PersistenceSniper is a Powershell module that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines.

🔗https://github.com/last-byte/PersistenceSniper

#tools #sniper
تیم سورین

👾PE-bear
PE-bear is a multiplatform reversing tool for PE files. Its objective is to deliver fast and flexible “first view” for malware analysts, stable and capable to handle malformed PE files.

🔗https://github.com/hasherezade/pe-bear

#malware
تیم سورین

👩🏼‍💻🕵🏻‍♀️Windows Securiy Internal With PowerSell

#windows #powershell
تیم سورین

📚Linux Privilege Escalation

#linux
تیم سورین

در زمینه DFIR با فایل های مشکوک زیادی مواجه می شویم که نیاز به تجزیه و تحلیل دارند و عمدتاً آنالیز استاتیک و پویا را برای آنها انجام می دهیم. بسیاری از مردم هنوز این ابزار مجانی و رایگان آنالیز استاتیک را که می خواهم در مورد آن صحبت کنم، نمی دانند، 𝐅𝐢𝐥𝐞𝐀𝐥𝐲𝐳𝐞𝐫.

اگر می خواهید در مورد زندگی درونی فایل ها بیشتر بدانید، FileAlyzer ابزاری است که می توانید در تحقیقات بعدی خود در نظر بگیرید!

✨𝐅𝐢𝐥𝐞𝐀𝐥𝐲𝐳𝐞𝐫 𝐅𝐞𝐚𝐭𝐮𝐫𝐞𝐬:✨

⭕️ 𝐀𝐥𝐭𝐞𝐫𝐧𝐚𝐭𝐞 𝐃𝐚𝐭𝐚 𝐒𝐭𝐫𝐞𝐚𝐦𝐬 (𝐀𝐃𝐒):
FileAlyzer makes the additional information in these streams visible through a list of streams associated with the current file, and a basic hex viewer.

⭕️ 𝐀𝐧𝐝𝐫𝐨𝐢𝐝 𝐀𝐩𝐩𝐬:
Android apps are actually zip archives that include the app code and many resources and configuration files. FileAlyzer will display a few app properties, for example the list of permissions.

⭕️ 𝐀𝐧𝐨𝐦𝐚𝐥𝐢𝐞𝐬:
While loading information on the various views of FileAlyzer, it looks for details that are uncommon or wrong. These details may hint at malware behavior.
Each anomaly is described with an ID, a short noscript, and a denoscription that explains why this detail is unusual, and what it might be used for.

⭕️ 𝐀𝐫𝐜𝐡𝐢𝐯𝐞𝐬:
FileAlyzer displays contents of many common archive types, including .cab, .zip, .chm, NSIS installers, rar, .tar, etc.

⭕️ 𝐀𝐮𝐭𝐡𝐞𝐧𝐭𝐢𝐜𝐨𝐝𝐞 𝐒𝐢𝐠𝐧𝐚𝐭𝐮𝐫𝐞𝐬:
Signatures allow the user to verify where the program he's using is coming from, to avoid running a malware-infected version.
FileAlyzer displays all details about the signature it finds in a file.

⭕️ 𝐃𝐚𝐭𝐚𝐛𝐚𝐬𝐞𝐬:
FileAlyzer can display the content of some standard database formats like dBase, SQLite3, Ini, Mozilla Preferences, Mozilla or format, or QIF.

⭕️ 𝐏𝐄 & 𝐄𝐋𝐅 𝐚𝐧𝐚𝐥𝐲𝐬𝐢𝐬:
Static Analysis for PE (Disassmber, imports, exports and header) and ELF (header and sections) files formats.

⭕️ 𝐇𝐞𝐱 𝐕𝐢𝐞𝐰𝐞𝐫:
FileAlyzer includes a hexadecimal viewer that displays file content byte for byte

⭕️ 𝐄𝐗𝐈𝐅:
For photos and other graphic files, FileAlyzer will display EXIF information embedded into the file.

⭕️ 𝐏𝐄𝐢𝐃:
PEiD tries to identify packers, cryptors and compilers and determines the files entropy, and FileAlyzer supports the PEiD plugin to display this information.

⭕️ 𝐔𝐏𝐗 𝐃𝐞𝐭𝐚𝐢𝐥𝐬:
Executable files compressed with UPX will be shown with compression details.

⭕️ 𝐕𝐢𝐫𝐮𝐬𝐓𝐨𝐭𝐚𝐥 𝐋𝐨𝐨𝐤𝐮𝐩:
FileAlyzer will be able to display results of dozens on anti-virus engines about the file you currently analyze, either from previous analysis, or by submitting your actual sample (if you want😉).



📌 https://www.safer-networking.org/products/filealyzer/

#DFIR
تیم سورین

Windows Forensic Analysis
287 page
Harlan Carvey

#windows
تیم سورین

📚intelligence driven incident Response 2nd edition

#IR
تیم سورین