Add FOR610 tool/workflow knowledge base and data pipeline

Build comprehensive malware analysis knowledge base from 3 sources: - SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes - REMnux salt-states: 340 packages parsed from GitHub - REMnux docs: 280+ tools scraped from docs.remnux.org Master inventory merges all sources into 447 tools with help tiers (rich/standard/basic). Pipeline generates: tools.db (397 entries), 397 cheatsheets with multi-tool recipes, 15 workflow guides, 224 TLDR pages, and coverage reports. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 17:38:15 +01:00
parent 06ebb09ab0
commit f3ccc09c3d
663 changed files with 36339 additions and 1 deletions
@@ -0,0 +1,88 @@
+============================================================
+  Static Properties Analysis
+============================================================
+
+  Systematic static examination of a suspicious file without executing it. Works for PE, ELF, .NET, scripts, and documents.
+
+  Related FOR610 Labs: 1.1, 2.1, 4.1
+
+────────────────────────────────────────────────────────────
+
+  Step 1: File Identification & Hashing
+  Tools: file, trid, exiftool, sha256sum
+  Determine file type using magic bytes. Compute hashes
+  (MD5, SHA256) for lookup and documentation. Record
+  file size and timestamps.
+
+    $ file specimen.exe
+    $ trid document.doc
+    $ exiftool document.pdf
+
+  Step 2: Reputation Check
+  Tools: malwoverview, virustotal-search
+  Look up hash on VirusTotal/MalwareBazaar. If known
+  malware, note family name and detection rate. If clean
+  or unknown, continue analysis.
+
+    $ malwoverview -v <hash>
+
+  Step 3: Packing & Entropy Check
+  Tools: diec, peframe
+  Check for packing indicators and high entropy
+  sections. Look for: unusual section names, small
+  import table, high entropy (>7.0). If packed, consider
+  the Unpacking Workflow.
+
+    $ diec specimen.exe
+    $ peframe specimen.exe
+
+  Step 4: String Extraction
+  Tools: strings, floss, pestr
+  Extract readable strings. Use FLOSS for
+  obfuscated/stack strings. Look for: URLs, IPs,
+  domains, registry keys, file paths, error messages,
+  API names.
+
+    $ strings binary.exe
+    $ floss specimen.exe
+    $ pestr specimen.exe
+
+  Step 5: Capability Detection
+  Tools: capa, yara
+  Identify capabilities mapped to MITRE ATT&CK. Scan
+  with YARA rules for known malware families. Look for:
+  persistence, C2, evasion, lateral movement
+  capabilities.
+
+    $ capa specimen.exe
+    $ yara-rules specimen.bin
+
+  Step 6: Import & Export Analysis
+  Tools: peframe, capa
+  Examine imported DLLs and functions. Map imports to
+  behavior categories: networking (ws2_32), crypto
+  (advapi32), process manipulation (kernel32). Check
+  exports for DLL functionality.
+
+    $ peframe specimen.exe
+    $ capa specimen.exe
+
+  Step 7: Disassembly (if needed)
+  Tools: ghidra, cutter, radare2
+  Load into disassembler for code-level analysis. Start
+  at entry point, trace key functions. Use decompiler
+  for C-like view.
+
+    $ ghidra
+    $ cutter specimen.exe
+    $ r2 specimen.exe
+
+  Step 8: Document Findings
+  Record IOCs: hashes, IPs, domains, file paths,
+  registry keys, mutexes. Classify: malware family,
+  capabilities, confidence level. Decide: continue to
+  behavioral analysis?
+
+────────────────────────────────────────────────────────────
+  Tip: 'fhelp cheat <tool>' for full examples
+       'Ctrl+G' for interactive cheatsheet browser