tobias f3ccc09c3d Add FOR610 tool/workflow knowledge base and data pipeline
Build comprehensive malware analysis knowledge base from 3 sources:
- SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes
- REMnux salt-states: 340 packages parsed from GitHub
- REMnux docs: 280+ tools scraped from docs.remnux.org

Master inventory merges all sources into 447 tools with help tiers
(rich/standard/basic). Pipeline generates: tools.db (397 entries),
397 cheatsheets with multi-tool recipes, 15 workflow guides, 224
TLDR pages, and coverage reports.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 17:38:15 +01:00

263 lines
9.8 KiB
YAML

# Manual enrichments for tools not covered by FOR610
# These provide usage examples and descriptions for Priority 1-2 tools
# Merged into tools-master.yaml by build-master-inventory.py
#
# Layout used below: every key under `enrichments` is a tool identifier
# written as a slug (e.g. the command cs-decrypt-metadata.py is keyed as
# cs-decrypt-metadata-py, so keys are not always the literal command name),
# and each entry carries three fields:
#   description    one-line summary of the tool
#   typical_usage  example command lines; <angle-bracket> tokens are
#                  placeholders for the reader to substitute, never literal paths
#   tags           short kebab-case labels
# Command strings stay double-quoted so that ':', '#' and embedded quotes
# inside them are not interpreted by the YAML parser.
# NOTE(review): how these fields combine with FOR610-derived data (override vs
# fill-in) is decided in build-master-inventory.py — confirm there before
# relying on a value here taking precedence.
enrichments:
  # === MEMORY FORENSICS ===
  volatility3:
    description: "Memory forensics framework — analyze RAM dumps to find malware, hidden processes, network connections, and injected code"
    typical_usage:
      - "vol3 -f <memory_dump> windows.info"
      - "vol3 -f <memory_dump> windows.pslist"
      - "vol3 -f <memory_dump> windows.pstree"
      - "vol3 -f <memory_dump> windows.netscan"
      - "vol3 -f <memory_dump> windows.malfind"
      - "vol3 -f <memory_dump> windows.dlllist --pid <PID>"
      - "vol3 -f <memory_dump> windows.dumpfiles --pid <PID>"
    tags: [memory, forensics, volatility, incident-response]
  # === NETWORK ===
  # fakenet-ng, mitmproxy and polarproxy answer or relay the sample's traffic on
  # the host that runs them; keep the analysis VM on an isolated network segment
  # while they are active so a live sample cannot reach real infrastructure.
  fakenet-ng:
    description: "Emulate network services (HTTP, DNS, SMTP, FTP) to intercept and analyze malware traffic dynamically"
    typical_usage:
      - "fakenet"
      - "fakenet -c custom_config.ini"
    tags: [network, emulation, dynamic-analysis, c2]
  mitmproxy:
    description: "Interactive HTTPS proxy for intercepting, inspecting, and modifying encrypted web traffic"
    # Transparent mode relies on OS-level redirection of the client's traffic
    # to the proxy (configured separately); the default mode expects the client
    # to be pointed at the proxy explicitly.
    typical_usage:
      - "mitmproxy"
      - "mitmdump -w capture.flow"
      - "mitmproxy --mode transparent"
    tags: [network, https, proxy, tls, interception]
  polarproxy:
    description: "Transparent TLS proxy that decrypts traffic and saves it as PCAP for analysis in Wireshark"
    typical_usage:
      - "PolarProxy -p 443,80 -w captured.pcap"
    tags: [network, tls, decryption, pcap]
  networkminer:
    description: "Passive network traffic analyzer — extracts files, images, credentials from PCAP captures"
    typical_usage:
      - "NetworkMiner --pcap <capture.pcap>"
    tags: [network, pcap, file-carving, passive]
  ngrep:
    description: "Search network traffic for patterns — like grep for packets"
    # -I reads a saved capture; -d captures live from the named interface.
    typical_usage:
      - "ngrep -I <capture.pcap> 'password'"
      - "ngrep -d eth0 'GET|POST' 'tcp port 80'"
    tags: [network, search, pattern-matching]
  tcpflow:
    description: "Extract and reassemble TCP streams from PCAP files into individual files"
    typical_usage:
      - "tcpflow -r <capture.pcap> -o output/"
    tags: [network, tcp, stream-extraction]
  tcpxtract:
    description: "Carve files from network traffic using file signatures"
    typical_usage:
      - "tcpxtract -f <capture.pcap> -o output/"
    tags: [network, file-carving, pcap]
  # === DYNAMIC ANALYSIS ===
  frida:
    description: "Dynamic instrumentation toolkit — hook and trace running processes, intercept function calls in real time"
