Add FOR610 tool/workflow knowledge base and data pipeline

Build comprehensive malware analysis knowledge base from 3 sources:
- SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes
- REMnux salt-states: 340 packages parsed from GitHub
- REMnux docs: 280+ tools scraped from docs.remnux.org

Master inventory merges all sources into 447 tools with help tiers
(rich/standard/basic). Pipeline generates: tools.db (397 entries),
397 cheatsheets with multi-tool recipes, 15 workflow guides, 224
TLDR pages, and coverage reports.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
tobias
2026-03-28 17:38:15 +01:00
parent 06ebb09ab0
commit f3ccc09c3d
663 changed files with 36339 additions and 1 deletions
@@ -0,0 +1,553 @@
{
"workflows": [
{
"id": "static-analysis-workflow",
"name": "Static Properties Analysis",
"description": "Systematic static examination of a suspicious executable without running it",
"steps": [
{
"order": 1,
"name": "File Identification",
"tools": [
"file",
"trid",
"exiftool"
],
"description": "Determine file type, format, and metadata"
},
{
"order": 2,
"name": "Packing & Entropy Check",
"tools": [
"diec",
"pestudio",
"peframe"
],
"description": "Check for packing indicators, high entropy, and suspicious section names"
},
{
"order": 3,
"name": "String Extraction",
"tools": [
"pestr",
"strings",
"floss"
],
"description": "Extract readable strings; use FLOSS for obfuscated strings"
},
{
"order": 4,
"name": "Import & Capability Analysis",
"tools": [
"pestudio",
"peframe",
"capa"
],
"description": "Examine imported APIs, detect capabilities via MITRE ATT&CK mapping"
},
{
"order": 5,
"name": "Disassembly & Decompilation",
"tools": [
"ghidra"
],
"description": "Static code analysis \u2014 function graphs, cross-references, decompiler output"
}
],
"related_labs": [
"1.1",
"2.1",
"4.1"
],
"tags": [
"static",
"triage",
"pe-analysis"
]
},
{
"id": "behavioral-analysis-workflow",
"name": "Behavioral Analysis",
"description": "Monitor malware runtime behavior in a controlled environment",
"steps": [
{
"order": 1,
"name": "Environment Preparation",
"tools": [],
"description": "Revert to clean VM snapshot, prepare monitoring tools"
},
{
"order": 2,
"name": "Baseline Snapshot",
"tools": [
"regshot"
],
"description": "Capture registry and filesystem state before infection"
},
{
"order": 3,
"name": "Launch Monitoring",
"tools": [
"system-informer",
"process-monitor",
"wireshark"
],
"description": "Start process, filesystem, registry, and network monitoring"
},
{
"order": 4,
"name": "Execute Malware",
"tools": [],
"description": "Run specimen and allow it to execute for 1-2 minutes"
},
{
"order": 5,
"name": "Capture Comparison",
"tools": [
"regshot"
],
"description": "Compare post-infection state with baseline"
},
{
"order": 6,
"name": "Log Analysis",
"tools": [
"procdot",
"wireshark"
],
"description": "Analyze Process Monitor logs with ProcDOT, examine network traffic in Wireshark"
}
],
"related_labs": [
"1.2",
"1.6",
"4.5"
],
"tags": [
"behavioral",
"monitoring",
"dynamic-analysis"
]
},
{
"id": "network-interception-workflow",
"name": "Network Interception",
"description": "Redirect and analyze malware network traffic in an isolated lab",
"steps": [
{
"order": 1,
"name": "DNS Spoofing",
"tools": [
"fakedns"
],
"description": "Start fake DNS server to redirect all queries to REMnux"
},
{
"order": 2,
"name": "Service Emulation",
"tools": [
"httpd",
"inetsim"
],
"description": "Start web server or INetSim to respond to malware requests"
},
{
"order": 3,
"name": "Traffic Capture",
"tools": [
"wireshark"
],
"description": "Start packet capture on analysis interface"
},
{
"order": 4,
"name": "Execute & Observe",
"tools": [
"system-informer"
],
"description": "Run malware and monitor process behavior"
},
{
"order": 5,
"name": "Protocol Analysis",
"tools": [
"wireshark"
],
"description": "Follow TCP streams, analyze HTTP requests, extract payloads"
},
{
"order": 6,
"name": "IP-Based Redirection (if needed)",
"tools": [
"iptables"
],
"description": "Use iptables NAT rules for direct IP-based C2 traffic"
}
],
"related_labs": [
"1.3",
"1.7",
"1.8"
],
"tags": [
"network",
"interception",
"c2-analysis"
]
},
{
"id": "document-analysis-workflow",
"name": "Malicious Document Analysis",
"description": "Analyze Office documents, RTF files, and PDFs for embedded malware",
"steps": [
{
"order": 1,
"name": "Format Identification",
"tools": [
"file",
"trid"
],
"description": "Identify document format (OLE2, OOXML, RTF, PDF)"
},
{
"order": 2,
"name": "Structure Extraction",
"tools": [
"oledump-py",
"rtfdump-py",
"pdfid-py",
"pdf-parser-py"
],
"description": "Parse document structure \u2014 streams, objects, groups"
},
{
"order": 3,
"name": "Macro/Script Extraction",
"tools": [
"oledump-py",
"olevba"
],
"description": "Extract VBA macros, identify macro streams (M indicator)"
},
{
"order": 4,
"name": "Payload Decoding",
"tools": [
"base64dump-py",
"translate-py",
"gunzip",
"numbers-to-string-py"
],
"description": "Decode embedded payloads \u2014 Base64, XOR, gzip chains"
},
{
"order": 5,
"name": "Shellcode Analysis",
"tools": [
"scdbgc",
"xorsearch",
"yara",
"1768-py"
],
"description": "Emulate shellcode, scan for patterns, check for Cobalt Strike"
}
],
"related_labs": [
"3.1",
"3.3",
"3.4",
"3.5"
],
"tags": [
"documents",
"office",
"pdf",
"rtf",
"macro"
]
},
{
"id": "javascript-deobfuscation-workflow",
"name": "JavaScript Deobfuscation",
"description": "Deobfuscate and analyze malicious JavaScript",
"steps": [
{
"order": 1,
"name": "Beautification",
"tools": [
"js-beautify"
],
"description": "Format compressed/minified JavaScript for readability"
},
{
"order": 2,
"name": "Static Review",
"tools": [
"visual-studio-code"
],
"description": "Identify eval() calls, string concatenation, and encoding patterns"
},
{
"order": 3,
"name": "SpiderMonkey Execution",
"tools": [
"spidermonkey"
],
"description": "Execute with objects.js to simulate ActiveXObject and other APIs"
},
{
"order": 4,
"name": "Environment Customization",
"tools": [
"visual-studio-code"
],
"description": "Edit objects.js to set location.href and other expected variables"
},
{
"order": 5,
"name": "AMSI Monitoring (Windows)",
"tools": [
"logman",
"cscript",
"amsiscriptcontentretrieval"
],
"description": "Enable AMSI tracing, execute with CScript, extract monitored content"
}
],
"related_labs": [
"3.6",
"3.7"
],
"tags": [
"javascript",
"deobfuscation",
"spidermonkey",
"amsi"
]
},
{
"id": "unpacking-workflow",
"name": "Unpacking Packed Executables",
"description": "Unpack compressed/encrypted executables and reconstruct valid PE files",
"steps": [
{
"order": 1,
"name": "Packing Identification",
"tools": [
"pestudio",
"diec",
"peframe"
],
"description": "Detect packer via entropy, sections, and signature matching"
},
{
"order": 2,
"name": "Automated Unpacking Attempt",
"tools": [
"upx"
],
"description": "Try automated unpacker if packer is recognized"
},
{
"order": 3,
"name": "Debugger-Based Unpacking",
"tools": [
"x64dbg",
"x32dbg"
],
"description": "Set breakpoints at unpacker tail jump or API calls (VirtualAlloc, VirtualProtect)"
},
{
"order": 4,
"name": "Anti-Anti-Debugging",
"tools": [
"scyllahide"
],
"description": "Enable debugger hiding if malware has anti-debugging"
},
{
"order": 5,
"name": "Memory Dumping",
"tools": [
"ollydumpex",
"scylla"
],
"description": "Dump unpacked process from memory at OEP"
},
{
"order": 6,
"name": "IAT Reconstruction",
"tools": [
"scylla"
],
"description": "Fix import address table in dumped executable"
},
{
"order": 7,
"name": "PE Fixup (if needed)",
"tools": [
"pe-unmapper"
],
"description": "Convert virtual alignment to raw alignment"
},
{
"order": 8,
"name": "Verification",
"tools": [
"pestudio",
"strings"
],
"description": "Verify unpacked file has readable strings and valid imports"
}
],
"related_labs": [
"4.1",
"4.2",
"4.3",
"5.3",
"5.8",
"5.10"
],
"tags": [
"unpacking",
"packing",
"iat",
"memory-dump"
]
},
{
"id": "code-injection-workflow",
"name": "Code Injection Analysis",
"description": "Identify and analyze code injection techniques",
"steps": [
{
"order": 1,
"name": "Capability Detection",
"tools": [
"capa"
],
"description": "Identify injection capabilities via MITRE ATT&CK mapping"
},
{
"order": 2,
"name": "API Identification",
"tools": [
"ghidra"
],
"description": "Locate CreateRemoteThread, VirtualAllocEx, WriteProcessMemory, NtUnmapViewOfSection"
},
{
"order": 3,
"name": "Target Process Analysis",
"tools": [
"ghidra"
],
"description": "Identify target process via OpenProcess, CreateToolhelp32Snapshot"
},
{
"order": 4,
"name": "Injection Verification",
"tools": [
"x32dbg"
],
"description": "Set breakpoint on WriteProcessMemory to capture injected code"
},
{
"order": 5,
"name": "Payload Extraction",
"tools": [
"x32dbg",
"pestudio"
],
"description": "Dump injected PE from memory and verify"
}
],
"related_labs": [
"4.9",
"5.4"
],
"tags": [
"code-injection",
"process-hollowing",
"api-analysis"
]
},
{
"id": "dotnet-analysis-workflow",
"name": ".NET Malware Analysis",
"description": "Analyze .NET malware using decompilation, debugging, and deobfuscation",
"steps": [
{
"order": 1,
"name": "Identification",
"tools": [
"pestudio",
"peframe",
"exeinfo-pe"
],
"description": "Confirm .NET binary and check for obfuscation indicators"
},
{
"order": 2,
"name": "Static Decompilation",
"tools": [
"ilspycmd",
"ilspy"
],
"description": "Decompile to view C#/VB.NET source code"
},
{
"order": 3,
"name": "Reflective Loading Detection",
"tools": [
"visual-studio-code"
],
"description": "Search for Assembly.Load, CompileAssemblyFromSource patterns"
},
{
"order": 4,
"name": "Dynamic Debugging",
"tools": [
"dnspyex"
],
"description": "Set breakpoints on Assembly.Load to capture in-memory assemblies"
},
{
"order": 5,
"name": "Payload Extraction",
"tools": [
"dnspyex"
],
"description": "Save byte arrays from Locals window"
},
{
"order": 6,
"name": "Deobfuscation",
"tools": [
"de4dot"
],
"description": "Remove .NET obfuscation from extracted assemblies"
},
{
"order": 7,
"name": "Final Analysis",
"tools": [
"ilspy",
"pestudio"
],
"description": "Decompile and examine clean assembly"
}
],
"related_labs": [
"3.12",
"4.8"
],
"tags": [
"dotnet",
"decompilation",
"deobfuscation",
"reflective-loading"
]
}
]
}
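Review bot: Every `tools` entry in this file is a free-form slug (`"system-informer"`, `"pe-unmapper"`, `"amsiscriptcontentretrieval"`, `"1768-py"`), and nothing in the hunk ties those slugs to the tool inventory the commit message describes, so a misspelt or later-renamed slug would silently yield a workflow step that resolves to no cheatsheet; the same holds for `related_labs` values such as `"5.10"`. If the generator is not already doing so (it is not in this hunk), have the pipeline validate each `tools[]` slug against the inventory ids and each `related_labs` entry against the lab list, and fail the build on dangling references rather than emitting a broken guide. The `order` field also duplicates each step's array position (the static-analysis-workflow steps run 1–5 in array order, as do all the others), which will drift the first time a step is inserted or reordered by hand; either drop it and derive order from position, or have the same validation assert `order == index + 1` per workflow. The hunk is the whole new file, so no enclosing context is cut off.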