Add FOR610 tool/workflow knowledge base and data pipeline

Build comprehensive malware analysis knowledge base from 3 sources: - SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes - REMnux salt-states: 340 packages parsed from GitHub - REMnux docs: 280+ tools scraped from docs.remnux.org Master inventory merges all sources into 447 tools with help tiers (rich/standard/basic). Pipeline generates: tools.db (397 entries), 397 cheatsheets with multi-tool recipes, 15 workflow guides, 224 TLDR pages, and coverage reports. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 17:38:15 +01:00
parent 06ebb09ab0
commit f3ccc09c3d
663 changed files with 36339 additions and 1 deletions
@@ -0,0 +1,59 @@
+============================================================
+  Email & Phishing Analysis
+============================================================
+
+  Analyze suspicious email messages for phishing indicators, malicious attachments, and weaponized links.
+
+────────────────────────────────────────────────────────────
+
+  Step 1: Header Analysis
+  Tools: emldump-py, mail-parser
+  Parse SMTP headers: emldump.py <email.eml>. Check:
+  Received headers (delivery path), Return-Path vs From
+  (spoofing), SPF/DKIM results, X-Mailer.
+
+    $ emldump.py message.eml
+    $ python3 -c "import mailparser; mail = mailparser.parse_from_file('<email.eml>'); print(mail.subject)"
+
+  Step 2: Attachment Extraction
+  Tools: emldump-py, msg-extractor
+  Extract attachments: emldump.py <email.eml> -d. For
+  MSG format: msg-extractor <email.msg>. List all
+  attachments with types and sizes.
+
+    $ emldump.py message.eml
+    $ extract_msg <email.msg>
+
+  Step 3: Attachment Triage
+  Tools: file, trid, yara, sha256sum
+  For each attachment: identify type, compute hash, scan
+  with YARA. Route to appropriate workflow: Document
+  Analysis (Office/PDF), Static Analysis (PE),
+  JavaScript Deobfuscation (JS/HTML).
+
+    $ file specimen.exe
+    $ trid document.doc
+    $ yara-rules specimen.bin
+
+  Step 4: Link Analysis
+  Tools: unfurl
+  Extract all URLs from email body and headers. Use
+  Unfurl to decompose URLs (reveal tracking pixels,
+  redirect chains, encoded parameters).
+
+    $ unfurl parse <url>
+
+  Step 5: Payload Analysis
+  Analyze extracted attachments using the appropriate
+  workflow. Common patterns: Office doc with macro →
+  downloads PE, PDF with link → credential harvester,
+  HTML attachment → phishing page.
+
+  Step 6: Document IOCs
+  Record: sender address and IP, subject line,
+  attachment names and hashes, all URLs, C2/phishing
+  domains, email infrastructure (mail server names).
+
+────────────────────────────────────────────────────────────
+  Tip: 'fhelp cheat <tool>' for full examples
+       'Ctrl+G' for interactive cheatsheet browser