    # -U targets a USB-attached device; omit it to work on local processes.
    typical_usage:
      - "frida -l hook.js <process_name>"
      - "frida-trace -i 'recv*' <process_name>"
      - "frida-ps -U"
    tags: [dynamic, instrumentation, hooking, tracing]
  qiling:
    description: "Multi-platform binary emulation framework — emulate PE, ELF, shellcode across OS/arch combinations"
    # The rootfs argument is a placeholder: qiling needs a root filesystem that
    # matches the sample's target OS/architecture.
    typical_usage:
      - "python3 -c \"from qiling import Qiling; ql = Qiling(['<sample>'], '/path/to/rootfs')\""
    tags: [emulation, multi-platform, binary-analysis]
  vivisect:
    description: "Binary analysis and emulation framework — static analysis with emulation capabilities"
    typical_usage:
      - "vivbin <sample>"
      - "python3 -c \"import vivisect; vw = vivisect.VivWorkspace(); vw.loadFromFile('<sample>')\""
    tags: [emulation, static-analysis, binary-analysis]
  # === ANDROID ===
  androguard:
    description: "Analyze Android APK files — extract permissions, activities, intents, and decompile DEX code"
    typical_usage:
      - "androguard analyze <app.apk>"
      - "androguard decompile -o output/ <app.apk>"
      - "androgui.py <app.apk>"
    tags: [android, apk, permissions, decompilation]
  apktool:
    description: "Decompile and recompile Android APK files — extract resources, smali code, and manifest"
    # The rebuilt APK from `apktool b` is unsigned; signing is a separate step.
    typical_usage:
      - "apktool d <app.apk> -o output/"
      - "apktool b output/ -o rebuilt.apk"
    tags: [android, apk, decompilation, resources]
  jadx:
    description: "Decompile Android DEX/APK to Java source code with a GUI or command line"
    typical_usage:
      - "jadx <app.apk> -d output/"
      - "jadx-gui <app.apk>"
    tags: [android, dex, java, decompilation]
  # === JAVA ===
  cfr:
    description: "Modern Java decompiler — handles Java 8+ features including lambdas and try-with-resources"
    typical_usage:
      - "cfr <file.jar> --outputdir output/"
      - "cfr <file.class>"
    tags: [java, decompilation, jar]
  jd-gui:
    description: "Visual Java decompiler with GUI — browse and search decompiled JAR/class files"
    typical_usage:
      - "jd-gui <file.jar>"
    tags: [java, decompilation, gui]
  # === PYTHON REVERSING ===
  uncompyle6:
    description: "Decompile Python bytecode (.pyc) back to source — supports Python 1.0 through 3.8"
    typical_usage:
      - "uncompyle6 <file.pyc>"
      - "uncompyle6 -o output/ <file.pyc>"
    tags: [python, decompilation, bytecode]
  pyinstxtractor-ng:
    description: "Extract contents of PyInstaller-generated executables without needing matching Python version"
    typical_usage:
      - "pyinstxtractor-ng <packed_exe>"
    tags: [python, pyinstaller, extraction]
  # === OFFICE ===
  xlmmacrodeobfuscator:
    description: "Deobfuscate Excel 4.0 (XLM) macros — these hide in hidden sheets and are hard to detect"
    typical_usage:
      - "xlmdeobfuscator --file <spreadsheet.xlsm>"
      - "xlmdeobfuscator --file <spreadsheet.xlsm> --no-indent"
    tags: [office, excel, xlm, macro, deobfuscation]
  pcode2code:
    description: "Decompile VBA p-code from Office documents — works even when VBA source is removed"
    typical_usage:
      - "pcode2code <document.docm>"
    tags: [office, vba, p-code, decompilation]
  msoffcrypto-tool:
    description: "Decrypt password-protected Microsoft Office documents (OLE and OOXML)"
