Initial access
  Initial foothold of the actor. Examples:
    Web (Layer 7: Application)
    Software bugs / 0-day
    Hardware issues: Spectre, Meltdown
    Policy issues: dropped malware, Rubber Ducky
    User issues
  How is it downloaded, started or executed?
    Where does it come from?
    How did it get there (the file path)?
    Which parent process / dropper executes it?
    How does it execute? By user action or by process trigger?
Anti-forensic detection
  Anti-debugging
  Anti-VM
  Anti-disassembly
  AV/EDR evasion
    Packer
    Cryptor
  Sandbox evasion
Basic, automated and dynamic analysis results:
  Basic analysis
    strings
    Multi-AV result
    ssdeep (comparing variants)
    PE analysis (mismatched names, character encoding)
  Dynamic analysis
    Process
    File system
    Network
    Registry
  Sandbox analysis result
    Static analysis
    Dynamic analysis
What are we looking for?
  IOCs
    Commands
    Dropped files
    Domains / IPs
    Registry keys modified / added / deleted
  Tactics, techniques and procedures
    Encryption/decryption routines
    Folder and file access
  Malware features
    Hardcoded values / strings
    Common WinAPI calls used for malicious actions
    Shellcode
    Encrypted content
What are the malware's features?
  Downloader
  Launcher
  Backdoor
  Reverse shell
  RAT
  Botnet
  Credential stealer
  Keylogger
  Mimikatz
  Hash / ticket stealer
  File encryption
  Command and control
  Propagation
  Exploit
  Process manipulation
  Process injection
  Bypass UAC
  Evade AV
  Anti-forensic
What is the behavioural meaning of the findings?
  Does the domain really serve as command and control?
  Why does it encrypt a certain part?
  Does it have a persistence mechanism?
    Registry key
    Scheduled tasks
    Startup folder
    Winlogon registry entries
    Image File Execution Options
    Accessibility programs
    WMI persistence
    AppInit_DLLs
    DLL search order hijacking
    Service
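To actually check the persistence locations in this list on a suspect host, here is an added PowerShell triage script (my own, not part of the checklist) that dumps each of them so the output can be diffed against a clean baseline of the analysis VM. It assumes an elevated session on Windows 8 / Server 2012 or later (for Get-ScheduledTask) and leaves out DLL search order hijacking, which needs per-binary import checks rather than a fixed location.

```powershell
# Added triage script, not part of the original checklist: dump the Windows persistence
# locations listed above so they can be diffed against a clean baseline of the analysis VM.
# Assumes an elevated PowerShell 5.1+ session; the registry paths are the standard Windows ones.
$ErrorActionPreference = 'SilentlyContinue'

function Show-RegValues([string]$Path) {
    # Print every value under an autostart key (PS* are PowerShell's own provider properties).
    $props = Get-ItemProperty -Path $Path
    if ($props) {
        $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { "  $Path : $($_.Name) = $($_.Value)" }
    }
}
'== Run / RunOnce keys (HKLM and HKCU) =='
foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($key in 'Run', 'RunOnce') { Show-RegValues "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\$key" }
}
'== Winlogon: Shell should be explorer.exe, Userinit should be userinit.exe =='
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
"  Shell = $($wl.Shell)"; "  Userinit = $($wl.Userinit)"
'== Image File Execution Options with a Debugger value (registry variant of sethc/utilman hijacks) =='
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options' |
    ForEach-Object {
        $dbg = (Get-ItemProperty $_.PSPath).Debugger
        if ($dbg) { "  $($_.PSChildName) -> $dbg" }
    }
'== AppInit_DLLs =='
$ai = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
"  AppInit_DLLs = $($ai.AppInit_DLLs)  LoadAppInit_DLLs = $($ai.LoadAppInit_DLLs)"
'== Startup folders =='
foreach ($dir in "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup", "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp") {
    Get-ChildItem -Force $dir | ForEach-Object { "  $($_.LastWriteTime)  $($_.FullName)" }
}
'== Scheduled tasks outside \Microsoft\ =='
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    foreach ($a in $_.Actions) { "  $($_.TaskPath)$($_.TaskName): $($a.Execute) $($a.Arguments)" }
}
'== WMI event subscriptions in root\subscription (filter, consumer, binding) =='
Get-CimInstance -Namespace root\subscription -ClassName __EventFilter |
    ForEach-Object { "  Filter   $($_.Name): $($_.Query)" }
Get-CimInstance -Namespace root\subscription -ClassName __EventConsumer |
    ForEach-Object { "  Consumer $($_.Name): $($_.CommandLineTemplate)$($_.ScriptText)" }
Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding |
    ForEach-Object { "  Binding  $($_.Filter) -> $($_.Consumer)" }
'== Services whose binary lives outside %SystemRoot% =='
Get-CimInstance Win32_Service | Where-Object { $_.PathName -notlike "*$env:SystemRoot*" } |
    ForEach-Object { "  $($_.Name) [$($_.StartMode)] $($_.PathName)" }
```

Run it once on the clean snapshot and once after detonation; any new Run value, Debugger entry, non-Microsoft task, WMI binding or out-of-tree service in the diff is a persistence candidate to investigate.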
  Does the malware perform privilege escalation?
  Lateral movement
  Processes invoked