{ "workflows": [ { "id": "static-analysis-workflow", "name": "Static Properties Analysis", "description": "Systematic static examination of a suspicious executable without running it", "steps": [ { "order": 1, "name": "File Identification", "tools": [ "file", "trid", "exiftool" ], "description": "Determine file type, format, and metadata" }, { "order": 2, "name": "Packing & Entropy Check", "tools": [ "diec", "pestudio", "peframe" ], "description": "Check for packing indicators, high entropy, and suspicious section names" }, { "order": 3, "name": "String Extraction", "tools": [ "pestr", "strings", "floss" ], "description": "Extract readable strings; use FLOSS for obfuscated strings" }, { "order": 4, "name": "Import & Capability Analysis", "tools": [ "pestudio", "peframe", "capa" ], "description": "Examine imported APIs, detect capabilities via MITRE ATT&CK mapping" }, { "order": 5, "name": "Disassembly & Decompilation", "tools": [ "ghidra" ], "description": "Static code analysis \u2014 function graphs, cross-references, decompiler output" } ], "related_labs": [ "1.1", "2.1", "4.1" ], "tags": [ "static", "triage", "pe-analysis" ] }, { "id": "behavioral-analysis-workflow", "name": "Behavioral Analysis", "description": "Monitor malware runtime behavior in a controlled environment", "steps": [ { "order": 1, "name": "Environment Preparation", "tools": [], "description": "Revert to clean VM snapshot, confirm the VM network is isolated from production (host-only/internal lab network) before any execution, and prepare monitoring tools" }, { "order": 2, "name": "Baseline Snapshot", "tools": [ "regshot" ], "description": "Capture registry and filesystem state before infection" }, { "order": 3, "name": "Launch Monitoring", "tools": [ "system-informer", "process-monitor", "wireshark" ], "description": "Start process, filesystem, registry, and network monitoring" }, { "order": 4, "name": "Execute Malware", "tools": [], "description": "Run specimen and allow it to execute for 1-2 minutes" }, { "order": 5, "name": "Capture Comparison", "tools": [ "regshot" ], "description": "Compare 
post-infection state with baseline" }, { "order": 6, "name": "Log Analysis", "tools": [ "procdot", "wireshark" ], "description": "Analyze Process Monitor logs with ProcDOT, examine network traffic in Wireshark" } ], "related_labs": [ "1.2", "1.6", "4.5" ], "tags": [ "behavioral", "monitoring", "dynamic-analysis" ] }, { "id": "network-interception-workflow", "name": "Network Interception", "description": "Redirect and analyze malware network traffic in an isolated lab", "steps": [ { "order": 1, "name": "DNS Spoofing", "tools": [ "fakedns" ], "description": "Start fake DNS server to redirect all queries to REMnux" }, { "order": 2, "name": "Service Emulation", "tools": [ "httpd", "inetsim" ], "description": "Start web server or INetSim to respond to malware requests" }, { "order": 3, "name": "Traffic Capture", "tools": [ "wireshark" ], "description": "Start packet capture on analysis interface" }, { "order": 4, "name": "Execute & Observe", "tools": [ "system-informer" ], "description": "Run malware and monitor process behavior" }, { "order": 5, "name": "Protocol Analysis", "tools": [ "wireshark" ], "description": "Follow TCP streams, analyze HTTP requests, extract payloads" }, { "order": 6, "name": "IP-Based Redirection (if needed)", "tools": [ "iptables" ], "description": "Use iptables NAT rules for direct IP-based C2 traffic" } ], "related_labs": [ "1.3", "1.7", "1.8" ], "tags": [ "network", "interception", "c2-analysis" ] }, { "id": "document-analysis-workflow", "name": "Malicious Document Analysis", "description": "Analyze Office documents, RTF files, and PDFs for embedded malware", "steps": [ { "order": 1, "name": "Format Identification", "tools": [ "file", "trid" ], "description": "Identify document format (OLE2, OOXML, RTF, PDF)" }, { "order": 2, "name": "Structure Extraction", "tools": [ "oledump-py", "rtfdump-py", "pdfid-py", "pdf-parser-py" ], "description": "Parse document structure \u2014 streams, objects, groups" }, { "order": 3, "name": "Macro/Script 
Extraction", "tools": [ "oledump-py", "olevba" ], "description": "Extract VBA macros, identify macro streams (M indicator)" }, { "order": 4, "name": "Payload Decoding", "tools": [ "base64dump-py", "translate-py", "gunzip", "numbers-to-string-py" ], "description": "Decode embedded payloads \u2014 Base64, XOR, gzip chains" }, { "order": 5, "name": "Shellcode Analysis", "tools": [ "scdbgc", "xorsearch", "yara", "1768-py" ], "description": "Emulate shellcode, scan for patterns, check for Cobalt Strike" } ], "related_labs": [ "3.1", "3.3", "3.4", "3.5" ], "tags": [ "documents", "office", "pdf", "rtf", "macro" ] }, { "id": "javascript-deobfuscation-workflow", "name": "JavaScript Deobfuscation", "description": "Deobfuscate and analyze malicious JavaScript", "steps": [ { "order": 1, "name": "Beautification", "tools": [ "js-beautify" ], "description": "Format compressed/minified JavaScript for readability" }, { "order": 2, "name": "Static Review", "tools": [ "visual-studio-code" ], "description": "Identify eval() calls, string concatenation, and encoding patterns" }, { "order": 3, "name": "SpiderMonkey Execution", "tools": [ "spidermonkey" ], "description": "Execute with objects.js to simulate ActiveXObject and other APIs" }, { "order": 4, "name": "Environment Customization", "tools": [ "visual-studio-code" ], "description": "Edit objects.js to set location.href and other expected variables" }, { "order": 5, "name": "AMSI Monitoring (Windows)", "tools": [ "logman", "cscript", "amsiscriptcontentretrieval" ], "description": "Enable AMSI tracing, execute with CScript (this runs the malicious script for real, so do it only inside the isolated analysis VM), extract monitored content" } ], "related_labs": [ "3.6", "3.7" ], "tags": [ "javascript", "deobfuscation", "spidermonkey", "amsi" ] }, { "id": "unpacking-workflow", "name": "Unpacking Packed Executables", "description": "Unpack compressed/encrypted executables and reconstruct valid PE files", "steps": [ { "order": 1, "name": "Packing Identification", "tools": [ "pestudio", "diec", "peframe" ], "description": 
"Detect packer via entropy, sections, and signature matching" }, { "order": 2, "name": "Automated Unpacking Attempt", "tools": [ "upx" ], "description": "Try automated unpacker if packer is recognized" }, { "order": 3, "name": "Debugger-Based Unpacking", "tools": [ "x64dbg", "x32dbg" ], "description": "Set breakpoints at unpacker tail jump or API calls (VirtualAlloc, VirtualProtect)" }, { "order": 4, "name": "Anti-Anti-Debugging", "tools": [ "scyllahide" ], "description": "Enable debugger hiding if malware has anti-debugging" }, { "order": 5, "name": "Memory Dumping", "tools": [ "ollydumpex", "scylla" ], "description": "Dump unpacked process from memory at OEP" }, { "order": 6, "name": "IAT Reconstruction", "tools": [ "scylla" ], "description": "Fix import address table in dumped executable" }, { "order": 7, "name": "PE Fixup (if needed)", "tools": [ "pe-unmapper" ], "description": "Convert virtual alignment to raw alignment" }, { "order": 8, "name": "Verification", "tools": [ "pestudio", "strings" ], "description": "Verify unpacked file has readable strings and valid imports" } ], "related_labs": [ "4.1", "4.2", "4.3", "5.3", "5.8", "5.10" ], "tags": [ "unpacking", "packing", "iat", "memory-dump" ] }, { "id": "code-injection-workflow", "name": "Code Injection Analysis", "description": "Identify and analyze code injection techniques", "steps": [ { "order": 1, "name": "Capability Detection", "tools": [ "capa" ], "description": "Identify injection capabilities via MITRE ATT&CK mapping" }, { "order": 2, "name": "API Identification", "tools": [ "ghidra" ], "description": "Locate CreateRemoteThread, VirtualAllocEx, WriteProcessMemory, NtUnmapViewOfSection" }, { "order": 3, "name": "Target Process Analysis", "tools": [ "ghidra" ], "description": "Identify target process via OpenProcess, CreateToolhelp32Snapshot" }, { "order": 4, "name": "Injection Verification", "tools": [ "x32dbg" ], "description": "Set breakpoint on WriteProcessMemory to capture injected code" }, { 
"order": 5, "name": "Payload Extraction", "tools": [ "x32dbg", "pestudio" ], "description": "Dump injected PE from memory and verify" } ], "related_labs": [ "4.9", "5.4" ], "tags": [ "code-injection", "process-hollowing", "api-analysis" ] }, { "id": "dotnet-analysis-workflow", "name": ".NET Malware Analysis", "description": "Analyze .NET malware using decompilation, debugging, and deobfuscation", "steps": [ { "order": 1, "name": "Identification", "tools": [ "pestudio", "peframe", "exeinfo-pe" ], "description": "Confirm .NET binary and check for obfuscation indicators" }, { "order": 2, "name": "Static Decompilation", "tools": [ "ilspycmd", "ilspy" ], "description": "Decompile to view C#/VB.NET source code" }, { "order": 3, "name": "Reflective Loading Detection", "tools": [ "visual-studio-code" ], "description": "Search for Assembly.Load, CompileAssemblyFromSource patterns" }, { "order": 4, "name": "Dynamic Debugging", "tools": [ "dnspyex" ], "description": "Set breakpoints on Assembly.Load to capture in-memory assemblies" }, { "order": 5, "name": "Payload Extraction", "tools": [ "dnspyex" ], "description": "Save byte arrays from Locals window" }, { "order": 6, "name": "Deobfuscation", "tools": [ "de4dot" ], "description": "Remove .NET obfuscation from extracted assemblies" }, { "order": 7, "name": "Final Analysis", "tools": [ "ilspy", "pestudio" ], "description": "Decompile and examine clean assembly" } ], "related_labs": [ "3.12", "4.8" ], "tags": [ "dotnet", "decompilation", "deobfuscation", "reflective-loading" ] } ] }