    # -p takes the document's own password; 'infected' and 'password' below are
    # example values only (the former is the convention for shared samples).
    typical_usage:
      - "msoffcrypto-tool -p infected <encrypted.docx> <decrypted.docx>"
      - "msoffcrypto-tool -p password <encrypted.xlsx> <decrypted.xlsx>"
    tags: [office, decryption, password]
  # === DEOBFUSCATION ===
  xortool:
    description: "Analyze XOR-encoded data — guess key length and probable key bytes"
    typical_usage:
      - "xortool <encoded_file>"
      - "xortool-xor -s 'key' -i <input> -o <output>"
    tags: [xor, deobfuscation, key-recovery]
  malchive:
    description: "Multi-purpose malware analysis library — config extraction, deobfuscation, and static analysis"
    typical_usage:
      - "malchive <sample>"
    tags: [malware, config-extraction, deobfuscation]
  dc3-mwcp:
    description: "DC3 Malware Configuration Parser — extract C2 configs from known malware families"
    typical_usage:
      - "mwcp parse <sample>"
      - "mwcp parse -p Emotet <sample>"
    tags: [malware, config-extraction, c2]
  # === SHELLCODE ===
  shcode2exe:
    description: "Convert raw shellcode to a Windows PE executable for analysis in disassemblers"
    # The produced PE is live, runnable malicious code — keep it inside the
    # sandbox and treat it like the original sample.
    typical_usage:
      - "shcode2exe <shellcode.bin> <output.exe>"
    tags: [shellcode, conversion, pe]
  # === COBALT STRIKE ===
  cs-decrypt-metadata-py:
    description: "Decrypt Cobalt Strike beacon metadata from network captures"
    typical_usage:
      - "cs-decrypt-metadata.py <metadata_hex>"
    tags: [cobalt-strike, decryption, metadata]
  cs-extract-key-py:
    description: "Extract AES and HMAC encryption keys from Cobalt Strike beacon process memory dumps"
    typical_usage:
      - "cs-extract-key.py -f <process_dump>"
    tags: [cobalt-strike, encryption, key-extraction]
  cs-parse-traffic-py:
    description: "Decrypt and parse Cobalt Strike beacon network traffic using extracted keys"
    typical_usage:
      - "cs-parse-traffic.py -f <capture.pcap> -k <keys_file>"
    tags: [cobalt-strike, traffic, decryption]
  cs-analyze-processdump-py:
    description: "Analyze Cobalt Strike beacon process dumps for sleep mask encoding"
    typical_usage:
      - "cs-analyze-processdump.py <process_dump>"
    tags: [cobalt-strike, sleep-mask, memory]
  malwoverview:
    description: "Query VirusTotal, Hybrid Analysis, and MalwareBazaar for malware intelligence"
    # OPSEC: these lookups send hashes — and, depending on the option chosen,
    # possibly the sample itself — to third-party services, and the tool needs
    # API keys for them. Check which options upload before using it on material
    # that must not leave the organisation.
    typical_usage:
      - "malwoverview -v <hash>"
      - "malwoverview -f <sample>"
    tags: [threat-intel, virustotal, malware-bazaar]
  ioc-parser:
    description: "Extract indicators of compromise (IOCs) from PDF reports and text files"
    typical_usage:
      - "ioc_parser <report.pdf>"
    tags: [ioc, extraction, threat-intel]
  # === EMAIL ===
  mail-parser:
    description: "Parse raw SMTP email messages and extract headers, body, and attachments"
    typical_usage:
      - "python3 -c \"import mailparser; mail = mailparser.parse_from_file('<email.eml>'); print(mail.subject)\""
    tags: [email, parsing, attachments]
  msg-extractor:
    description: "Extract emails and attachments from Microsoft Outlook MSG files"
    # Extracted attachments may themselves be malicious; handle them as samples.
    typical_usage:
      - "extract_msg <email.msg>"
      - "extract_msg --out-dir output/ <email.msg>"
    tags: [email, msg, outlook, attachments]
  # === DATA ANALYSIS ===
  ssdeep:
    description: "Compute fuzzy hashes (CTPH) for finding similar files — useful for malware variant clustering"
    # -m matches against a saved list of known hashes; -d reports matches among
    # the given inputs.
    typical_usage:
      - "ssdeep <sample>"
      - "ssdeep -m <known.ssdeep> <sample>"
      - "ssdeep -d <sample1> <sample2>"
    tags: [hashing, fuzzy, similarity, clustering]
  clamav:
    description: "Open-source antivirus — scan files for known malware signatures"
    # freshclam refreshes the signature database and needs outbound network
    # access, which an isolated analysis VM may not have.
    typical_usage:
      - "clamscan <sample>"
      - "clamscan -r <directory>/"
      - "freshclam"
    tags: [antivirus, scanning, signatures]
  unfurl:
    description: "Deconstruct and decode URLs — reveal tracking parameters, encoded data, and redirect chains"
    typical_usage:
      - "unfurl parse <url>"
    tags: [url, decoding, phishing, tracking]