Add FOR610 tool/workflow knowledge base and data pipeline

Build comprehensive malware analysis knowledge base from 3 sources: - SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes - REMnux salt-states: 340 packages parsed from GitHub - REMnux docs: 280+ tools scraped from docs.remnux.org Master inventory merges all sources into 447 tools with help tiers (rich/standard/basic). Pipeline generates: tools.db (397 entries), 397 cheatsheets with multi-tool recipes, 15 workflow guides, 224 TLDR pages, and coverage reports. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 17:38:15 +01:00
parent 06ebb09ab0
commit f3ccc09c3d
663 changed files with 36339 additions and 1 deletions
@@ -0,0 +1,66 @@
+============================================================
+  Behavioral Analysis
+============================================================
+
+  Monitor runtime behavior in an isolated environment. Applicable to any executable or script on Linux (REMnux) or Windows.
+
+  Related FOR610 Labs: 1.2, 1.4, 1.6, 4.5
+
+────────────────────────────────────────────────────────────
+
+  Step 1: Environment Preparation
+  Revert to clean snapshot. Disconnect from production
+  network. Verify isolation (host-only networking). Set
+  max execution time (2-5 minutes).
+
+  Step 2: Network Interception Setup
+  Tools: fakedns, inetsim, fakenet-ng
+  Start fake DNS and service emulation so malware gets
+  responses. On REMnux: fakedns for DNS, INetSim or
+  FakeNet-NG for HTTP/HTTPS/SMTP/FTP.
+
+    $ fakedns
+    $ inetsim
+    $ fakenet
+
+  Step 3: Monitoring Setup
+  Tools: wireshark, tcpdump, strace
+  Start packet capture (wireshark or tcpdump). On Linux:
+  strace/ltrace for syscalls. Start filesystem
+  monitoring.
+
+    $ wireshark
+    $ tcpdump -i eth0 -w capture.pcap
+
+  Step 4: Emulation (Safe Alternative)
+  Tools: speakeasy, capa
+  Before live execution, try emulation: speakeasy
+  emulates Windows API calls on Linux safely. Use capa
+  -vv for capability overview.
+
+    $ speakeasy -t specimen.exe -o report.json 2> report.txt
+    $ capa specimen.exe
+
+  Step 5: Execute & Monitor
+  Run the sample with a timeout. Monitor for: new
+  processes spawned, files created/modified, network
+  connections, DNS queries. Kill after 2-5 minutes.
+
+  Step 6: Analyze Results
+  Tools: wireshark, procdot
+  Review network capture: follow TCP streams, extract
+  payloads, identify C2 patterns. Analyze process
+  activity logs. Map filesystem changes.
+
+    $ wireshark
+    $ procdot
+
+  Step 7: Extract IOCs
+  Document: contacted domains/IPs, created
+  files/registry keys, spawned processes, persistence
+  mechanisms. Classify behavior: downloader, backdoor,
+  ransomware, etc.
+
+────────────────────────────────────────────────────────────
+  Tip: 'fhelp cheat <tool>' for full examples
+       'Ctrl+G' for interactive cheatsheet browser