response. Use ngrep for pattern search across packets. Use tcpflow to extract individual streams. Identify beaconing (regular intervals)."
- order: 7
name: "File Extraction"
tools: [tcpxtract, networkminer]
description: "Carve files from PCAP: downloaded payloads, exfiltrated data, second-stage malware. NetworkMiner does this automatically."
- order: 8
name: "IP-Based Redirection (if needed)"
tools: [iptables]
description: "If malware uses hardcoded IPs (no DNS): iptables -t nat -A PREROUTING -i eth0 -j REDIRECT. This redirects ALL traffic to local services."
- order: 9
name: "Document Network IOCs"
tools: []
description: "Record: C2 domains/IPs, URI paths, user-agent strings, beacon intervals, downloaded file hashes, TLS certificate details."
related_labs: ["1.3", "1.7", "1.8"]
tags: [network, interception, c2, dns, https, pcap]
# ============================================================
# 4. DOCUMENT ANALYSIS
# ============================================================
- id: document-analysis-workflow
name: "Malicious Document Analysis"
description: "Analyze suspicious documents (PDF, Office, RTF, OneNote) for embedded malware, macros, and exploits. Follows Zeltser's 6-step methodology."
steps:
- order: 1
name: "Format Identification"
tools: [file, trid]
description: "Identify true format: OLE2 (legacy Office), OOXML (modern Office), RTF, PDF, OneNote. Don't trust the file extension — use magic bytes."
- order: 2
name: "Structure Analysis"
tools: [oledump-py, rtfdump-py, pdfid-py, pdf-parser-py, onedump-py]
description: "Parse document internals. For Office: oledump.py to list streams (M = macro). For PDF: pdfid.py for risky keywords (/JavaScript, /OpenAction). For RTF: rtfdump.py for hex-heavy groups."
- order: 3
name: "Password Handling (if encrypted)"
tools: [msoffcrypto-tool]
description: "If document is password-protected: msoffcrypto-tool -p <password> <input> <output>. Common passwords: infected, malware, password, 123456."
- order: 4
name: "Macro/Script Extraction"
tools: [oledump-py, olevba, pcode2code, XLMMacroDeobfuscator]
description: "Extract VBA: oledump.py -s <stream> -v. For p-code: pcode2code. For Excel 4.0 macros: XLMMacroDeobfuscator. Check olevba for auto-execute triggers (AutoOpen, Document_Open)."
- order: 5
name: "Payload Decoding"
tools: [base64dump-py, translate-py, gunzip, numbers-to-string-py, cyberchef]
description: "Decode embedded payloads. Common chains: Base64 → gunzip → XOR. Use CyberChef for visual multi-step decoding. translate.py for byte-level transforms (byte ^ key)."
- order: 6
name: "Embedded Object Analysis"
tools: [scdbgc, xorsearch, yara, 1768-py]
description: "If shellcode found: emulate with scdbgc. Scan for known patterns (YARA). Check for Cobalt Strike beacons (1768.py). Route PE payloads to Static Analysis Workflow."
- order: 7
name: "Document IOCs"
tools: []
description: "Record: embedded URLs, downloaded payload hashes, C2 addresses, macro behavior (what APIs called), exploit type (CVE if applicable)."
related_labs: ["3.1", "3.3", "3.4", "3.5"]
tags: [documents, office, pdf, rtf, macro, onenote]
# ============================================================
# 5. JAVASCRIPT DEOBFUSCATION
# ============================================================
- id: javascript-deobfuscation-workflow
name: "JavaScript Deobfuscation"
description: "Deobfuscate and analyze malicious JavaScript from web pages, email attachments, or document macros."
steps:
- order: 1
name: "Beautification"
tools: [js-beautify]
description: "Format minified/compressed JavaScript for readability. Look for: eval() calls, document.write(), String.fromCharCode(), unescape(), atob()."
- order: 2
name: "Static Review"
tools: [visual-studio-code]
description: "Identify obfuscation layers. Search for: eval/Function constructor (code execution), long encoded strings, variable name patterns (single chars = likely obfuscated)."
- order: 3
name: "Safe Execution (SpiderMonkey)"
tools: [spidermonkey]
description: "Execute outside browser with objects.js to simulate browser/WScript APIs. Command: js -f /usr/share/remnux/objects.js -f <script.js>. Captures eval'd code without running it."
- order: 4
name: "Environment Tuning"
tools: [visual-studio-code]
description: "If script expects specific environment (location.href, navigator.userAgent): edit objects.js to provide expected values. Re-run SpiderMonkey."
- order: 5
name: "Alternative Analysis"
tools: [box-js, jstillery]
description: "box-js: Node.js sandbox with WScript emulation. JStillery: AST-based deobfuscation. Use when SpiderMonkey can't handle the obfuscation."
- order: 6
name: "Payload Identification"
tools: []
description: "What does the deobfuscated JS do? Common patterns: download & execute (dropper), redirect to exploit kit, credential harvesting. Extract all URLs, IPs, file paths."
related_labs: ["3.6", "3.7"]
tags: [javascript, deobfuscation, spidermonkey, box-js, web]
# ============================================================
# 6. UNPACKING
# ============================================================
- id: unpacking-workflow
name: "Unpacking Packed Executables"
description: "Unpack compressed, encrypted, or obfuscated executables to reveal the original code. Covers automated and manual techniques."
steps:
- order: 1
name: "Packing Identification"
tools: [diec, peframe]
description: "Identify packer: DIE detects UPX, ASPack, PECompact, Themida, etc. Check entropy (>7.0 suggests packing). Look for: few imports, unusual section names (.UPX, .packed)."
- order: 2
name: "Automated Unpacking"
tools: [upx, de4dot]
description: "Try known unpackers first. UPX: upx -d <sample>. .NET: de4dot <sample>. If automated unpacking fails (modified packer), proceed to manual."
- order: 3
name: "Emulation-Based Unpacking"
tools: [speakeasy, qiling]
description: "Emulate execution to let the unpacker run. Speakeasy and Qiling can trace API calls during unpacking without a debugger. Look for VirtualAlloc followed by memcpy patterns."
- order: 4
name: "Debugger-Based Unpacking [W]"
tools: [x64dbg, x32dbg]
description: "Set breakpoints on: VirtualAlloc/VirtualProtect (memory allocation), tail JMP to OEP (end of unpacker), or stack breakpoint (ESP trick). Step to OEP."
- order: 5
name: "Anti-Debug Bypass [W]"
tools: [scyllahide]
description: "If malware detects debugger: enable ScyllaHide. Handles IsDebuggerPresent, NtQueryInformationProcess, timing checks."
- order: 6
name: "Memory Dumping [W]"
tools: [ollydumpex, scylla]
description: "At OEP: dump process with OllyDumpEx. Fix IAT with Scylla (IAT Autosearch → Get Imports → Fix Dump)."
- order: 7
name: "PE Fixup [W]"
tools: [pe-unmapper]
description: "If dump has virtual alignment: pe_unmapper /in <dump> /base 400000 /out <fixed>. Only needed if sections have wrong raw sizes."
- order: 8
name: "Verification"
tools: [strings, peframe, capa]
description: "Verify: strings are now visible, imports are reasonable, capa detects capabilities. If good, route to Static Analysis Workflow for full analysis."
related_labs: ["4.1", "4.2", "4.3", "5.3", "5.8", "5.10"]
tags: [unpacking, packing, iat, memory-dump, oep]
# ============================================================
# 7. CODE INJECTION ANALYSIS
# ============================================================
- id: code-injection-workflow
name: "Code Injection Analysis"
description: "Identify and analyze process injection techniques including DLL injection, process hollowing, and reflective loading."
steps:
- order: 1
name: "Capability Detection"
tools: [capa]
description: "Run capa to identify injection techniques. Look for: 'inject code', 'create suspended process', 'allocate RWX memory'. Note MITRE ATT&CK technique IDs."
- order: 2
name: "Injection Type Classification"
tools: [ghidra, cutter]
description: "Identify which technique: Classic DLL injection (LoadLibrary), Process Hollowing (CreateProcess SUSPENDED + NtUnmapViewOfSection), Reflective DLL (manual PE loading), APC injection (QueueUserAPC)."
- order: 3
name: "Target Process Analysis"
tools: [ghidra]
description: "How does malware choose its target? Look for: CreateToolhelp32Snapshot + Process32First/Next (enumeration), hardcoded process names (svchost.exe, explorer.exe), OpenProcess calls."
- order: 4
name: "Payload Identification"
tools: [ghidra]
description: "What gets injected? Trace data flow to WriteProcessMemory or NtWriteVirtualMemory. Is it: embedded PE, shellcode, encrypted blob? Check size and content."
- order: 5
name: "Memory Allocation Analysis"
tools: [ghidra]
description: "Examine VirtualAllocEx parameters: size (hints at payload type), protection flags (PAGE_EXECUTE_READWRITE = 0x40 = suspicious). Allocation address for base relocation."
- order: 6
name: "Injection Verification [W]"
tools: [x32dbg, x64dbg]
description: "Set breakpoint on WriteProcessMemory. When hit: examine lpBuffer (injected data), nSize (payload size). Dump the buffer to file for separate analysis."
- order: 7
name: "Extracted Payload Analysis"
tools: [peframe, capa, strings]
description: "Analyze the injected payload as standalone file. Route to: Static Analysis Workflow (if PE), Shellcode Workflow (if shellcode), .NET Workflow (if .NET assembly)."
- order: 8
name: "Document Technique"
tools: []
description: "Record: injection technique, target process criteria, payload type and hash, API call sequence, memory protection flags. Map to MITRE ATT&CK (T1055.x)."
related_labs: ["4.9", "5.4"]
tags: [code-injection, process-hollowing, dll-injection, reflective-loading]
# ============================================================
# 8. .NET ANALYSIS
# ============================================================
- id: dotnet-analysis-workflow
name: ".NET Malware Analysis"
description: "Analyze .NET malware using decompilation, debugging, and deobfuscation. Works for .NET Framework, .NET Core, and mixed-mode assemblies."
steps:
- order: 1
name: "Identification & Metadata"
tools: [peframe, diec, dnfile, dotnetfile]
description: "Confirm .NET binary (peframe shows 'CLR'). Check runtime version (.NET 2/4/Core). Use dnfile or dotnetfile for .NET-specific metadata. Note entry point and referenced assemblies."
- order: 2
name: "Obfuscator Detection"
tools: [diec, de4dot]
description: "Detect obfuscator: DIE identifies ConfuserEx, Eziriz .NET Reactor, Babel, etc. de4dot -d <sample> reports detected obfuscator without modifying the file."
- order: 3
name: "Decompilation"
tools: [ilspycmd, monodis]
description: "Decompile to C# source: ilspycmd <sample> > output.cs. On REMnux use ilspycmd (CLI). Examine: Main() entry, suspicious class/method names, embedded resources."
- order: 4
name: "Dynamic Loading Detection"
tools: [visual-studio-code]
description: "Search decompiled code for: Assembly.Load(byte[]), Assembly.LoadFrom(), Activator.CreateInstance(), MethodInfo.Invoke(), CSharpCodeProvider. These indicate runtime code loading."
- order: 5
name: "Deobfuscation"
tools: [de4dot]
description: "Run: de4dot <sample> -o <clean>. If de4dot fails: try with --dont-rename flag, or manually rename obfuscated symbols. For ConfuserEx: de4dot handles most variants."
- order: 6
name: "Dynamic Debugging [W]"
tools: [dnspyex]
description: "If static analysis insufficient: load in dnSpyEx, set breakpoint on Assembly.Load or suspicious method. Run and inspect Locals window for decrypted payloads. Save byte[] arrays to disk."
- order: 7
name: "Extracted Payload Analysis"
tools: [ilspycmd, peframe]
description: "Analyze extracted payload: is it another .NET assembly? (recurse this workflow). Is it a PE file? (route to Static Analysis). Document the unpacking chain."
- order: 8
name: "Document Findings"
tools: []
description: "Record: obfuscator type, .NET version, loading mechanism, payload hashes, C2 endpoints found in decompiled code, encryption keys/algorithms."
related_labs: ["3.12", "4.8"]
tags: [dotnet, decompilation, deobfuscation, ilspy, de4dot]
# ============================================================
# 9. SHELLCODE ANALYSIS (NEW)
# ============================================================
- id: shellcode-analysis-workflow
name: "Shellcode Analysis"
description: "Analyze extracted shellcode from documents, exploits, or injected processes. Covers detection, emulation, and payload identification."
steps:
- order: 1
name: "Shellcode Detection"
tools: [xorsearch, yara, capa]
description: "Scan carrier file for shellcode patterns. XORSearch -W -d 3 <file> detects common shellcode signatures even when XOR-encoded. YARA rules catch known frameworks."
- order: 2
name: "Extraction"
tools: [rtfdump-py, oledump-py, pdf-parser-py]
description: "Extract shellcode from carrier. For RTF: rtfdump.py -s <group> -H -d > sc.bin. For OLE: oledump.py -s <stream> -d > sc.bin. For PDF: pdf-parser.py -o <obj> -d sc.bin."
- order: 3
name: "Emulation"
tools: [scdbgc, speakeasy]
description: "Emulate without execution. scdbgc /f sc.bin /s -1 shows API calls. speakeasy -t sc.bin -r -a x86 for deeper emulation. Look for: URL downloads, file writes, process creation."
- order: 4
name: "Framework Identification"
tools: [yara, 1768-py]
description: "Check for known frameworks. 1768.py identifies Cobalt Strike beacons. YARA rules detect Metasploit, Cobalt Strike, custom frameworks. Document beacon config if found."
- order: 5
name: "Conversion to EXE"
tools: [shcode2exe]
description: "Convert shellcode to executable for static analysis: shcode2exe sc.bin sc.exe. Then analyze with peframe, strings, ghidra."
- order: 6
name: "String & IOC Extraction"
tools: [strings, floss, cyberchef]
description: "Extract strings from shellcode. Look for: C2 URLs, download paths, filename markers, encryption keys. Use CyberChef for encoded content."
- order: 7
name: "Document Findings"
tools: []
description: "Record: shellcode offset in carrier, size, encoding/XOR key, framework (Metasploit/CS/custom), C2 address, downloaded payload URL, technique (staged/stageless)."
related_labs: ["3.4", "3.5", "4.6", "4.7"]
tags: [shellcode, emulation, cobalt-strike, metasploit, scdbg]
# ============================================================
# 10. STRING & DATA DEOBFUSCATION (NEW)
# ============================================================
- id: string-deobfuscation-workflow
name: "String & Data Deobfuscation"
description: "Decode obfuscated strings and data in malware. Covers XOR, Base64, stack strings, custom algorithms, and multi-layer encoding."
steps:
- order: 1
name: "Automated Extraction"
tools: [floss, strings]
description: "Start with FLOSS for automatic deobfuscation (static + stack + decoded strings). Compare against plain strings output. FLOSS --no-static for only decoded strings."
- order: 2
name: "Encoding Detection"
tools: [xorsearch, bbcrack]
description: "Identify encoding algorithm. XORSearch: detect XOR with known plaintext (http:, MZ, This program). bbcrack: brute-force XOR, ROL, ADD at multiple levels."
- order: 3
name: "Single-Byte XOR Recovery"
tools: [brxor-py, xortool]
description: "For single-byte XOR: brxor.py <file> finds English words. xortool <file> guesses key length and probable key. xortool-xor -s <key> -i <file> -o decoded.bin to decode."
- order: 4
name: "Multi-Byte / Custom Decoding"
tools: [translate-py, cyberchef]
description: "For custom algorithms: translate.py 'byte ^ key' or complex expressions. CyberChef for visual recipe building (XOR → Base64 → Gunzip chains). Document the recipe."
- order: 5
name: "Stack String Recovery"
tools: [strdeob-pl, floss]
description: "For strings built on the stack (MOV byte-by-byte): strdeob.pl <file> or FLOSS stack string detection. Common in evasive malware to avoid string extraction."
- order: 6
name: "Validation & IOC Extraction"
tools: []
description: "Review decoded strings. Extract IOCs: C2 addresses, registry keys, file paths, API names, credentials. Compare against known malware family patterns."
related_labs: ["1.5", "5.2"]
tags: [strings, xor, deobfuscation, floss, cyberchef, encoding]
# ============================================================
# 11. MEMORY FORENSICS (NEW)
# ============================================================
- id: memory-forensics-workflow
name: "Memory Forensics"
description: "Analyze memory dumps to find malware artifacts, injected code, and hidden processes. Uses Volatility 3 framework on REMnux."
steps:
- order: 1
name: "Image Identification"
tools: [volatility3]
description: "Determine OS and profile: vol3 -f <dump> windows.info (or linux.info). Verify image is valid and identify OS version, build, architecture."
- order: 2
name: "Process Analysis"
tools: [volatility3]
description: "List processes: vol3 -f <dump> windows.pslist / windows.pstree. Look for: suspicious names, unusual parent-child relationships, processes with no window title, duplicate system processes."
- order: 3
name: "Network Connections"
tools: [volatility3]
description: "List connections: vol3 -f <dump> windows.netscan. Identify: C2 connections, unusual ports, connections to known-bad IPs. Cross-reference with process PIDs."
- order: 4
name: "Injection Detection"
tools: [volatility3]
description: "Detect injected code: vol3 -f <dump> windows.malfind. Shows: processes with executable memory not backed by a file. Dump suspicious regions for further analysis."
- order: 5
name: "DLL Analysis"
tools: [volatility3]
description: "List loaded DLLs: vol3 -f <dump> windows.dlllist --pid <PID>. Look for: DLLs loaded from unusual paths (temp, appdata), unsigned DLLs, DLLs not in known-good baseline."
- order: 6
name: "String Search"
tools: [volatility3, strings]
description: "Search for known IOCs in memory: vol3 -f <dump> windows.strings. Also: strings <dump> | grep -i '<pattern>'. Look for URLs, domains, file paths, commands."
- order: 7
name: "Process & Code Dumping"
tools: [volatility3]
description: "Extract suspicious processes: vol3 -f <dump> windows.dumpfiles --pid <PID>. Extract injected code regions from malfind results. Analyze dumped files with Static Analysis Workflow."
- order: 8
name: "Timeline Reconstruction"
tools: [volatility3]
description: "Build timeline: vol3 -f <dump> timeliner.Timeliner. Reconstruct: when malware started, what it did, lateral movement. Correlate with process tree and network data."
related_labs: []
tags: [memory, forensics, volatility, injection, incident-response]
# ============================================================
# 12. ANDROID MALWARE ANALYSIS (NEW)
# ============================================================
- id: android-analysis-workflow
name: "Android Malware Analysis"
description: "Analyze suspicious Android APK files using static and dynamic techniques available in REMnux."
steps:
- order: 1
name: "APK Triage"
tools: [file, apkid]
description: "Verify file type and check for packers/obfuscators. APKiD detects: known packers (DexGuard, Bangcle), obfuscators, anti-debug techniques."
- order: 2
name: "Manifest Analysis"
tools: [apktool]
description: "Decompile APK: apktool d <apk> -o output/. Examine AndroidManifest.xml for: excessive permissions, receivers, services, exported components, intent filters."
- order: 3
name: "Source Code Recovery"
tools: [jadx]
description: "Decompile DEX to Java: jadx <apk> -d output/. Review source code for: C2 URLs, crypto operations, SMS interception, data exfiltration, root checks."
- order: 4
name: "Static Analysis"
tools: [androguard, droidlysis]
description: "androguard: analyze APK structure, permissions, activities. droidlysis: automated static analysis with IOC extraction. Check for: hardcoded keys, URLs, suspicious API usage."
- order: 5
name: "Native Library Analysis"
tools: [strings, radare2]
description: "If APK contains .so libraries: extract from lib/ directory. Analyze with strings and radare2. Native code often hides C2 logic and crypto."
- order: 6
name: "Dynamic Instrumentation"
tools: [frida]
description: "Hook suspicious functions at runtime: frida -U -l hook.js <package>. Intercept: crypto operations, network calls, file access, SMS operations."
- order: 7
name: "Document Findings"
tools: []
description: "Record: package name, permissions abused, C2 infrastructure, data exfiltrated, persistence mechanism, targeted user data (SMS, contacts, location)."
related_labs: []
tags: [android, apk, mobile, frida, jadx, apktool]
# ============================================================
# 13. JAVA MALWARE ANALYSIS (NEW)
# ============================================================
- id: java-analysis-workflow
name: "Java Malware Analysis"
description: "Analyze malicious Java archives (JAR), applets, and compiled classes. Covers decompilation and code analysis."
steps:
- order: 1
name: "Archive Inspection"
tools: [unzip, file]
description: "Extract JAR contents: unzip <file.jar> -d output/. Examine META-INF/MANIFEST.MF for Main-Class entry point. List all .class files."
- order: 2
name: "Decompilation"
tools: [cfr, jd-gui]
description: "Decompile with CFR: cfr <file.jar> --outputdir output/. Or use JD-GUI for visual browsing. CFR handles modern Java (lambdas, try-with-resources) better."
- order: 3
name: "Multi-Decompiler Comparison"
tools: [cfr, procyon]
description: "If one decompiler fails on a class: try Procyon. Compare outputs. Some obfuscators break specific decompilers while others handle them fine."
- order: 4
name: "Code Analysis"
tools: [visual-studio-code]
description: "Review decompiled source. Search for: Runtime.exec() (command execution), URLConnection (network), Cipher (crypto), File I/O operations, reflection (Class.forName)."
- order: 5
name: "Resource Extraction"
tools: [strings]
description: "Extract embedded resources and strings. Check for: encoded payloads in resources, config files, embedded binaries. Base64-encoded content is common."
- order: 6
name: "Document Findings"
tools: []
description: "Record: entry point class, malicious methods, URLs/IPs, downloaded payloads, commands executed, Java version requirements."
related_labs: []
tags: [java, jar, decompilation, cfr, jd-gui]
# ============================================================
# 14. EMAIL & PHISHING ANALYSIS (NEW)
# ============================================================
- id: email-analysis-workflow
name: "Email & Phishing Analysis"
description: "Analyze suspicious email messages for phishing indicators, malicious attachments, and weaponized links."
steps:
- order: 1
name: "Header Analysis"
tools: [emldump-py, mail-parser]
description: "Parse SMTP headers: emldump.py <email.eml>. Check: Received headers (delivery path), Return-Path vs From (spoofing), SPF/DKIM results, X-Mailer."
- order: 2
name: "Attachment Extraction"
tools: [emldump-py, msg-extractor]
description: "Extract attachments: emldump.py <email.eml> -d. For MSG format: msg-extractor <email.msg>. List all attachments with types and sizes."
- order: 3
name: "Attachment Triage"
tools: [file, trid, yara, sha256sum]
description: "For each attachment: identify type, compute hash, scan with YARA. Route to appropriate workflow: Document Analysis (Office/PDF), Static Analysis (PE), JavaScript Deobfuscation (JS/HTML)."
- order: 4
name: "Link Analysis"
tools: [unfurl]
description: "Extract all URLs from email body and headers. Use Unfurl to decompose URLs (reveal tracking pixels, redirect chains, encoded parameters)."
- order: 5
name: "Payload Analysis"
tools: []
description: "Analyze extracted attachments using the appropriate workflow. Common patterns: Office doc with macro → downloads PE, PDF with link → credential harvester, HTML attachment → phishing page."
- order: 6
name: "Document IOCs"
tools: []
description: "Record: sender address and IP, subject line, attachment names and hashes, all URLs, C2/phishing domains, email infrastructure (mail server names)."
related_labs: []
tags: [email, phishing, eml, msg, attachments, headers]
# ============================================================
# 15. COBALT STRIKE ANALYSIS (NEW)
# ============================================================
- id: cobalt-strike-workflow
name: "Cobalt Strike Analysis"
description: "Analyze Cobalt Strike beacons, configurations, and network traffic using Didier Stevens' CS toolkit on REMnux."
steps:
- order: 1
name: "Beacon Detection"
tools: [yara, capa]
description: "Scan suspect file with YARA rules for CS signatures. capa detects 'receive data from C2' and beacon-like capabilities. Check for: characteristic 200KB+ size, sleep patterns."
- order: 2
name: "Configuration Extraction"
tools: [1768-py]
description: "Parse beacon config: 1768.py <sample>. Extracts: C2 URLs, user-agent, beacon interval, watermark, spawn-to process, named pipes, proxy config."
- order: 3
name: "Metadata Decryption"
tools: [cs-decrypt-metadata-py]
description: "Decrypt beacon metadata from network captures: cs-decrypt-metadata.py <metadata>. Reveals: computer name, user, process info sent to team server."
- order: 4
name: "Key Extraction"
tools: [cs-extract-key-py]
description: "Extract encryption keys: cs-extract-key.py -f <process_dump>. Recovers AES and HMAC keys used for C2 communication encryption."
- order: 5
name: "Traffic Decryption"
tools: [cs-parse-traffic-py]
description: "Decrypt C2 traffic: cs-parse-traffic.py -f <pcap> -k <keys>. Reveals: tasking commands, downloaded payloads, exfiltrated data."
- order: 6
name: "Sleep Mask Analysis"
tools: [cs-analyze-processdump-py]
description: "Analyze sleep mask: cs-analyze-processdump.py <dump>. Detects if beacon encrypts itself in memory during sleep. Useful for memory forensics."
- order: 7
name: "Document Findings"
tools: []
description: "Record: C2 domains/IPs, beacon interval, watermark (operator ID), user-agent strings, named pipe patterns, spawn-to process, malleable C2 profile indicators."
related_labs: ["3.4"]
tags: [cobalt-strike, c2, beacon, didier-stevens, threat-intel]
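Review bot: Memory Forensics steps 6 and 7 misdescribe two Volatility 3 plugins. `windows.strings` does not search the image for patterns; it takes the output of `strings -td` via `--strings-file` and maps each hit to the owning process, so the IOC search itself is the `strings <dump> | grep -i '<pattern>'` command already listed in step 6. `windows.dumpfiles --pid <PID>` dumps cached file objects referenced by the process, not the process image; to extract a suspicious process use `windows.pslist --pid <PID> --dump`, and `windows.malfind --dump` writes out the injected regions step 7 refers to. Suggest wording step 6 as "map strings hits to processes" and replacing the dumpfiles command in step 7 with the pslist/malfind dump options.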
+94
View File
@@ -0,0 +1,94 @@
{
"categories": [
{
"id": "pdf-analysis",
"name": "PDF Analysis",
"description": "Tools for analyzing PDF document structure, objects, and embedded content"
},
{
"id": "document-analysis",
"name": "Document & Macro Analysis",
"description": "Tools for examining Office documents, RTF files, email, and embedded macros"
},
{
"id": "static-analysis-pe",
"name": "Static Analysis (PE)",
"description": "Tools for static examination of Windows PE executables \u2014 headers, imports, strings, entropy"
},
{
"id": "behavioral-analysis",
"name": "Behavioral Analysis",
"description": "Tools for monitoring runtime behavior \u2014 processes, filesystem, registry, API calls"
},
{
"id": "network-analysis",
"name": "Network Analysis & Interception",
"description": "Tools for capturing, analyzing, and simulating network traffic"
},
{
"id": "code-analysis",
"name": "Code Analysis & Disassembly",
"description": "Disassemblers and decompilers for static code-level analysis"
},
{
"id": "debugging",
"name": "Debugging",
"description": "Debuggers for dynamic code-level analysis, breakpoints, and memory inspection"
},
{
"id": "emulation",
"name": "Emulation & Sandboxing",
"description": "Tools that emulate execution of binaries, shellcode, or scripts without native execution"
},
{
"id": "unpacking",
"name": "Unpacking & Dumping",
"description": "Tools for unpacking compressed/encrypted executables and dumping from memory"
},
{
"id": "dotnet-analysis",
"name": ".NET Analysis",
"description": "Decompilers, debuggers, and deobfuscators specialized for .NET/CLR malware"
},
{
"id": "javascript-analysis",
"name": "JavaScript Analysis",
"description": "Tools for deobfuscating and analyzing malicious JavaScript"
},
{
"id": "powershell-analysis",
"name": "PowerShell Analysis",
"description": "Tools for debugging, decoding, and analyzing malicious PowerShell scripts"
},
{
"id": "string-deobfuscation",
"name": "String & Data Deobfuscation",
"description": "Tools for decoding XOR, Base64, stack strings, and other obfuscation techniques"
},
{
"id": "yara-detection",
"name": "YARA & Capability Detection",
"description": "Pattern matching and capability identification tools"
},
{
"id": "anti-analysis",
"name": "Anti-Analysis Bypass",
"description": "Plugins and techniques for bypassing debugger detection and anti-analysis measures"
},
{
"id": "online-platforms",
"name": "Online Analysis Platforms",
"description": "Web-based sandboxes, scanners, and threat intelligence services"
},
{
"id": "virtualization",
"name": "Virtualization",
"description": "Hypervisors and VM platforms for isolated malware analysis labs"
},
{
"id": "utilities",
"name": "Utilities",
"description": "General-purpose utilities used within malware analysis workflows"
}
]
}
+18
View File
@@ -0,0 +1,18 @@
# 1768.py
# Parse Cobalt Strike beacon configuration from shellcode or memory dumps
# FOR610 Labs: 3.4 | Sections: 3 | Author: Didier Stevens
# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
% cobalt-strike, beacon, c2-config, didier-stevens
# Basic usage
1768.py shellcode.bin
# --- Recipes (multi-tool chains) ---
# >> Parse Cobalt Strike Beacon Configuration
# Scan with YARA for CS signatures
yara-rules <sample>
# Extract beacon configuration
1768.py <sample_or_shellcode.bin>
+9
View File
@@ -0,0 +1,9 @@
# 7-Zip
# Compress and decompress files using a variety of algorithms.
# Category: Examine Static Properties > General
# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general
% 7-zip
# Show help for 7-Zip
7-Zip --help
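Review bot: the help command `7-Zip --help` uses the docs display name instead of a binary; p7zip installs `7z` (plus `7za`/`7zr`), so this line fails with command not found. The generator should look up the actual command when the docs title differs from it, and this entry should be merged with the `7zip` entry from the salt-states source in the next hunk, since the commit message says the master inventory merges tools across sources.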
+7
View File
@@ -0,0 +1,7 @@
# 7zip
# Installed via: apt (remnux-packages-p7zip-full)
% 7zip
# Show help for 7zip
7zip --help
@@ -0,0 +1,7 @@
# aeskeyfind
# Installed via: apt (aeskeyfind)
% aeskeyfind
# Show help for aeskeyfind
aeskeyfind --help
@@ -0,0 +1,9 @@
# AESKeyFinder
# Find 128-bit and 256-bit AES keys in a memory image.
# Category: Perform Memory Forensics
# Docs: https://docs.remnux.org/discover-the-tools/perform+memory+forensics
% aeskeyfinder
# Show help for AESKeyFinder
AESKeyFinder --help
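Review bot: `AESKeyFinder --help` uses the display name; the binary installed by the `aeskeyfind` apt package in the preceding hunk is `aeskeyfind`, and the two entries describe the same tool, so they should collapse into one record with a single tag. The same display-name-as-command problem appears below with `AndroidProjectCreator --help` (the tool is a jar, there is no such command next to `android-project-creator`).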
@@ -0,0 +1,14 @@
# androguard
# Analyze Android APK files — extract permissions, activities, intents, and decompile DEX code
# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android
% android, apk, permissions, decompilation
# Basic usage
androguard analyze <app.apk>
# Output to file
androguard decompile -o output/ <app.apk>
# Save output to file
androgui.py <app.apk>
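Review bot: the comments do not match the commands. `androgui.py <app.apk>` launches the androguard GUI, it does not "Save output to file", and "Output to file" above `androguard decompile -o output/ <app.apk>` should say it writes the decompiled project to a directory. The generator appears to emit a fixed comment sequence (Basic usage / Output to file / Save output to file) regardless of the command; the apktool hunk below has the same issue with "Output to file" over `apktool b output/ -o rebuilt.apk`, which rebuilds the APK. Source the comments from the recipe data or drop them.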
@@ -0,0 +1,7 @@
# android-project-creator
# Installed via: unknown (android-project-creator)
% android-project-creator
# Show help for android-project-creator
android-project-creator --help
@@ -0,0 +1,9 @@
# AndroidProjectCreator
# Convert an Android APK application file into an Android Studio project for easier analysis.
# Category: Statically Analyze Code > Android
# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android
% androidprojectcreator
# Show help for AndroidProjectCreator
AndroidProjectCreator --help
+9
View File
@@ -0,0 +1,9 @@
# anomy
# A wrapper around wget, ssh, sftp, ftp, and telnet to route these connections through Tor to anonymize your traffic.
# Category: Explore Network Interactions > Connecting
# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting
% anomy
# Show help for anomy
anomy --help
+9
View File
@@ -0,0 +1,9 @@
# apkid
# Identify compilers, packers, and obfuscators used to protect Android APK and DEX files.
# Category: Statically Analyze Code > Android
# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android
% apkid
# Show help for apkid
apkid --help
+24
View File
@@ -0,0 +1,24 @@
# apktool
# Decompile and recompile Android APK files — extract resources, smali code, and manifest
# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android
% android, apk, decompilation, resources
# Basic usage
apktool d <app.apk> -o output/
# Output to file
apktool b output/ -o rebuilt.apk
# --- Recipes (multi-tool chains) ---
# >> Quick APK Triage
# Check for packers/obfuscators
apkid <app.apk>
# Decompile to smali + resources
apktool d <app.apk> -o output/
# Check permissions
grep 'uses-permission' output/AndroidManifest.xml
# Decompile to Java source
jadx <app.apk> -d src/
@@ -0,0 +1,7 @@
# apt-utils
# Installed via: apt (apt-utils)
% apt-utils
# Show help for apt-utils
apt-utils --help
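Review bot: `apt-utils` is a packaging helper, not an analysis tool, and `apt-utils --help` is not a meaningful command; the same applies to `archive-zip` (a Perl module with no binary), `autoconf`, `automake`, `autologin`, `bash-history`, `bash-rc`, `binutils` and `build-essential` further down, which are salt states for build dependencies and dotfiles. Suggest the salt-states parser keep a denylist, or require that a binary of that name exists, so these never reach tools.db and the cheatsheet count reflects real tools.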
@@ -0,0 +1,7 @@
# archive-zip
# Installed via: perl (cpan)
% archive-zip
# Show help for archive-zip
archive-zip --help
@@ -0,0 +1,7 @@
# autoconf
# Installed via: apt (autoconf)
% autoconf
# Show help for autoconf
autoconf --help
@@ -0,0 +1,9 @@
# autoit-ripper
# Extract AutoIt scripts embedded in PE binaries.
# Category: Statically Analyze Code > Scripts
# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/scripts
% autoit-ripper
# Show help for autoit-ripper
autoit-ripper --help
@@ -0,0 +1,7 @@
# autologin
# Installed via: unknown (autologin)
% autologin
# Show help for autologin
autologin --help
@@ -0,0 +1,7 @@
# automake
# Installed via: apt (automake)
% automake
# Show help for automake
automake --help
@@ -0,0 +1,9 @@
# baksmali
# Disassembler for the dex format used by Dalvik, Android&#x27;s Java VM implementation.
# Category: Statically Analyze Code > Android
# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android
% baksmali
# Show help for baksmali
baksmali --help
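Review bot: the description still carries the HTML entity `Android&#x27;s`; the docs scraper should unescape entities (for example with `html.unescape`) before writing the cheatsheet, since this text is shown verbatim to the user.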
@@ -0,0 +1,9 @@
# balbuzard
# Extract and deobfuscate patterns from suspicious files.
# Category: Examine Static Properties > Deobfuscation
# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
% balbuzard
# Show help for balbuzard
balbuzard --help
@@ -0,0 +1,53 @@
# base64dump.py
# Extract and decode Base64-encoded strings from files
# FOR610 Labs: 3.4, 4.5 | Sections: 3, 4 | Author: Didier Stevens
# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
% base64, decoding, didier-stevens
# Basic usage
base64dump.py file.txt
# Suppress default output
base64dump.py file.ps1 -n 10
# Select specific item
base64dump.py file.ps1 -s 2 -d
# --- Recipes (multi-tool chains) ---
# >> Extract Base64 PowerShell from Office Macro
# List streams — find macro (M) and data streams
oledump.py <document>
# Extract VBA source to understand what the macro does
oledump.py <document> -s <macro_stream> -v
# Scan data stream for Base64 strings
oledump.py <document> -s <data_stream> -d | base64dump.py -n 10
# Decode the longest Base64 hit to file
oledump.py <document> -s <data_stream> -d | base64dump.py -s 1 -d > payload.ps1
# >> Decode Base64 + Gzip Payload
# Find Base64 strings in the script
base64dump.py <script.ps1> -n 10
# Decode Base64 and decompress gzip in one chain
base64dump.py <script.ps1> -s <selection> -d | gunzip > decoded.ps1
# >> Decode Base64 + XOR Shellcode
# Find Base64 strings
base64dump.py <script.ps1> -n 10
# Decode Base64, then XOR with key
base64dump.py <script.ps1> -s <selection> -d | translate.py 'byte ^ <key>' > shellcode.bin
# >> Full Office Macro Decode Chain
# Step 1: List streams and extract VBA
oledump.py <document>
oledump.py <document> -s <macro_stream> -v
# Step 2: Extract Base64 from data stream
oledump.py <document> -s <data_stream> -d | base64dump.py -s 1 -d > stage1.ps1
# Step 3: Decode second Base64 layer + decompress
base64dump.py stage1.ps1 -s 3 -d | gunzip > stage2.ps1
# Step 4: XOR decode the shellcode
base64dump.py stage2.ps1 -s 2 -d | translate.py 'byte ^ 35' > shellcode.bin
# Step 5: Emulate the shellcode
scdbgc /f shellcode.bin /s -1
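Review bot: the comment "# Suppress default output" on `base64dump.py file.ps1 -n 10` is wrong: `-n 10` sets the minimum Base64 string length (hits shorter than 10 characters are ignored), which is also how the recipes below use it. Reword to "Ignore Base64 strings shorter than 10 chars". The "Full Office Macro Decode Chain" also hardcodes `-s 3`, `-s 2` and the XOR key `35` from a single lab sample; mark these as example values so the chain is not copied verbatim onto other specimens.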
@@ -0,0 +1,7 @@
# bash-history
# Installed via: unknown (bash-history)
% bash-history
# Show help for bash-history
bash-history --help
+7
View File
@@ -0,0 +1,7 @@
# bash-rc
# Installed via: unknown (bash-rc)
% bash-rc
# Show help for bash-rc
bash-rc --help
+23
View File
@@ -0,0 +1,23 @@
# bbcrack
# Detect and decode strings obfuscated with XOR, ROL, and ADD algorithms
# FOR610 Labs: 5.2 | Sections: 5
% xor, rol, add, deobfuscation, balbuzard
# Basic usage
bbcrack -l 1 specimen.dll
# --- Recipes (multi-tool chains) ---
# >> Brute-Force XOR Key
# Quick check for XOR-encoded URLs/PE headers
XORSearch <file> http:
# Brute-force single-byte XOR keys
brxor.py <file>
# Try XOR, ROL, ADD combinations
bbcrack -l 1 <file>
# Guess multi-byte XOR key length and value
xortool <file>
# Decode with known key
xortool-xor -s '<key>' -i <encoded> -o <decoded>
@@ -0,0 +1,7 @@
# bearparser
# Installed via: apt (bearparser)
% bearparser
# Show help for bearparser
bearparser --help
@@ -0,0 +1,9 @@
# binee (Binary Emulation Environment)
# Analyze I/O operations of a suspicious PE file by emulating its execution.
# Category: Statically Analyze Code > PE Files
# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files
% binee--binary-emulation-environment
# Show help for binee (Binary Emulation Environment)
binee (Binary Emulation Environment) --help
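Review bot: the last line passes the docs page title, spaces and parentheses included, to the shell as a command, so `binee (Binary Emulation Environment) --help` cannot run; the executable name `binee` is already known from the salt-state record for the same tool that follows, so the two records should be merged in the master inventory and the help line emitted from the package name, not from the title.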
@@ -0,0 +1,7 @@
# binee
# Installed via: unknown (binee)
% binee
# Show help for binee
binee --help
@@ -0,0 +1,7 @@
# binutils
# Installed via: apt (binutils)
% binutils
# Show help for binutils
binutils --help
@@ -0,0 +1,12 @@
# binwalk
# Analyze and extract embedded files and firmware images
# Sections: 1
# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general
% firmware, extraction, embedded-files
# Basic usage
binwalk firmware.bin
# Alternative usage
binwalk -e firmware.bin
@@ -0,0 +1,9 @@
# box-js
# JavaScript sandbox for analyzing malicious scripts by emulating browser/WScript APIs
# Sections: 3
# Docs: https://docs.remnux.org/discover-the-tools/dynamically+reverse-engineer+code/scripts
% javascript, sandbox, emulation
# Basic usage
box-js --output-dir=/tmp suspicious.js
@@ -0,0 +1,24 @@
# brxor.py
# Brute-force XOR key detection for single-byte XOR-encoded strings
# FOR610 Labs: 5.2 | Sections: 5
# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
% xor, brute-force, deobfuscation
# Basic usage
brxor.py specimen.dll
# --- Recipes (multi-tool chains) ---
# >> Brute-Force XOR Key
# Quick check for XOR-encoded URLs/PE headers
XORSearch <file> http:
# Brute-force single-byte XOR keys
brxor.py <file>
# Try XOR, ROL, ADD combinations
bbcrack -l 1 <file>
# Guess multi-byte XOR key length and value
xortool <file>
# Decode with known key
xortool-xor -s '<key>' -i <encoded> -o <decoded>
@@ -0,0 +1,7 @@
# build-essential
# Installed via: apt (build-essential)
% build-essential
# Show help for build-essential
build-essential --help
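Review bot: build-essential is an apt metapackage that installs no binary of that name, so `build-essential --help` is a dead command; metapackages of this kind (default-jdk and default-jre in this commit are the same case) are dependencies rather than tools and should be filtered out, or at least emitted without a help section.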
@@ -0,0 +1,9 @@
# bulk-extractor
# Extract interesting strings from binary files.
# Category: Examine Static Properties > General
# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general
% bulk-extractor
# Show help for bulk-extractor
bulk-extractor --help
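Review bot: the help line calls the docs slug `bulk-extractor`, but the upstream binary is `bulk_extractor` (underscore); the command name should come from the installed package or a PATH check rather than from the docs page slug, since a hyphen/underscore mismatch silently breaks every `--help` line generated this way.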
@@ -0,0 +1,7 @@
# bundler
# Installed via: apt (bundler)
% bundler
# Show help for bundler
bundler --help
@@ -0,0 +1,9 @@
# Burp Suite Community Edition
# Investigate website interactions using this web proxy.
# Category: Explore Network Interactions > Monitoring
# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring
% burp-suite-community-edition
# Show help for Burp Suite Community Edition
Burp Suite Community Edition --help
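Review bot: `Burp Suite Community Edition --help` hands a docs title with spaces to the shell and cannot run; the salt-state record `burpsuite-community` a few files below describes the same tool, so the master inventory should merge the two and derive the help line from the installed package's executable rather than from the docs title.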
@@ -0,0 +1,7 @@
# burpsuite-community
# Installed via: apt (remnux-packages-burpsuite-community)
% burpsuite-community
# Show help for burpsuite-community
burpsuite-community --help
@@ -0,0 +1,9 @@
# Bytehist
# Generate byte-usage histograms to visually identify packed or encrypted sections in binaries
# Sections: 1, 4
# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/unpacking
% pe, entropy, packing-detection, histogram
# Basic usage
bytehist specimen.exe
@@ -0,0 +1,9 @@
# cabextract
# Extract Microsoft cabinet (cab) files.
# Category: General Utilities
# Docs: https://docs.remnux.org/discover-the-tools/general+utilities
% cabextract
# Show help for cabextract
cabextract --help
@@ -0,0 +1,28 @@
# capa
# Identify malware capabilities mapped to MITRE ATT&CK framework and Malware Behavior Catalog
# FOR610 Labs: 1.4, 5.4 | Sections: 1, 5
# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/pe-files
% capabilities, mitre-attack, automated-analysis
# Basic usage
capa specimen.exe
# Verbose output with details
capa -vv specimen.exe
# Verbose output with details
capa -vv specimen.exe | grep -A7 'Suspended Process'
# --- Recipes (multi-tool chains) ---
# >> Filter Capabilities by Technique
# Full capabilities report
capa <sample>
# Verbose with rule matches
capa -vv <sample>
# Filter for specific technique
capa -vv <sample> | grep -A7 '<technique_name>'
# Find injection-related capabilities
capa -vv <sample> | grep -A7 'inject\|hollow\|suspend'
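Review bot: the comment on the third basic example repeats "Verbose output with details" even though that command pipes `capa -vv` through `grep -A7 'Suspended Process'`; it should describe what the filter adds, for example "Show the rule matches behind one capability". It is also worth noting next to the `-A7` lines that the context count depends on how many lines the match occupies, so the reader knows to adjust it.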
@@ -0,0 +1,9 @@
# cast
# Install and manage SaltStack-based Linux distributions.
# Category: General Utilities
# Docs: https://docs.remnux.org/discover-the-tools/general+utilities
% cast
# Show help for cast
cast --help
@@ -0,0 +1,7 @@
# cffi
# Installed via: pip (remnux-python3-packages-cffi)
% cffi
# Show help for cffi
cffi --help
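Review bot: cffi is a Python library (the source is the pip state remnux-python3-packages-cffi) with no command-line entry point, so `cffi --help` fails; pip-installed libraries should be excluded from the cheatsheet set, or rendered as an import check such as `python3 -c 'import cffi'`, not as a CLI.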
@@ -0,0 +1,11 @@
# cfr
# Modern Java decompiler — handles Java 8+ features including lambdas and try-with-resources
# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/java
% java, decompilation, jar
# Basic usage
cfr <file.jar> --outputdir output/
# Save output to file
cfr <file.class>
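Review bot: the second comment says "Save output to file", but `cfr <file.class>` has no output option and prints the decompiled source to the terminal, while it is the first example that writes to a directory via `--outputdir output/`; swap the comments to something like "Decompile a JAR into a directory" and "Decompile a single class to stdout".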
@@ -0,0 +1,9 @@
# chepy
# Decode and otherwise analyze data using this command-line tool and Python library.
# Category: Examine Static Properties > Deobfuscation
# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
% chepy
# Show help for chepy
chepy --help
@@ -0,0 +1,7 @@
# clamav-daemon
# Installed via: apt (clamav-daemon)
% clamav-daemon
# Show help for clamav-daemon
clamav-daemon --help
@@ -0,0 +1,14 @@
# ClamAV
# Open-source antivirus — scan files for known malware signatures
# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general
% antivirus, scanning, signatures
# Basic usage
clamscan <sample>
# Recursive/follow references
clamscan -r <directory>/
# Alternative usage
freshclam
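Review bot: `freshclam` is labelled "Alternative usage", but it updates the signature database rather than scanning anything, so the comment should say so (it is also the step to run first, since `clamscan` findings are only as good as the installed signatures). "Recursive/follow references" for `clamscan -r` reads oddly too; "Scan a directory tree recursively" is clearer.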
@@ -0,0 +1,9 @@
# Cobalt Strike Configuration Extractor (CSCE) and Parser
# Analyze Cobalt Strike beacons.
# Category: Examine Static Properties > Deobfuscation
# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
% cobalt-strike-configuration-extractor--csce--and-parser
# Show help for Cobalt Strike Configuration Extractor (CSCE) and Parser
Cobalt Strike Configuration Extractor (CSCE) and Parser --help
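Review bot: the help line is the docs title "Cobalt Strike Configuration Extractor (CSCE) and Parser" passed to the shell, which cannot run, and the `%` tag line is the same title slugified; the actual script names are not on this page, so they need to come from the package that installs the tool, and the record should be cross-checked against the cs-*.py cheatsheets that follow so the same Cobalt Strike tooling is not listed twice under different names.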
@@ -0,0 +1,7 @@
# compatibility
# Installed via: unknown (compatibility)
% compatibility
# Show help for compatibility
compatibility --help
@@ -0,0 +1,8 @@
# cs-analyze-processdump.py
# Analyze Cobalt Strike beacon process dumps for sleep mask encoding
# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
% cobalt-strike, sleep-mask, memory
# Basic usage
cs-analyze-processdump.py <process_dump>
@@ -0,0 +1,8 @@
# cs-decrypt-metadata.py
# Decrypt Cobalt Strike beacon metadata from network captures
# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
% cobalt-strike, decryption, metadata
# Basic usage
cs-decrypt-metadata.py <metadata_hex>
@@ -0,0 +1,8 @@
# cs-extract-key.py
# Extract AES and HMAC encryption keys from Cobalt Strike beacon process memory dumps
# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
% cobalt-strike, encryption, key-extraction
# Basic usage
cs-extract-key.py -f <process_dump>
@@ -0,0 +1,8 @@
# cs-parse-traffic.py
# Decrypt and parse Cobalt Strike beacon network traffic using extracted keys
# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/monitoring
% cobalt-strike, traffic, decryption
# Basic usage
cs-parse-traffic.py -f <capture.pcap> -k <keys_file>
@@ -0,0 +1,12 @@
# curl
# Transfer data to/from servers using various protocols
# Sections: 1
# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting
% download, http, transfer
# Basic usage
curl -L http://example.com
# Output to file
curl -o output.bin http://example.com/file
@@ -0,0 +1,9 @@
# cut-bytes.py
# Cut out a part of a data stream.
# Category: Examine Static Properties > Deobfuscation
# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
% cut-bytes.py
# Show help for cut-bytes.py
cut-bytes.py --help
@@ -0,0 +1,9 @@
# Cutter
# Open-source reverse engineering platform — Qt-based GUI for radare2
# Sections: 2
# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/general
% disassembly, radare2, open-source
# Basic usage
cutter specimen.exe
@@ -0,0 +1,18 @@
# CyberChef
# Web-based data transformation tool — decode Base64, XOR, hex, decompress, and chain operations
# FOR610 Labs: 1.5, 3.8, 3.12 | Sections: 1, 3
# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
% decoding, encoding, transformation, web-based
# Basic usage
cyberchef
# --- Recipes (multi-tool chains) ---
# >> Visual XOR/Base64 Decode with CyberChef
# Launch CyberChef
cyberchef
# Common recipe: From Hex → XOR (key) → extract strings
# Common recipe: From Base64 → Decode text UTF-16LE
@@ -0,0 +1,11 @@
# dc3-mwcp
# DC3 Malware Configuration Parser — extract C2 configs from known malware families
# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/deobfuscation
% malware, config-extraction, c2
# Basic usage
mwcp parse <sample>
# Save output to file
mwcp parse -p Emotet <sample>
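Review bot: the comment "Save output to file" does not match `mwcp parse -p Emotet <sample>`, which selects a parser rather than writing a file; relabel it "Run a specific family parser", and confirm the parser-selection syntax against `mwcp parse --help`, since the first example `mwcp parse <sample>` passes no parser at all.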
@@ -0,0 +1,21 @@
# de4dot
# .NET deobfuscator — remove obfuscation from .NET assemblies
# FOR610 Labs: 4.8 | Sections: 4
# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/.net
% dotnet, deobfuscation
# Basic usage
de4dot obfuscated.exe
# --- Recipes (multi-tool chains) ---
# >> Decompile .NET on Command Line
# Decompile to C# source
ilspycmd <assembly.exe> > source.cs
# Search for suspicious patterns
grep -n 'Assembly.Load\|WebClient\|Process.Start' source.cs
# If obfuscated, deobfuscate first
de4dot <assembly.exe>
ilspycmd <assembly-cleaned.exe> > source_clean.cs
@@ -0,0 +1,9 @@
# decode-vbe.py
# Decode encoded VBS scripts (VBE).
# Category: Statically Analyze Code > Scripts
# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/scripts
% decode-vbe.py
# Show help for decode-vbe.py
decode-vbe.py --help
@@ -0,0 +1,9 @@
# Decompyle++
# Python bytecode disassembler and decompiler.
# Category: Statically Analyze Code > Python
# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/python
% decompyle
# Show help for Decompyle++
Decompyle++ --help
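Review bot: `Decompyle++ --help` is the project name, not a command; the project installs `pycdc` (decompiler) and `pycdas` (bytecode disassembler), so the help line should name one of those. The lone `% decompyle` tag also shows the slug was derived from the docs title rather than from the installed binaries.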
@@ -0,0 +1,7 @@
# default-jdk
# Installed via: apt (default-jdk)
% default-jdk
# Show help for default-jdk
default-jdk --help
@@ -0,0 +1,7 @@
# default-jre
# Installed via: apt (default-jre)
% default-jre
# Show help for default-jre
default-jre --help
@@ -0,0 +1,9 @@
# dex2jar
# Examine Dalvik Executable (dex) files.
# Category: Statically Analyze Code > Android
# Docs: https://docs.remnux.org/discover-the-tools/statically+analyze+code/android
% dex2jar
# Show help for dex2jar
dex2jar --help
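Review bot: the dex2jar distribution exposes its tools as `d2j-` scripts (`d2j-dex2jar` is the one this description refers to), so `dex2jar --help` most likely resolves to nothing; use the script name, and ideally show the typical `d2j-dex2jar <app.apk>` call rather than only `--help`.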
@@ -0,0 +1,9 @@
# dexray
# Extract and decode data from antivirus quarantine files.
# Category: Gather and Analyze Data
# Docs: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data
% dexray
# Show help for dexray
dexray --help
@@ -0,0 +1,7 @@
# dialog
# Installed via: apt (dialog)
% dialog
# Show help for dialog
dialog --help
@@ -0,0 +1,7 @@
# didier-stevens-scripts
# Installed via: pip (remnux-python3-packages-dissect-fusepy-prereq)
% didier-stevens-scripts
# Show help for didier-stevens-scripts
didier-stevens-scripts --help
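Review bot: "Installed via: pip (remnux-python3-packages-dissect-fusepy-prereq)" looks like a mis-attributed salt state; that state is a dissect prerequisite and has nothing to do with Didier Stevens' scripts. The individual scripts (oledump.py, base64dump.py, emldump.py, cut-bytes.py, decode-vbe.py) already have their own cheatsheets in this commit, so this umbrella entry should be dropped or turned into a pointer to those.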
@@ -0,0 +1,9 @@
# diec
# Detect packers, compilers, and tools used to create executables
# FOR610 Labs: 4.1 | Sections: 1, 4
# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general
% pe, packer-detection, compiler-detection
# Basic usage
diec specimen.exe
@@ -0,0 +1,9 @@
# disitool
# Manipulate embedded digital signatures.
# Category: Examine Static Properties > General
# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general
% disitool
# Show help for disitool
disitool --help
@@ -0,0 +1,7 @@
# display
# Installed via: unknown (set-scaling)
% display
# Show help for display
display --help
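Review bot: "Installed via: unknown (set-scaling)" does not describe a tool called display; the parser appears to have taken a display-scaling salt state and turned its first word into a tool name. This record should be filtered out, and it is a useful test case for how the inventory handles sources it classifies as unknown.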
@@ -0,0 +1,9 @@
# dissect
# Perform a variety of forensics and incident response tasks using this DFIR framework and toolset.
# Category: Gather and Analyze Data
# Docs: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data
% dissect
# Show help for dissect
dissect --help
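Review bot: dissect is a framework made up of several command-line tools (target-query, target-shell, target-dump and others) and installs no `dissect` executable, so `dissect --help` fails; the cheatsheet should list those entry points, or at least the most common one, instead of the framework name.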
@@ -0,0 +1,7 @@
# distro-info
# Installed via: pip (distro-info)
% distro-info
# Show help for distro-info
distro-info --help
@@ -0,0 +1,7 @@
# dllcharacteristics
# Installed via: script (dllcharacteristics.py)
% dllcharacteristics
# Show help for dllcharacteristics
dllcharacteristics --help
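Review bot: the record says "Installed via: script (dllcharacteristics.py)" but then calls `dllcharacteristics --help` without the `.py` suffix; when the source is a script, the help line should use the filename exactly as recorded, the way the cut-bytes.py, decode-vbe.py and dnsresolver.py entries do.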
@@ -0,0 +1,9 @@
# dnfile
# Analyze static properties of.
# Category: Examine Static Properties > .NET
# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/.net
% dnfile
# Show help for dnfile
dnfile --help
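Review bot: the description "Analyze static properties of." is truncated; the scraper dropped the object of the sentence (presumably a hyperlinked term on the docs page). Either repair it from the docs page or have the coverage report flag descriptions that end in "of." so they get reviewed; dotnetfile below has the identical defect.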
@@ -0,0 +1,9 @@
# dnslib
# Python library to encode/decode DNS wire-format packets.
# Category: Gather and Analyze Data
# Docs: https://docs.remnux.org/discover-the-tools/gather+and+analyze+data
% dnslib
# Show help for dnslib
dnslib --help
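Review bot: the description itself says dnslib is a Python library, so `dnslib --help` has nothing to call; entries whose description identifies them as a library should be excluded from `--help` generation or rendered as an import check rather than as a CLI.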
@@ -0,0 +1,9 @@
# dnsresolver.py
# DNS resolver tool for dynamic analysis with wildcard and tracking support.
# Category: Explore Network Interactions > Services
# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/services
% dnsresolver.py
# Show help for dnsresolver.py
dnsresolver.py --help
@@ -0,0 +1,9 @@
# docker
# Run and manage containers.
# Category: General Utilities
# Docs: https://docs.remnux.org/discover-the-tools/general+utilities
% docker
# Show help for docker
docker --help
@@ -0,0 +1,7 @@
# dog
# Installed via: unknown (dog)
% dog
# Show help for dog
dog --help
@@ -0,0 +1,9 @@
# dos2unix
# Convert text files with Windows or macOS line breaks to Unix line breaks and vice versa.
# Category: View or Edit Files
# Docs: https://docs.remnux.org/discover-the-tools/view+or+edit+files
% dos2unix
# Show help for dos2unix
dos2unix --help
@@ -0,0 +1,7 @@
# dot-cache
# Installed via: unknown (dot-cache)
% dot-cache
# Show help for dot-cache
dot-cache --help
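Review bot: dot-cache, and the dot-config, dot-cpan, dot-dbus and dot-local records that follow, are home-directory dotfile states rather than tools, so `dot-cache --help` cannot run. The salt-state parser should skip states named `dot-*` (or any state that installs no executable); otherwise the 447-tool count is padded with noise.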
@@ -0,0 +1,7 @@
# dot-config
# Installed via: unknown (dot-config)
% dot-config
# Show help for dot-config
dot-config --help
@@ -0,0 +1,7 @@
# dot-cpan
# Installed via: unknown (dot-cpan)
% dot-cpan
# Show help for dot-cpan
dot-cpan --help
@@ -0,0 +1,7 @@
# dot-dbus
# Installed via: unknown (dot-dbus)
% dot-dbus
# Show help for dot-dbus
dot-dbus --help
@@ -0,0 +1,7 @@
# dot-local
# Installed via: unknown (dot-local)
% dot-local
# Show help for dot-local
dot-local --help
@@ -0,0 +1,7 @@
# dotnet-runtime-3-1
# Installed via: apt (dotnet3)
% dotnet-runtime-3-1
# Show help for dotnet-runtime-3-1
dotnet-runtime-3-1 --help
@@ -0,0 +1,9 @@
# dotnetfile
# Analyze static properties of.
# Category: Examine Static Properties > .NET
# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/.net
% dotnetfile
# Show help for dotnetfile
dotnetfile --help
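Review bot: "Analyze static properties of." is a truncated description, the same scraper defect as in the dnfile entry; repair it from the docs page or have the coverage report flag sentences that end in "of." so they are reviewed before the cheatsheet ships.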
@@ -0,0 +1,9 @@
# droidlysis
# Perform static analysis of Android applications.
# Category: Examine Static Properties > General
# Docs: https://docs.remnux.org/discover-the-tools/examine+static+properties/general
% droidlysis
# Show help for droidlysis
droidlysis --help
@@ -0,0 +1,7 @@
# edb-debugger
# Installed via: apt (edb-debugger)
% edb-debugger
# Show help for edb-debugger
edb-debugger --help
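Review bot: the executable installed by the edb-debugger apt package is `edb`, so `edb-debugger --help` fails; mapping apt package names to executables needs a lookup (for example the package's file list or a PATH check) instead of reusing the package name as the command.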
@@ -0,0 +1,22 @@
# emldump.py
# Parse and analyze EML email message files
# Sections: 3 | Author: Didier Stevens
# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/email+messages
% email, eml, didier-stevens
# Basic usage
emldump.py message.eml
# --- Recipes (multi-tool chains) ---
# >> Extract and Triage Email Attachments
# List email structure
emldump.py <email.eml>
# Extract all attachments
emldump.py <email.eml> -d
# Identify file types
file attachment_*
# Compute hashes for lookup
sha256sum attachment_*
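Review bot: the recipe runs `emldump.py <email.eml> -d` and then `file attachment_*`, but nothing in between names any output `attachment_*`; the other dump recipes on these cheatsheets pair `-d` with `-s <selection>` and a redirection, so this one should do the same (`emldump.py <email.eml> -s <part> -d > attachment_1.bin`, once per attachment) so that the `file` and `sha256sum` steps have files to operate on.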
@@ -0,0 +1,7 @@
# enchant
# Installed via: apt (remnux-packages-enchant)
% enchant
# Show help for enchant
enchant --help
@@ -0,0 +1,9 @@
# EPIC IRC Client
# Examine IRC activities with this IRC client.
# Category: Explore Network Interactions > Connecting
# Docs: https://docs.remnux.org/discover-the-tools/explore+network+interactions/connecting
% epic-irc-client
# Show help for EPIC IRC Client
EPIC IRC Client --help
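Review bot: `EPIC IRC Client --help` passes a docs title with spaces to the shell; the executable is `epic5`, which the salt-state record for the same client just below already provides, so merge the two records and emit the help line from the package name.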
@@ -0,0 +1,7 @@
# epic5
# Installed via: apt (epic5)
% epic5
# Show help for epic5
epic5 --help
@@ -0,0 +1,9 @@
# evilclippy
# Remove VBA project password protection and manipulate Office macro settings
# Sections: 3
# Docs: https://docs.remnux.org/discover-the-tools/analyze+documents/microsoft+office
% office, vba, password-removal
# Basic usage
evilclippy -uu document.docm
@@ -0,0 +1,9 @@
# evince
# View documents in a variety of formats, including PDF.
# Category: View or Edit Files
# Docs: https://docs.remnux.org/discover-the-tools/view+or+edit+files
% evince
# Show help for evince
evince --help

Some files were not shown because too many files have changed in this diff.